09-27-2022 01:25 AM
Hello Everyone,
In PA Firewall logs I am noticing the strange behaviour of the App and URL Category. I have blocked the social networking sites in the policy. But Facebook-based applications are categorized under any; sometimes it is categorized as social networking and blocking traffic.
Has anyone faced this issue before? What is the solution to fix this categorization issue?
09-27-2022 06:09 AM
Hello @lakshmipathimurugan,
Thank you for the post.
The behavior you described is expected. The below KBs describe what URL category "any" means:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm08CAC
If your ultimate goal is to block Facebook, then I would create 2 security policies: one policy to block application: facebook-base and another to block URL category: social-networking. In this way, either of the policies will be hit to deny Facebook-related traffic regardless of whether it is detected as application or URL category.
With your current policy, "Block Streaming Media-App Based", the issue I am seeing is that, to block this traffic, the Firewall has to decode the application as "facebook-base" and have enough information to categorize the URL category as "social-networking". If the Firewall can't categorize the URL category, this policy will not be hit.
If your goal is to go more granular and block only some of the Facebook applications, you will have to enable decryption.
Kind Regards
Pavel
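A simplified model of the rule matching described in the answer above, added here as an example; it is not part of the original thread and is not Palo Alto Networks code. It assumes top-down, first-match evaluation with ANDed criteria; every rule name except "Block Streaming Media-App Based" and all session values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    app: str = ANY           # application criterion
    url_category: str = ANY  # URL category criterion

    def matches(self, app: Optional[str], category: Optional[str]) -> bool:
        # Criteria within one rule are ANDed. "any" always matches; a specific
        # value cannot match an attribute the firewall has not resolved (None).
        app_ok = self.app == ANY or self.app == app
        cat_ok = self.url_category == ANY or self.url_category == category
        return app_ok and cat_ok

def evaluate(rules, app, category):
    """Top-down evaluation: the first matching rule decides the action."""
    for rule in rules:
        if rule.matches(app, category):
            return rule.name, rule.action
    return "default-deny", "deny"

ALLOW = Rule("Internet-Any", "allow")  # hypothetical catch-all allow rule
# One rule that needs the application AND the URL category to be known.
COMBINED = [Rule("Block Streaming Media-App Based", "deny",
                 app="facebook-base", url_category="social-networking"), ALLOW]
# Two rules, each with a single criterion (rule names are hypothetical).
SPLIT = [Rule("Block-Facebook-App", "deny", app="facebook-base"),
         Rule("Block-Social-Networking", "deny", url_category="social-networking"),
         ALLOW]

# Constructed sessions: (application, URL category); None = not resolved yet.
SESSIONS = {
    "app only": ("facebook-base", None),
    "category only": ("ssl", "social-networking"),
    "both": ("facebook-base", "social-networking"),
    "nothing yet": (None, None),
}

def verdicts(rules):
    return {label: evaluate(rules, *attrs) for label, attrs in SESSIONS.items()}

if __name__ == "__main__":
    for title, rules in (("combined", COMBINED), ("split", SPLIT)):
        for label, (name, action) in verdicts(rules).items():
            print(f"{title:9} {label:14} -> {action:5} ({name})")
```

In this model the combined rule denies only when both attributes are resolved, while the split rule set denies as soon as either one is known.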
09-29-2022 01:38 AM
Thanks, @PavelK.
I created the two deny policies (one with the facebook-base application and the other one with social-networking). Traffic is still being allowed by the internet any policy, matching URL category as any.
I would like to know why traffic is still bypassing these two rules and being allowed by the internet policy.
If decryption is the only solution, I am thinking about basic firewall functioning..!
10-02-2022 12:16 AM
Thank you for the reply, @lakshmipathimurugan.
Could you confirm what the actual user experience is? Were you able to confirm that Facebook traffic is not blocked? Some of the traffic will have a URL category as any until the Firewall has enough traffic to go through to properly categorize it; this should, however, eventually result in traffic being blocked by matching the right policy. Before that happens, some of the logs will have category any.
To block Facebook traffic, decryption is not required; the Facebook traffic will be categorized based on the initial SSL handshake by looking into the SNI of the certificate.
Kind Regards
Pavel