EDL blocking URL


L4 Transporter

We have a feed for EDL in Palo Alto. We realised that when we add this URL (https://unrealengine.com), this web is blocked properly, but not "https://unrealengine.com/en-US/donwload".

For example, www.unrealengine.com. The URL part does not block the URI part either; only if you add it as a domain (without the URI part) does it block effectively.

Could it be anything related to HTTPS? Is SSL decryption needed?


L4 Transporter

Hi

Yes, this is related to SSL decryption. The firewall can see the HTTPS connection from client to server and detect the server address via the certificate CN or SNI values, and these do not contain the URI part. A few packets later, when the TLS session is set up, the GET request will be sent with the URI, and this you'll only be able to see if you do decryption.

Hope this helps,

Shai

Cyber Elite

Hi @BigPalo ,

 

What @ShaiW explained is correct, but it is only one part of your problem. I would say the main reason for your issues is how you have defined the URL in the EDL.

Let's break it into pieces:

- Your EDL contains only the domain "unrealengine.com", but this way any sub-domain will not match; this is not specific to PAN FWs, this is how domains and sub-domains work. If you want to block/allow URLs for the domain and any sub-domain you need to have two entries: "unrealengine.com" and "*.unrealengine.com".

- As @ShaiW already explained, if you don't perform SSL decryption the firewall will never see the full URL. So the URL filtering feature will use the SSL certificate to determine which URL you are trying to reach. And because the SSL certificate contains only the hostname (not the full URL), you can only filter based on domains and sub-domains. So you can still apply URL filtering, but without complete control of the URI.
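A small Python model of the matching behaviour the two replies describe (an added example, not PAN-OS code and not from any post in this thread). It assumes that without decryption only the SNI/certificate hostname is visible, and that a bare domain entry matches only that exact host while the "*." form matches sub-domains; the EDL entries are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed EDL in the style of the thread: a bare domain, its wildcard
# form for sub-domains, and a path-specific entry.
EDL = ["unrealengine.com", "*.unrealengine.com", "unrealengine.com/en-US/"]


def visible_part(url: str, ssl_decryption: bool) -> str:
    """Return what the firewall can match on for an HTTPS request.

    Without decryption only the hostname (TLS SNI / certificate CN) is
    visible; with decryption the host and the request URI are both visible.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not ssl_decryption:
        return host
    return host + (parts.path or "/")


def entry_matches(entry: str, visible: str) -> bool:
    """Simplified domain / wildcard / path matching (assumption: a model of
    the behaviour described in the replies, not the vendor's algorithm)."""
    entry_host, _, entry_path = entry.partition("/")
    vis_host, _, vis_path = visible.partition("/")
    if entry_host.startswith("*."):
        # Wildcard entry: any sub-domain matches, the bare domain does not.
        suffix = entry_host[1:]  # e.g. ".unrealengine.com"
        host_ok = vis_host.endswith(suffix) and vis_host != suffix[1:]
    else:
        host_ok = vis_host == entry_host
    if not host_ok:
        return False
    if not entry_path:
        return True  # domain-only entry covers every path under that host
    # A path entry can only match when the path is visible (decryption on).
    return vis_path.startswith(entry_path)


def edl_blocks(entries: list[str], url: str, ssl_decryption: bool) -> bool:
    """True if any EDL entry matches what the firewall can see of `url`."""
    visible = visible_part(url, ssl_decryption)
    return any(entry_matches(e, visible) for e in entries)
```

Running it with only "unrealengine.com" in the list reproduces the original report: the bare host is blocked, "www.unrealengine.com" is not, and a path entry never matches until decryption makes the URI visible.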

L5 Sessionator

To add to some of the URL Filtering wildcard behavior discussed above, please see previous posts like this one.
