08-03-2023 02:51 PM
An employee placed a space in an EDL we use for blocking illicit sites and caused a widespread web outage in one physical location, but other sites ingested the same EDL just fine. The main difference between locations is the code versions. I was curious if spaces in URL-type EDLs are handled differently between PAN-OS code versions.
A Threat Intel user submitted an entry into the source of our EDL that was formatted as *. example.com/etc, which you may notice has a space between *. and example.com. On a firewall running 8.1 code, this space was interpreted as two separate entries of *. and example.com/etc. The entry of *. made all traffic with a '.' in it (which is everything) become blocked. Users were not able to access any resources via URLs through this firewall.
At two locations running 9.1 code using the same list for blocking, there were no issues at all. Reviewing EDL update times, the 8.1 and 9.1 sites all updated the EDL successfully within 2 minutes of each other. This would indicate all of these firewalls had to have processed the new entry, but differences in functionality using the space appear to be drawn between versions (8.1 and 9.1). Unfortunately, I did not look at the value on the functioning sites until after it had been corrected, which provided no insight. Removing the space in the URL entry fixed the broken site.
Is there a difference between major revisions in how spaces are handled in URL EDLs? I could not find a KB article explaining any. I'll probably test it myself to look for a difference, but wanted to check here first, in case someone has tested this before. Thanks for any info!
08-03-2023 09:08 PM
Hello, Melewis
In general, when working with URLs or EDLs, spaces can cause unintended issues, and how they are handled can vary between different software versions and platforms. It is not uncommon for different major revisions of software to introduce changes in how they interpret and handle various input formats, including URL EDLs.
When you observed that the space in the URL entry caused an issue on a firewall running 8.1 code but not on firewalls running 9.1 code, it is possible that the two versions handle spaces differently. The handling of spaces in URL entries might be considered as a bug or a feature change introduced in newer software versions to improve parsing and processing.
Testing it yourself is a good idea to verify the behavior in your specific environment, but it's also essential to review the release notes, known issues, and support documentation for each major revision of the software to understand any changes related to URL EDL handling. Additionally, reaching out to the vendor's support or community forums might also provide valuable insights from other users' experiences.
Keep in mind that changes in software behavior can have significant impacts, as you experienced with the widespread web outage. Therefore, it's crucial to be cautious when making configuration changes or upgrading software versions in a production environment, especially when working with security-related features like EDLs.
Always follow best practices for testing changes in a controlled environment before applying them to the production environment to minimize the risk of unexpected disruptions.
I hope you like my answer.
Thank You,
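A pre-publication check for the EDL source that would have flagged the entry described in this thread, as an added example (not code from either poster or from Palo Alto Networks). It assumes the source is a plain text list with one entry per line; the function names and sample entries are constructed for illustration.

```python
def is_overbroad(token):
    """True when the host part has no literal label, e.g. '*.' or '*.*'."""
    host = token.split("/", 1)[0]
    return not any(ch.isalnum() for ch in host)


def lint_edl(text):
    """Return (line_no, raw_line, reason) for each entry that should block publication."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines carry no entry
        tokens = entry.split()
        if len(tokens) > 1:
            # The failure mode from the thread: a consumer that splits on
            # whitespace treats one line as several independent entries.
            reason = "whitespace inside entry; split on it gives %r" % tokens
            broad = [t for t in tokens if is_overbroad(t)]
            if broad:
                reason += "; fragment %r has no literal host label" % broad[0]
            findings.append((line_no, raw, reason))
        elif is_overbroad(entry):
            findings.append((line_no, raw, "entry has no literal host label"))
    return findings


def publishable(text):
    """Gate for the list publisher: only serve the list when the lint is clean."""
    return not lint_edl(text)


# Constructed sample list; line 2 reproduces the entry shape from the thread.
SAMPLE = (
    "malware.example.net/path\n"
    "*. example.com/etc\n"
    "*.example.org\n"
    "*.\n"
)

if __name__ == "__main__":
    for line_no, raw, reason in lint_edl(SAMPLE):
        print("line %d: %r -> %s" % (line_no, raw, reason))
    print("publishable:", publishable(SAMPLE))
```

Running the check on the server that hosts the list, and refusing to publish on any finding, keeps a malformed submission from reaching firewalls regardless of how each code version parses it.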