PaloAlto Firewall App and URL Category mismatch


Hello Everyone,

In the PA firewall logs I am noticing strange behaviour of the App and URL Category. I have blocked the social networking sites in the policy, but Facebook-based applications are categorized under "any"; sometimes they are categorized as social-networking and the traffic is blocked.

Has someone faced this issue before? What is the solution to fix this categorization issue?


Cyber Elite

Hello @lakshmipathimurugan

Thank you for the post.

The behavior you described is expected. The KBs below describe what URL category "any" means:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UP1CAM&lang=en_US%E2%80%A...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm08CAC

If your ultimate goal is to block Facebook, then I would create 2 security policies: one policy to block the application facebook-base and another to block the URL category social-networking. In this way either of the policies will be hit to deny Facebook-related traffic, regardless of whether it is detected as an application or as a URL category.

With your current policy "Block Streaming Media-App Based", the issue I am seeing is that, to block this traffic, the firewall has to decode the application as "facebook-base" and also have enough information to categorize the URL category as "social-networking". If the firewall can't categorize the URL category, this policy will not be hit.

If your goal is to go more granular and block only some of the Facebook applications, you will have to enable decryption.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
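The point of the reply above is that a single rule which matches on both application and URL category is evaluated as an AND, so a session the firewall has not yet categorized (logged with URL category "any") cannot hit it and falls through to the broad allow rule. The following is an added simulation of that first-match evaluation, not code from the thread or from Palo Alto Networks; the rule names other than "Block Streaming Media-App Based", the "internet-any" allow rule and the "ssl" placeholder for a not-yet-identified application are assumptions for this example. It compares the combined rule against the two separate deny rules Pavel suggests.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LogEntry:
    """One traffic-log line: identified App-ID and URL category.

    url_category == "any" models a session the firewall has not yet categorized.
    """
    app: str
    url_category: str


@dataclass
class Rule:
    """A security rule; "any" in a criterion means the criterion is not restricted."""
    name: str
    action: str
    application: str = "any"
    category: str = "any"

    def matches(self, entry: LogEntry) -> bool:
        # All criteria must hold (AND). A rule that requires a specific URL
        # category is NOT satisfied by a session whose category is still "any".
        app_ok = self.application in ("any", entry.app)
        cat_ok = self.category in ("any", entry.url_category)
        return app_ok and cat_ok


def first_match(rulebase: List[Rule], entry: LogEntry) -> Optional[Rule]:
    """Top-down first-match evaluation, as a security rulebase is processed."""
    for rule in rulebase:
        if rule.matches(entry):
            return rule
    return None


# Constructed rulebase 1: the poster's combined rule followed by a broad allow.
COMBINED_RULEBASE = [
    Rule("Block Streaming Media-App Based", "deny",
         application="facebook-base", category="social-networking"),
    Rule("internet-any", "allow"),  # assumed name for the catch-all allow rule
]

# Constructed rulebase 2: the two separate deny rules suggested in the reply.
SPLIT_RULEBASE = [
    Rule("deny-facebook-app", "deny", application="facebook-base"),
    Rule("deny-social-networking", "deny", category="social-networking"),
    Rule("internet-any", "allow"),
]

# Constructed log lines illustrating the stages of identification.
SAMPLE_LOGS = [
    LogEntry("facebook-base", "any"),                # app known, category not yet
    LogEntry("web-browsing", "social-networking"),   # category known, app generic
    LogEntry("ssl", "any"),                          # neither identified yet (assumed "ssl" placeholder)
]

if __name__ == "__main__":
    for name, rb in (("combined", COMBINED_RULEBASE), ("split", SPLIT_RULEBASE)):
        for entry in SAMPLE_LOGS:
            hit = first_match(rb, entry)
            print(f"{name:8} app={entry.app:14} cat={entry.url_category:18} -> {hit.name} ({hit.action})")
```

Run as written, the combined rulebase lets the app-identified-but-uncategorized session through the allow rule, while the split rulebase denies it on the application rule alone; the third sample, identified as neither, is allowed by both rulebases, which is the transient "category any" behaviour Pavel describes until enough of the session has been seen.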

Thanks, @PavelK.

I created the two deny policies (one with the facebook-base application and the other with social-networking). Traffic is still being allowed by the internet-any policy, matching URL category "any".

I would like to know why traffic is still bypassing these two rules and being allowed by the internet policy.

If decryption is the only solution, I am thinking about basic firewall functioning..!

Cyber Elite

Thank you for reply @lakshmipathimurugan

Could you confirm what the actual user experience is? Were you able to confirm that Facebook traffic is not blocked? Some of the traffic will have a URL category of "any" until the firewall has seen enough traffic to properly categorize it; this should however eventually result in the traffic being blocked by matching the right policy. Before that happens, some of the logs will have category "any".

To block Facebook traffic, decryption is not required; the Facebook traffic will be categorized based on the initial SSL handshake by looking into the SNI of the certificate.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.