Security Policy Rule matches on ALL URL categories

L1 Bithead

Hi,

I'm sure this was working at some stage but now it's not working the way I need it: I have a rule from inside to outside, any user, web-browsing and a URL category of gambling, allow the traffic and use log forwarding with no profiles selected.

The problem is that the URL is matched on ANY traffic. Doing a 'test url' from the command line lists them as "computer-and-internet-info" and the url-cache is looking good. The box is licensed for PAN-DB as well. Any idea what I'm doing wrong?

Thanks



All Replies
L5 Sessionator

Can you create a URL filtering profile, setting the action to "alert" for "gambling", and apply the URL filtering profile to the rule, instead of matching the URL category of gambling on the rule itself?

L5 Sessionator

Here are a couple of useful links that explain why creating the URL filtering profile is preferred over adding the category on the rule itself:

https://live.paloaltonetworks.com/message/28646#28646

https://live.paloaltonetworks.com/message/23810#23810

https://live.paloaltonetworks.com/docs/DOC-3108

BR,

Karthik RP

L5 Sessionator

If I understand it correctly:

1. You have a PAN-DB URL filtering license.

2. In the policy you have gambling as the URL category.

Question:

The URL that you are going to: is it supposed to be categorized as gambling, or is it indeed "computer-and-internet-info"? If it is gambling then you can submit a URL categorization change request, since the URL is not being identified correctly. You can go to the following site to do that

(http://urlfiltering.paloaltonetworks.com/testASite.aspx) or I believe you can also do it directly from the device as well.


If that is not the case and the site you are going to is "computer-and-internet-info", which is what the test url command is showing, but in the traffic policy we are not hitting it correctly, then you can try to clear the cache by using the following commands and then test if it is hitting the correct policy:

clear url-cache url <URL>

delete url-database url <URL>

Next time the device asks for the category of this URL, the request will be forwarded to the cloud.


Let us know if this helps you resolve the issue.

Thank you

Numan

L1 Bithead

Thanks for the replies.

I understand that I can use the profiles, but what I'm really trying to find out is why this doesn't work with the URL category straight in the rule itself. The URL is www.microsoft.com and it is correctly identified as "computer-and-internet-info". The same thing happens for www.intel.com. I've changed the category to 'adult' and still the same. I've cleared the entire URL cache and deleted the URL database and the rule is still incorrectly triggered. Below is the rule and a log entry for intel.com.


BTW, I've tried this on another PA-200, also 5.0.5 with a similar result.


Thanks



[Attachments: rule.PNG, log.PNG]

L6 Presenter

Have you had a look at this discussion?

https://live.paloaltonetworks.com/message/16814#16814

L1 Bithead

I have now but unfortunately it does not solve my problem. I really need to know why something like Intel.com triggers the test rule I created. I understand the logging part but I don't understand why the rule does not work as expected.

L6 Presenter

This is expected behaviour. I know it seems like an issue, but using a URL category in the rule is not a good solution. You see "incomplete" in the log you attached. Here is the explanation:

"Incomplete means we have not had enough packets to identify the application being used in the session. When this happens we will use the first policy match that will match the source and destination zones and IPs and then the service (port numbers). This has to be done for enough of the packets to go through and then let us apply the rules per application. This is also true for the URL filtering: until we know the application we can't apply these rules to the traffic."

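As an added illustration (not Palo Alto Networks code and not from any poster in this thread), a toy Python model of the two-phase match the accepted answer describes: until the application is identified, a session can only be matched on zones and service, so a category-matching rule listed first catches the "incomplete" packets of every inside-to-outside web session. The rule names, the policy and the implicit default rule name are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    service: set                 # allowed destination ports
    application: str = "any"
    url_category: str = "any"    # category placed on the rule itself

@dataclass
class Session:
    src_zone: str
    dst_zone: str
    dport: int
    application: str = "incomplete"   # unknown until enough packets are seen
    url_category: str = None          # unknown until the URL is seen

def match(rule: Rule, s: Session) -> bool:
    """Match only on what the firewall knows about the session so far."""
    if (rule.src_zone, rule.dst_zone) != (s.src_zone, s.dst_zone):
        return False
    if s.dport not in rule.service:
        return False
    # App and category are tested only once identified; before that, zones + service decide.
    if s.application != "incomplete" and rule.application not in ("any", s.application):
        return False
    if s.url_category is not None and rule.url_category not in ("any", s.url_category):
        return False
    return True

def first_match(rules, s: Session) -> str:
    hit = next((r for r in rules if match(r, s)), None)
    return hit.name if hit else "interzone-default"   # implicit deny (assumed name)

# Constructed policy mirroring the thread: category rule first, a catch-all second.
POLICY = [
    Rule("allow-gambling", "inside", "outside", {80, 443}, "web-browsing", "gambling"),
    Rule("allow-web", "inside", "outside", {80, 443}),
]

def evaluate(url_category: str) -> tuple:
    """Return (rule hit at first packet, rule hit once app and category are known)."""
    s = Session("inside", "outside", 80)
    early = first_match(POLICY, s)                   # logged with app 'incomplete'
    s.application, s.url_category = "web-browsing", url_category
    late = first_match(POLICY, s)
    return early, late
```

Once the category is known, a "computer-and-internet-info" session falls through to the catch-all, but its first packets were already handled under the gambling rule's action and log settings, which is exactly the log entry the thread is puzzling over.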

L1 Bithead

Understood. Thanks for the explanation!

L4 Transporter

Try clearing the sessions for that source IP. I have got this working.

>clear session all filter source <source ip>
