I'm trying to change my rules for allowing outgoing SFTP connections from using IPs to using URLs, as more and more vendors are going to AWS and such, and locking into an IP address doesn't work. I cloned my current working rule, which says server x.x.x.10 can connect to IPs z.z.z.1, z.z.z.2, etc. using the applications SSH and enhanced file transfer. I then got rid of the destination IPs, setting it to "Any", and added URL Category "SFTP Safe" under "Service/URL Category". I made sure the URLs I needed to connect to were listed in the "SFTP Safe" URL Category. Committed, and when I test it passes right through that rule and hits my "Deny All" rule at the end. Yet if I adjust that same rule from "Allow" to "Deny" and run the test again, it is still denied, but when I look at the monitor it shows it is now denied by the new rule, as I would expect. To test additionally, I set up a rule that denied web traffic to my URL Category "test", set it at the top of the rules, and added cnn.com to that URL category. Bang, it worked, but when I set the rule to allow it will work, but when I check the monitor it shows my standard outgoing web traffic rule way down the stack is allowing it. Why does URL Filtering in a Policy only seem to work for a Deny?
Are they URLs or just DNS names? Could you use DNS names as the destination address and SFTP as the application? I would try this way and make sure to put this policy above your general policy to make sure it gets hit. Watch the traffic logs and they will tell you where/if the traffic is getting blocked/denied on your side.
I can't find a PANW doc, but there are a few community posts which state that URL categories in the security policy only work with HTTP and HTTPS.
So, I think the issues stem from trying to apply URL filtering to SFTP. SFTP is not FTP over TLS. So, there will be no URL in the packet.
On a related issue, "On Palo Alto Networks devices, PAN-DB URL Filtering is applied on 2 major protocols: HTTP and HTTPS (SSL)." https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRZCA0
At least that doc specifically states the required apps. However, it is URL filtering in security profiles, not URL categories in the security policy.
You could try an address group of FQDN objects. I think that is what @OtakarKlier meant. Those will get resolved to IP addresses, but it should work.
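The FQDN approach suggested in the replies above, written out as PAN-OS CLI set commands. This is an added example, not configuration from this thread or from Palo Alto Networks; the object, group, rule and zone names and the vendor hostnames are assumptions, and the `#` lines are explanatory comments, not CLI input.

```text
# --- configure mode ---
# FQDN address objects: the firewall resolves these with its own DNS
# settings and re-resolves them on the FQDN refresh timer, so the
# firewall must see the same answers the SFTP client gets (watch out
# for split-horizon or geo-DNS on AWS-hosted endpoints).
set address sftp-vendor-a fqdn sftp.vendor-a.example
set address sftp-vendor-b fqdn files.vendor-b.example
set address-group sftp-safe static [ sftp-vendor-a sftp-vendor-b ]

# Replace the "Any" destination with the group. Keep application ssh
# (SFTP is identified as ssh) with service application-default (tcp/22).
# Leave URL category at any: an SSH session never carries a URL, so a
# category match has nothing to evaluate.
set rulebase security rules allow-sftp-out from trust to untrust
set rulebase security rules allow-sftp-out source x.x.x.10 destination sftp-safe
set rulebase security rules allow-sftp-out application ssh service application-default
set rulebase security rules allow-sftp-out action allow log-end yes

# Make sure the rule sits above the final deny rule, then commit.
move rulebase security rules allow-sftp-out before deny-all
commit

# --- operational mode ---
# Confirm each FQDN actually resolved; an unresolved object matches
# nothing and the session falls through to deny-all exactly as before.
request system fqdn show
show running security-policy
```

If a vendor's IPs rotate faster than the refresh timer, lower the FQDN refresh time under Device > Setup > Services rather than reverting to static addresses.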