PAN 6.1: Filtering inbound traffic layer 7

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PAN 6.1: Filtering inbound traffic layer 7

L3 Networker

If I expose a server to the Internet, can I limit traffic at the PAN so that only a specific path can be reached? 

Say permit www.hoho.com/foo.html but deny www.hoho.com/fa.html or any other path?

1 REPLY 1

L7 Applicator

You could use a custom IPS signature that resets connection for traffic that matches the following conditions:

 - host = www.hoho.com or hoho.com

 - uri/path does NOT = foo.html (or does not contain foo.html, or does not equal to /path1/path2/foo.html, etc.) 

 

Matching against www.hoho.com and/or hoho.com will effectively "arm" the signature, and as if the path strays from what is allowed, it will fire, resetting the connection.  If the path matches what is allowed, then the connection will be allowed to flow normally. 

 

You could use a custom AppID signature instead.  The logic would be the same, but the policy would look different.  Instead of "permit web-browsing to webserver with "custom IPS signature" enabled", it would be "permit application=hoho-com to webserver"

 

Honestly not sure which one would be better... I'd recommend trying them both out to see which one more fully meets your needs.  

 

Does this server provide SSL or just HTTP?  If it's SSL, you'll also need to use an Inbound SSL Inspection profile so that the firewall can look inside of SSL and validate the /foo.html part.

 

Documentation for starting points:

 - https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Creating-Custom-Threat-Signatures/ta-p/58569

 - https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Custom-Application-Signatures/ta-p/58625

 

  • 1743 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!