- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
custom url category with non http and https port.
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- custom url category with non http and https port.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-20-2020 11:15 PM
HI,
I Have created custom URL category e.g category name (*.xyz.com) Now I want to create inbound rule like below.
Source zone :- Internet
Destination Zone :- LAN
Destination IP :- Any
Port :- 389 , 4172
URL Categary :- 'Custome category'
Security Profile : Any
My doubt is will this work on port 389 and 4172 port or this will work only on http and https port
Thanks
Dhananjay Bhakte
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
07-30-2021 12:33 PM
Custom URL categories only work for http and TLS traffic - not only for apps web-browsing and ssl as there are quite a few more that are based on http/tls traffic - but at least for ssh you cannot use a custom URL category.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-21-2020 12:58 AM
Hey,
could you please clarify what you are trying to achieve here? The application and the service are independend of each other. You can easily create a rule allowing SSL and Web-Browsing on port 389 and 4172.
René
// If you like my answer force commit it.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-21-2020 01:42 AM
HI Rene,
I have requirement from customer to open port 389 and 4172 for eg *.xyz domain.
So I created custom category *.xyz.com and have to create rule by calling this category into rule and will allow only 389 and 4172 ports.
As far my understanding url category work only for ssl and web-browsing traffic, so just wanted to know if I keep url category in rule for port port 389 and 4172 will that rule work?
Thanks
Dhananjay
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-21-2020 01:48 AM
Hi,
ok now I got you. So you are correct URL filtering is working with http/https only. Futhermore it is kind of uncommon to have URL filtering active in inwards direction. So I saw the request for port 389 which is basically LDAP, dont know for 4172. However please make yourself familiar with the conecpt of an "application firewall" - we do not open ports anymore. But in term of customers request you are right, this is not going to work.
René
// If you like my answer force commit it.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-21-2020 03:49 AM
Hi @DhananjayBhakte ,
It sounds like you need FQDN not URL.
You can use FQDN object as source or destination address in the policy. Firewall will query the DNS server and use this fqdn to resolve it to IP address. The received IP will be cached for configured amount of time (probably 30min was the default, but not sure).
Given the port from your description it sound be more reasonable to use FQDN instead of URL filtering.
To be more precise URL custom category will work with web-based application. If you think for a bit it is logical - firewall needs to know which part of the traffic is the URL, so it doesn't matter what port you are using
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-21-2020 05:50 AM
HI Alexzandar,
Traffic is not URL traffic and its application is not applicable.
For known fqdn e.g abc.xyz.com it is possible to write rule however fqdn is not fixed, customer says fqdn will change every time but domain (xyz.com) would be fixed, So my query is Can I allow wildcast *.xyz.com instead of single fqdn in security policy using custom url category for custom ports.?
Thanks
Dhananjay Bhakte
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-24-2020 09:04 PM - edited 09-27-2020 09:07 PM
@DhananjayBhakte wrote:HI tellthebell
Traffic is not URL traffic and its application is not applicable.
For known fqdn e.g abc.xyz.com it is possible to write rule however fqdn is not fixed, customer says fqdn will change every time but domain (xyz.com) would be fixed, So my query is Can I allow wildcast *.xyz.com instead of single fqdn in security policy using custom url category for custom ports.?
Thanks
Dhananjay Bhakte
You can use FQDN object as source or destination address in the policy. Firewall will query the DNS server and use this fqdn to resolve it to IP address. The received IP will be cached for configured amount of time (probably 30min was the default, but not sure).
Given the port from your description it sound be more reasonable to use FQDN instead of URL filtering.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-30-2020 06:43 AM
HI Couvertjy,
Now I allow policy as below,
Source Zone :- Internet
Source IP address:- x.x.x.x
Destination Zone :- Lan
Destination IP address:- Any
Custom URL Categary :- *.xyz.com
Port :389 and 8759
Action : Allow
It is working, but my question is still there as *.xyz.com is hosted on internet so how can firewall allowing xyz.com fqdn to access ports on Lan zone through Custom URL category?. So here URL category is acting as source IP . So is it possible that custom url category can act as source or destination IP.
Thanks
Dhananjay Bhakte
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-30-2020 06:46 AM
let me correct my below comment
Source IP also any
Source Zone :- Internet
Source IP address:- any
Destination Zone :- Lan
Destination IP address:- Any
Custom URL Categary :- *.xyz.com
Port :389 and 8759
Action : Allow
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
07-30-2021 06:13 AM
HI,
In addition to above query, I got new requirement from customer as below
Source Zone : trust
Source user :- abc
Destination Zone :- Untrust(internet)
Destination :- *.ncra.tifr.res.in
Port : 22
Application: SSH
So to achieve above requirement , I have created custom url category as *.ncra.tifr.res.in and created rule as below.
Policy :--
Source Zone : trust
Source user :- abc
Destination Zone :- Untrust(internet)
Destination :- any
Port : 22
url category :- *. ncra.tifr.res.in
Application: SSH
Profile :- None
Action :- Allow
However it is not working.
Note :- Customer dont have fqdn he provided *.ncra.tifr.res.in
So I wanted to know that *.ncra.tifr.res.in custom category not work for application other than web browsing and ssl?
Thanks
Dhananjay
- Fast DNS Resolution Issues in General Topics
- Panorama Upgrade from 9.1.12-h3 to 9.1.13-h3 in Panorama Discussions
- Azure AD Identity Protection Integration custom filter in Cortex XSOAR Discussions
- To use Custom URL categories require a URL filtering license? in General Topics
- Http logs collector example not working in Cortex XDR Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
