Blocking an application for all websites except one

L3 Networker

I have an Application filter for Streaming Audio and have created a policy to block it. That's going well but I need to allow http-audio which falls under Streaming Audio for one specific site only.

I have created a URL Filtering security profile with just this URL in the allow list and then created a policy which allows http-audio with the URL filtering profile above my block profile but http-audio from any on the internet can still be played.

url-profile.png

policy.png

Any ideas on how I could get this working would be great.

I'm on software version 5.0.4.

L5 Sessionator

Create a Custom URL category for this website which includes:

smpte.org

*.smpte.org

Try using the above category in the specific security rule configured to allow this website.

L6 Presenter

If you check the traffic log, which policy is matching those other http-audio and allowing them to play?

L5 Sessionator

Check what policy the other traffic is hitting.

Also make sure that the application is showing up as http-audio in the traffic logs and not as incomplete or insufficient.

If it is showing up as one of the above, that does not mean that the traffic is allowed. Please see the doc below for the definition of them.

https://live.paloaltonetworks.com/docs/DOC-1549

Hope this helps.

L3 Networker

Hi Nadir,

I tried creating the Custom URL Category with the URLs for the website but it didn't work; all http-audio, including the ones played from this website, ended up getting blocked.

thanks

L3 Networker

rmonvon and mbutt, it's hitting the smpte policy that's allowing it to play.

In the Traffic logs, they are being classed as http-audio but when I look at the URL Filtering logs, the application is showing web-browsing.

Here are the URL Log screenshots.

url-log-1.png

url-log-2.png

I don't have the screenshots of the traffic logs to show that they are being classified as http-audio, but I'll update the ticket with some of the screenshots as well.

thanks

L2 Linker

Out of curiosity, are you applying a URL profile to the rule on the Security rule? Whether it's by profile or group settings?

L6 Presenter

Looking at the log details, the rule 'Internet Access' is permitting the web-browsing traffic.  I think at the start of the request, the app is identified as web-browsing and the 'Internet Access' rule is allowing it.  The domain is Once the traffic is identified as app=http-audio, it is denied by rule 'Eugene http-audio test'.

I would suggest changing the rule to allow app=http-audio,web-browsing and dest=custom category containing ww.smpte.org and see if that would work. Thanks.
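The behaviour described in this thread, as an added example that is not part of any post and is not PAN-OS code: a simplified first-match model of the rulebase, evaluated once at session start (web-browsing) and again after the application shifts to http-audio. Assumptions: the rule order (allow rule, then block rule, then 'Internet Access'), the host `radio.example.net`, and that a URL Filtering profile attached to a rule does not narrow which sessions the rule matches, while a URL category used in the rule itself does.

```python
# Simplified first-match model of the rulebase discussed in this thread
# (added illustration; not PAN-OS code). Assumption: a URL Filtering profile
# attached to a rule is applied after the rule matches and does not narrow
# which sessions the rule matches; a URL category in the rule itself does.
from fnmatch import fnmatch

SMPTE = ["smpte.org", "*.smpte.org"]  # custom URL category from the thread

def in_category(host, patterns):
    return any(fnmatch(host, p) for p in patterns)

def evaluate(rules, app, host):
    """Return (rule name, action) of the first rule matching app and host."""
    for name, apps, category, action in rules:
        if app in apps and (category is None or in_category(host, category)):
            return name, action
    return "default", "deny"

def session(rules, host):
    """Look up policy at session start (web-browsing) and again after the
    application shifts to http-audio, as described in the post above."""
    return [evaluate(rules, app, host) for app in ("web-browsing", "http-audio")]

# Rule names come from the thread; their relative order is an assumption.
BLOCK = ("Eugene http-audio test", {"http-audio"}, None, "deny")
INTERNET = ("Internet Access", {"web-browsing"}, None, "allow")

# Original attempt: the allow rule matches on application only, so the
# attached URL profile does not stop it matching http-audio from any site.
original = [("smpte", {"http-audio"}, None, "allow"), BLOCK, INTERNET]

# Suggested rule: both applications, restricted by the custom URL category.
suggested = [("smpte", {"http-audio", "web-browsing"}, SMPTE, "allow"),
             BLOCK, INTERNET]

if __name__ == "__main__":
    for label, rules in (("original", original), ("suggested", suggested)):
        for host in ("www.smpte.org", "radio.example.net"):  # constructed hosts
            print(label, host, session(rules, host))
```
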

L5 Sessionator

I think it would be best if you look at the session as well. It is quite possible that initially the traffic is allowed but once the application is determined traffic is getting blocked.

However, you can try rmonvon's suggestions and see what happens. If that doesn't work then you will need to gather the following:

1. Techsupport

2. running config

3. Pcap of the traffic

4. traffic logs

and open a case with support to verify if the signatures for http-audio are up to date.

hope this helps.

thanks

L3 Networker

Hi,

Yes, I'm applying the URL profile on the security rule.
