10-21-2016 07:18 AM
PANOS 7.0.4 and I'm struggling to do something that feels basic 🙂
I need to allow anything on the LAN access to
as per https://community.sophos.com/kb/en-us/121936
Right now we use captive portal but of course machines might try to update when nobody is logged in on them.
I can't add "address" objects for entire domains (can I?!) and if I add a URL category and create a rule at the top of my ruleset that allow source "any" to destination "any" with service-http, service-https and application "any", and add the URL category that contans the domains above, I seem to see a lot of matches that I wouldn't expect to, as if other traffic is hitting them.
Feels like I've overlooked something daft... thanks!
10-26-2016 12:21 PM
Thanks but that doesn't work, I guess Sophos Central isn't quite the same app.
Using the URL filter on a rule that only applies to my own PC I'm seeing Dropbox and other random stuff match the rule.
Tbh I didn't expect that something that on paper looks so simple would prove so difficult for a Palo Alto box.
10-28-2016 06:27 AM
@networkadmin wrote:...if I add a URL category and create a rule at the top of my ruleset that allow source "any" to destination "any" with service-http, service-https and application "any", and add the URL category that contans the domains above, I seem to see a lot of matches that I wouldn't expect to, as if other traffic is hitting them.
Feels like I've overlooked something daft... thanks!
How are you "adding the URL categpry?" Are you adding it in the security policy or in a URL profile?
10-28-2016 07:08 AM
@Brandon_Wertz wrote:@networkadmin wrote:...if I add a URL category and create a rule at the top of my ruleset that allow source "any" to destination "any" with service-http, service-https and application "any", and add the URL category that contans the domains above, I seem to see a lot of matches that I wouldn't expect to, as if other traffic is hitting them.
Feels like I've overlooked something daft... thanks!
How are you "adding the URL categpry?" Are you adding it in the security policy or in a URL profile?
Trying on the security policy as if I try adding on a URL profile it would have the effect of blocking everything else.
10-28-2016 11:43 AM
I'm getting confused by what you're saying you're trying to do and how you're creating a policy to accomplish that.
You said you created a security policy with ANY source / dest / application. That uses service http/https.
What I'm curious about is are you using a custom URL object within the security policy on the "services" tab, or are you using a URL profile with the custom URL object you're referring to?
Since you've got an any / any /any rule it's natural for the other traffic to match this rule. It's only until the domain matching occurs that traffic would transition to a different rule in your firewall. All that other "random stuff" you reference is occurring over ports 80 and 443 so it initially matches.
10-28-2016 12:00 PM
@Brandon_Wertz wrote:I'm getting confused by what you're saying you're trying to do and how you're creating a policy to accomplish that.
You said you created a security policy with ANY source / dest / application. That uses service http/https.
What I'm curious about is are you using a custom URL object within the security policy on the "services" tab, or are you using a URL profile with the custom URL object you're referring to?
Since you've got an any / any /any rule it's natural for the other traffic to match this rule. It's only until the domain matching occurs that traffic would transition to a different rule in your firewall. All that other "random stuff" you reference is occurring over ports 80 and 443 so it initially matches.
Thanks for the reply and hopefully this will clarify.
I'm adding the URL category to the Service/URL category tab on the security policy rule.
10-28-2016 12:26 PM
I think what @Brandon_Wertz is saying is that additonal traffic would hit this rule and match until it actually did the URL check. You would then need to have a rule after this one that would allow your other traffic to actually work, otherwise it would drop into the default 'deny' rule and your traffic would drop off.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
