I'm seeing some different behavior from our firewall on 8.0 code. I've got a few rules setup wtih both security URL profiles, and the URL category column. I've got a few custom URL categories made that match certain traffic. What I'm finding is that the second I include a category in the URL column, even if my URL profile has the custom categories set to "NONE", the firewall is not matching expected rules. We've verified that adding the custom categories to the ruleset does indeed solve the problem, and causes a match. My question is, is there an option or way to have the URL Category column not consider the custom categories that are made? OR- is it in fact the case that once you add them into a security rule, that's it, you are now evaluating against all URL categories, in EVERY rule, even your custom built ones, if you've added anything into the URL Category Column . We are looking at matching rules based on groups and URL's, and if a user is in multiple groups, they would never not match one of the rules. URL categories would solve this matching problem, but not if creating a new custom category breaks other rules, or creates more work of manually adding that into a rule every time you create it. Thoughts?
Could you maybe give an example with your actual rules and where the problem is you describe here? At least for me it's hard to understand what you are trying to do or where the problem of the not matching rules reside.
What I can say right now is only that an URL profile is not a matching criteria in security policy rules. If you want to force specific categories to be processed by a specific rule you need to add the (custom) category directly into the rule. But I assume this wasn't very helpful to you 😛
Thanks for the reply remo! I want a rule where I can match on the security policy (URL category column), AND log on that URL traffic- which from my understanding means you have to have a URL profile in that same ruleset.
An example of this would be if a user is in both layer 1 and layer 2 groups , but you have a block for layer 1 users on auctions in Rule 1, but for layer 2 users you have an allow-in Rule 2. In all of these rules with associated profiles, you have your custom categories set to "none". If I make a new custom URL category, and use that custom URL category as a match in a rule below any of the previous rules, It affects the ruleset above it, and won't match on the Palo category anymore, it logs it in the Palo logs as the custom category- which is set to "None" in Rule 1 or Rule 2.
What PAN-OS version do you have installed? As far as I understand this does not aound like it should be (as long as you use different URL profiles for the different rules).
Could you try once with logging also the session start to verify if the sessions do not accidentially match on previous rules and then change to the rule where you want it to be processed?
8.1.5-I've tried even removing the URL profiles, and as long as I have a rule 1 with a Palo category traffic gets denied. I've also tried removing all URL profiles, and on rule 1 - including ALL palo URL categories in the URL column (except for the custom ones I've made), Rule 2 is the deny, and then on rule 3 simply adding the two custom categories. This is enough to not cause a match, and the logs will show the custom URL categories that I built getting hit on the deny rule.
The start of the log will show "allowed" and on rule 1 - but the end of the log shows it hitting my custom URL category and hitting rule 2. Allbeit- I can only get this to happen when decryption is turned on, but still, I wouldn't expect this to happen. Is anyone able to replicate this? I've replicated on 3 firewalls now, but only when decryption is on.
This is almost starting to look like - the second you put anything in the URL category column- you are matching against everything you've ever made for a custom URL category, regardless of your predefined Palo Categories---like the firewall is following the -block-allow-custom-cached-predefined- logic anytime you populate the URL category column?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!