Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Rule too allow access to group of URLs?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Rule too allow access to group of URLs?

L4 Transporter

PANOS 7.0.4 and I'm struggling to do something that feels basic 🙂

 

I need to allow anything on the LAN access to

 

  • *.sophos.com 
  • *.sophosupd.com
  • *.sophosupd.net
  • *.sophosxl.net
  • ocsp2.globalsign.com
  • crl.globalsign.com

as per https://community.sophos.com/kb/en-us/121936

 

Right now we use captive portal but of course machines might try to update when nobody is logged in on them.

 

I can't add "address" objects for entire domains (can I?!) and if I add a URL category and create a rule at the top of my ruleset that allow source "any" to destination "any" with service-http, service-https and application "any", and add the URL category that contans the domains above, I seem to see a lot of matches that I wouldn't expect to, as if other traffic is hitting them.

 

Feels like I've overlooked something daft... thanks!

7 REPLIES 7

L4 Transporter

Maybe you can use the AppID "sophos-update" with service "application-default" and URL category "any"?

Thanks but that doesn't work, I guess Sophos Central isn't quite the same app.

 

 

Using the URL filter on a rule that only applies to my own PC I'm seeing Dropbox and other random stuff match the rule.

 

Tbh I didn't expect that something that on paper looks so simple would prove so difficult for a Palo Alto box.

L6 Presenter

@networkadmin wrote:

...if I add a URL category and create a rule at the top of my ruleset that allow source "any" to destination "any" with service-http, service-https and application "any", and add the URL category that contans the domains above, I seem to see a lot of matches that I wouldn't expect to, as if other traffic is hitting them.

 

Feels like I've overlooked something daft... thanks!


 

 

How are you "adding the URL categpry?"  Are you adding it in the security policy or in a URL profile?


@Brandon_Wertz wrote:

@networkadmin wrote:

...if I add a URL category and create a rule at the top of my ruleset that allow source "any" to destination "any" with service-http, service-https and application "any", and add the URL category that contans the domains above, I seem to see a lot of matches that I wouldn't expect to, as if other traffic is hitting them.

 

Feels like I've overlooked something daft... thanks!


 

 

How are you "adding the URL categpry?"  Are you adding it in the security policy or in a URL profile?


Trying on the security policy as if I try adding on a URL profile it would have the effect of blocking everything else.

 I'm getting confused by what you're saying you're trying to do and how you're creating a policy to accomplish that.

 

You said you created a security policy with ANY source / dest / application.  That uses service http/https.

 

What I'm curious about is are you using a custom URL object within the security policy on the "services" tab, or are you using a URL profile with the custom URL object you're referring to?

 

Since you've got an any / any /any rule it's natural for the other traffic to match this rule.  It's only until the domain matching occurs that traffic would transition to a different rule in your firewall.  All that other "random stuff" you reference is occurring over ports 80 and 443 so it initially matches.


@Brandon_Wertz wrote:

 I'm getting confused by what you're saying you're trying to do and how you're creating a policy to accomplish that.

 

You said you created a security policy with ANY source / dest / application.  That uses service http/https.

 

What I'm curious about is are you using a custom URL object within the security policy on the "services" tab, or are you using a URL profile with the custom URL object you're referring to?

 

Since you've got an any / any /any rule it's natural for the other traffic to match this rule.  It's only until the domain matching occurs that traffic would transition to a different rule in your firewall.  All that other "random stuff" you reference is occurring over ports 80 and 443 so it initially matches.


Thanks for the reply and hopefully this will clarify.

 

I'm adding the URL category to the Service/URL category tab on the security policy rule.

I think what @Brandon_Wertz is saying is that additonal traffic would hit this rule and match until it actually did the URL check. You would then need to have a rule after this one that would allow your other traffic to actually work, otherwise it would drop into the default 'deny' rule and your traffic would drop off. 

  • 3726 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!