08-29-2019 08:20 AM
We are doing some testing with a user that is running a client and needs to get out to the internet.
1. We have a policy for testing and added the required FQDN address objects to the destination. This was successful.
2. Next, we removed the address objects from the destination (replaced that with "any") and moved them to be part of an existing URL category group. We then added this URL category group to the testing policy. This has worked for us when testing in the past, but does not work now.
Why would something work when added as an address object but not when it's part of a URL category group? Am I missing something?
Thank you!
08-29-2019 11:31 PM
@TLineberry: That's expected behavior. The system needs to see the URL to match it agains your URL filter.
In TLS, the URL is part of the encrypted payload, if you're lucky and the server hosts multiple websites, it may use TLS-SNI. So you need to decrypt the traffic, to see the URL. When you use a FQDN address object, the palo simply does a dns forward lookup and whitelists the IP - that's independent from any URLs and works e.g. for CIFS traffic, which doesn't use URLs as well.
08-29-2019 08:47 AM
@TLineberry Which L7-Applications are you using in that policy?
08-29-2019 10:25 AM
Hello,
Are you decrypting the traffic? If yes and you are not running version 9.0.x, the nyou will also need to add web-browsing and set the service ports to 443 and 80 for web-browsing. Also check the logs to see why its getting blocked. Could be a new application blocking the traffic.
Regards,
08-29-2019 10:59 AM
Hi,
We are not decrypting the traffic. Checked the logs and we don't see anything, no other apps, etc. It's very odd!
I just don't know why it would work when using destination address objects but not when using objects in a URL category...
08-29-2019 11:01 AM
Also check the URL logs to see if its blocking on the catagory the URL is in.
08-29-2019 11:31 PM
@TLineberry: That's expected behavior. The system needs to see the URL to match it agains your URL filter.
In TLS, the URL is part of the encrypted payload, if you're lucky and the server hosts multiple websites, it may use TLS-SNI. So you need to decrypt the traffic, to see the URL. When you use a FQDN address object, the palo simply does a dns forward lookup and whitelists the IP - that's independent from any URLs and works e.g. for CIFS traffic, which doesn't use URLs as well.
02-18-2023 11:12 AM
Hi @Chacko42 ,
I have observed Palo Alto PANOS 10.2.1 dropping the traffic even when it sees the same domain in the SNI field of the Client Hello packet, that is configured in the security policy allow rule, under URL Category field. And thus the website does not open at client's end. It is still unclear as to why the firewall is not able to match the two exactly same domains.
Please note that it is different from seeing in your browser "Your connection is not private" kind of message. In such case, the problem is that the SSL certificate offered by the server in response to the Client Hello packet, does not match the name of the domain initially requested by the client. While, my scenario is different, where the website does not open at the first place and we see the traffic blocked by the interzone-default rule of Palo Alto firewall.
Any idea why does it happen?
02-18-2023 12:21 PM
@Chacko42 please also note that I don't have URL filtering or SSL inspection enabled. So firewall is relying solely on the SNI information contained in the packet which is exactly the same as the one configured in the allow rule, however the firewall is still unable to match one with the other.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
