05-19-2022 06:16 AM
A group within my company would like access to, we will just call it, xyz.com/blog, but we currently block xyz.com via an EDL based policy. We are also not decrypting this groups traffic as it causes issues with some of their connectivity, so options are limited in that respect.
I added xyz.com/blog to our whitelist just to see if it would work, but it didn't.
Does anyone have any ideas or thoughts on if allowing xyz.com/blog is possible while still blocking xyz.com?
05-19-2022 06:48 AM
Hi @Gareth-Doyle ,
First if all if you want to have such grancular control and allow access to specific resource/directory/URL while blocking everything else at that domain - you must have SSL decryption. There is no way around that and the reason is very simple if you think about it - complete URI is visible only in the HTTP headers, which are encrypted. Without SSL decryption firewall have visibility only until SSL is negotiated. While observing the SSL negotiation FW can extract the SNI from the server certificate and use it for URL filtering. As you imagine SNI contains the hostname if the web site, which means you firewall will never know what actuall reasources are requested by the users unless you decrypt the traffic and allow the FW to inspect the HTTP headers.
Now if you cannot apply SSL decryption and your company accept the risk to allow this specific user group to access everything at xyz.com. You can :
- Create separate Security Rule defining this group as source user and matching URL category xyz.com.
- Apply URL filtering that does not contain your EDL.
- Place this rule above the one that users will usually use for web access to internet
Apart from not having SSL decryption you are facing another problem - the URL filtering profile order.
If given url is matching multiple actions allow, block and alert - always the block action is enforced - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC
Which means if you have URL EDL with action block and you try to exclude specific URL by adding the same URL to category with action alert/allow - it still will be blocked by the EDL, because it is enforced first.
If you use MineMeld for EDL you can manually add entries as whitelist, which will remove the entry before sending it to the output.
08-25-2022 10:01 AM
@aleksandar.astardzhiev , thanks for your reply. I should have replied sooner myself.
I was able to resolve this issue with the original solution actually. The issue (i.e. why it was failing initially) was actually due to Chromium based browser engine and not due to the firewall. However Chromium caches connections, possibly reusing tunnels, etc... was permitting access to the main site only AFTER first visiting the permitted URI.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!