08-26-2021 03:37 AM
We have a feed for EDL in Palo Alto. We realised that when we add this URL (https://unrealengine.com), this website is blocked properly, but not "https://unrealengine.com/en-US/donwload".
For example, www.unrealengine.com. The URL part does not block the URI part either; only if you add it as a domain (without the URI part) does it block effectively.
Could it be anything related to HTTPS, i.e. SSL decryption needed?
08-26-2021 05:16 AM
Hi
Yes, this is related to SSL decryption. The firewall can see the HTTPS connection from client to server and detect the server address via the certificate CN or SNI values, and these do not yet contain the URI part. A few packets later, when the TLS session is set up, the GET request will be sent with the URI, and this you'll only be able to see if you do decryption.
Hope this helps,
Shai
08-26-2021 05:55 AM
Hi @BigPalo ,
What @ShaiW explained is correct, but it is only one part of your problem. I would say the main reason for your issues is how you have defined the URL in the EDL.
Let's break it into two pieces:
- Your EDL contains only the domain "unrealengine.com", but this way any sub-domain will not match. This is not specific to PAN firewalls; this is how domains and sub-domains work. If you want to block/allow URLs for the domain and any sub-domain you need to have two entries: "unrealengine.com" and "*.unrealengine.com".
- As @ShaiW already explained, if you don't perform SSL decryption the firewall will actually never see the full URL. So the URL filtering feature will use the SSL certificate to determine which URL you are trying to reach. And because the SSL certificate contains only the hostname (not the full URL), you can only filter based on domains and sub-domains. So you can still apply URL filtering, but without complete control of the URI.
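As an added illustration (not code from the thread or from Palo Alto), a small Python model of the two points above: a bare domain entry does not match sub-domains, and an entry carrying a URI part can only match once decryption exposes the full request. The matching rules are a simplified assumption for teaching, not PAN-OS's exact algorithm.

```python
# Simplified model (assumption, not PAN-OS logic) of matching EDL entries
# against what a firewall can observe with and without TLS decryption.
from urllib.parse import urlsplit


def parse_entry(entry):
    """Split an EDL entry such as 'unrealengine.com/en-US/download' or
    '*.unrealengine.com' into (host, path). Scheme prefixes are ignored."""
    entry = entry.strip()
    if "://" in entry:
        entry = entry.split("://", 1)[1]
    host, _, path = entry.partition("/")
    return host.lower(), ("/" + path if path else "")


def host_matches(pattern, host):
    """'*.example.com' matches any sub-domain; a bare domain matches only itself."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # pattern[1:] == ".example.com"
    return host == pattern


def match_observation(edl, host, path=None):
    """Return the first EDL entry matching the observed traffic.

    Without decryption the firewall only learns the host (SNI / certificate CN),
    so path is None and any entry that carries a URI part can never match.
    """
    host = host.lower()
    for entry in edl:
        ehost, epath = parse_entry(entry)
        if not host_matches(ehost, host):
            continue
        if epath == "":                       # domain-only entry: host is enough
            return entry
        if path is not None and path.startswith(epath):
            return entry                      # URI entry: needs the decrypted path
    return None


def decrypted_request(url):
    """Constructed sample of a decrypted request: (host, path) as seen after SSL decryption."""
    u = urlsplit(url)
    return u.hostname, (u.path or "/")
```

Run `match_observation(["unrealengine.com"], "www.unrealengine.com")` to see the sub-domain miss, and compare the URI entry with and without `decrypted_request(...)` to see the decryption dependency.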