Dynamic URL Filtering when policy matching on URL

cancel
Showing results for 
Search instead for 
Did you mean: 

Dynamic URL Filtering when policy matching on URL

L2 Linker

Hi,

We're using dynamic URL filtering (ie the "cloud" database") within our URL-filtering profiles.  Within PAN-OS 4.1 there is now the option to match on URL category within security policies, but no checkbox there to use the Dynamic Filtering.  So, if I try and access a URL thats not in the local database, does the firewall still go and query the cloud for that policy?

tks

Liam.

1 ACCEPTED SOLUTION

Accepted Solutions

L5 Sessionator

Hi Liam,

Excellent point - we also discovered this recently and the bug fix is targeted for the next maintenance release.  You should find more information in the release notes once it is available, but I'll also post more information at that time.

Thanks,

Doris

View solution in original post

3 REPLIES 3

L6 Presenter

I think the dynamic filtering is a global option in order to if you want to "leak" to the cloud which urls your clients are browsing to or not (along with to get a better hitrate since the downloadable db of url-categories are just the top1000 or similar per category).

But I could agree that it might be a nice feature to be able to do this both on global but also at security rule level - the question here will then be, which setting will be the judging one? Will the global setting overrule the local security rule setting or would the local security rule setting overrule the global setting?

L5 Sessionator

Hi Liam,

Excellent point - we also discovered this recently and the bug fix is targeted for the next maintenance release.  You should find more information in the release notes once it is available, but I'll also post more information at that time.

Thanks,

Doris

View solution in original post

Hi Liam,

You may have noticed it already, but the aforementioned bug was addressed in the 4.1.3 release, which is now generally available.  If you are using URL categories as part of your match criteria and would like to enable dynamic lookups as part of that process, you can use the following CLI command to do so:

set devconfig setting url dynamic-url yes

Hope this helps,

Doris

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!