It's time to allow verified PAN customers to change URL categories for specific websites


L2 Linker

Long-time PAN customer with a huge PAN deployment; we have a very large user base and get multiple website-blocked requests daily. We block Parked and Unknown domains for security purposes; it's worth it. However, there's a large number of new websites that are rightfully listed as parked or unknown, then updated shortly after, and then legit websites are blocked.

 

It can be frustrating adding specific websites to an allow list for a single day while we wait for the 24-48 hour re-categorization time for a PAN employee to recategorize the website. Sometimes it takes even longer. I've requested websites at 8:00 AM East Coast time, and it's approved for the next day (we do all firewall updates nightly, policy). Yesterday, same time, and I get no results back from PAN.

 

It's time to allow verified PAN customers to change URL categories for specific websites. 

 

Please make this a feature. I feel the current procedure is outdated and simply not fast enough.

 

Thank you, -Rags

Accepted Solutions

Cyber Elite

Create custom URL category.

Allow traffic to this URL.

Add fresh websites into this URL category until Palo categorizes it.

 

If you are not permitted to commit firewall during daytime then just use Objects > External Dynamic Lists and place those URLs into some internal website that Palo can read and update itself even as often as 5 minutes.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
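One way to keep the External Dynamic List from growing into the unreviewed 150-200 domain list raised later in this thread, shown as an added example that is not part of the original posts: generate the hosted text file from a source that records when and why each entry was added, and drop entries past a review window. The source file layout, the 14-day window, the ticket IDs and the choice to end host-only entries with `/` are assumptions made for this sketch.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

MAX_DAYS = 14  # assumption: a temporary exception lives at most two weeks

# Constructed sample source: URL-or-domain, date added, ticket (all made up).
SAMPLE = """\
https://new-vendor.example/ 2024-05-01 REQ-1001
portal.partner.example/login 2024-05-10 REQ-1002
*.cdn.example 2024-05-12 REQ-1003
old-site.example 2024-03-01 REQ-0900
bad entry with spaces
"""

def normalize(entry):
    """Drop the scheme, lowercase the host, end host-only entries with '/'."""
    if "://" in entry:
        parts = urlsplit(entry)
        entry = parts.netloc + parts.path
    host, _, path = entry.partition("/")
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or "" in labels or "@" in host or ":" in host:
        raise ValueError(f"not a usable host: {entry!r}")
    # Allow only a leading '*' label, and never one as broad as '*.com'.
    if "*" in host and (labels[0] != "*" or len(labels) < 3 or "*" in host[1:]):
        raise ValueError(f"wildcard too broad: {entry!r}")
    return f"{host}/{path}"

def build_edl(text, today):
    """Return (active entries, expired (entry, ticket) pairs, rejected lines)."""
    active, expired, rejected = set(), [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            url, added, ticket = raw.split()
            entry, added_on = normalize(url), date.fromisoformat(added)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if today - added_on > timedelta(days=MAX_DAYS):
            expired.append((entry, ticket))  # candidates to delete from the source
        else:
            active.add(entry)
    return sorted(active), expired, rejected

if __name__ == "__main__":
    # Constructed run date so the sample shows both active and expired entries.
    active, expired, rejected = build_edl(SAMPLE, date(2024, 5, 15))
    print("\n".join(active))  # body of the text file the firewall fetches
```

The expired and rejected lists are the review queue: each expired entry is either already recategorized and can be deleted from the source, or needs a fresh ticket to stay.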


5 Replies


@Raido_Rattameister,

Are there companies that don't allow a commit on the firewall during daytime hours? That would be a terrible experience just based on the number of things that actually require a commit.

 

@Rags,

Personally, this is a feature that I wouldn't want anyone to have access to, or at the very least only list it as an optional list that can be set. I like the fact that PA actually vets the websites and doesn't allow any customers or outside users to just switch a domain's category. If that isn't working then I would do exactly what Raido is recommending for your own company, but that doesn't mean that I would want any one customer changing categories and getting those pushed to all of my firewalls without someone from PA doing some QA on the category listing.

Create custom URL category.

Allow traffic to this URL.

Add fresh websites into this URL category until Palo categorizes it.

 

 

> This is literally what I want to stay away from. Then after a year you end up with 150-200 domains and you're not sure which domains can be removed or need to stay. Yeah I get it, it's not very difficult... also not difficult for PAN employee to check a single website and to see it needs recategorized and approve the request within 12 hours...

 

 

If you are not permitted to commit firewall during daytime then just use Objects > External Dynamic Lists and place those URLs into some internal website that Palo can read and update itself even as often as 5 minutes.

 

 

> Probably will have to go this route. I just think there's enough of a community and large customers in each industry that could help to improve URL filtering. I'm just tired of waiting around for a PAN intern to approve a URL request, or potentially have to argue that their category is wrong. I would just like to stay away from having to consistently manage lists, whether that's URL Custom Filter Groups or Dynamic Lists.

They do a great job initially, however, domains get purchased --> PAN categorizes the blank white page website --> domains get built out as something completely different --> incategorized/blocked.

 

That's not the problem. The problem is that it can take over 24 hours for it to be reclassified. 

 

As far as the Commit during the day goes... it's been a big internal argument on my end. I feel these devices are designed for commits at any time. They're security devices just as much as a network firewall.

@BPry That was the initial issue - commits not permitted during daytime so I suggested External Dynamic Lists.

 

I personally think that this limitation is not reasonable but sometimes big companies have internal policies.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011