Security Policy Rule matches on ALL URL categories

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Security Policy Rule matches on ALL URL categories

L1 Bithead

Hi,

I'm sure this was working at some stage but now it's not working the way I need it: I have a rule from inside to outside, any user, web-browsing and a URL category of gambling, allow the traffic and use log forwarding with no profiles selected.

The problem is that the URL is matched on ANY traffic. Doing a 'test url' from the command line lists them as " computer-and-internet-info" and the url-cache is looking good. The box is licensed for PAN-DB as well. Any idea what I'm doing wrong?

Thanks

1 accepted solution

Accepted Solutions

This is expected behaviour.I know it seems like an issue but using url category is not a good solution.You see incomplete in the log you attached.Here is the explanation

"Incomplete means we have not had enough packets to identify the application being used in the session. When this happens we will use the first policy match that will match the source and destination zones and IP's and then the service (port numbers) this has to be done for enough of the packets to go through and then let us apply the rules per application, this is also true for the URL filtering, until we know the application we can't apply these rules to the traffic."

View solution in original post

10 REPLIES 10

L5 Sessionator

Can you create a URL filtering profile,  setting the action to "alert" for  "gambling", and applying the URL filtering profile to the rule, instead of matching the URL category of gambling on the rule itself.

L5 Sessionator

Here a couple of useful links that explain why creating the URL filtering profile is preferred over adding the category on the rule itself

https://live.paloaltonetworks.com/message/28646#28646

https://live.paloaltonetworks.com/message/23810#23810

https://live.paloaltonetworks.com/docs/DOC-3108

BR,

Karthik RP

L5 Sessionator

If i understand it correctly

1. you have PAN-DB URL filtering license

2. In the policy you have gambling as URL category

Question:

The URL that you are going to is it suppose to be categorized as gambling or it is indeed "computer-and-internet-info" . If it is gambling then you can request a URL categorization change request.
Since the URL is not being identified correctly. You can go to the following site to do that

(http://urlfiltering.paloaltonetworks.com/testASite.aspx) or i believe you can also do it directly from the device as well.


If that is not the case and the site you are going to is "computer-and-internet-info" and that is what the test url command is showing but in the traffic policy we are not hitting it correctly.

Then you can try to clear the cache by using the following commands and then test if it is hitting the correct policy

“clear url-cache url <URL>”

“delete url-database url <URL>”

Next time the device will ask for the category of this URL, the request will be forwarded  to the cloud.


Let us know if this helps you resolve the issue.

Thank you

Numan

Thanks for the replies.

I understand that I can use the profiles but what I'm really trying to find out why this doesn't work with the URL category straight in the rule itself. The URL is www.microsoft.com and correctly identified as "

"computer-and-internet-info". The same thing happens for www.intel.com. I've changed the category to 'adult' and still the same. I've cleared the entire URL cache and deleted the URL database and the rule is still incorrectly triggered. Below is the rule and a log entry for intel.com.


BTW, I've tried this on another PA-200, also 5.0.5 with a similar result.


Thanks



rule.PNG

log.PNG

L6 Presenter

Have you had a look at this discussion?

https://live.paloaltonetworks.com/message/16814#16814

I have now but unfortunately it does not solve my problem. I really need to know why something like Intel.com triggers the test rule I created. I understand the logging part but I don't understand why the rule does not work as expected.

This is expected behaviour.I know it seems like an issue but using url category is not a good solution.You see incomplete in the log you attached.Here is the explanation

"Incomplete means we have not had enough packets to identify the application being used in the session. When this happens we will use the first policy match that will match the source and destination zones and IP's and then the service (port numbers) this has to be done for enough of the packets to go through and then let us apply the rules per application, this is also true for the URL filtering, until we know the application we can't apply these rules to the traffic."

Understood. Thanks for the explanation!

L4 Transporter

Try clearing the sessions for that source ip. I have got this working.

>clear session all filter source <source ip>

not to see incomplete or etc.. applications hitting that rule only way is to change that rule's logging to session start( not end.) otherwise alhough you clear all sessions this behaviour will not change, you will see unexpected traffic hitting that url category - web browsing rule.

Regards.

  • 1 accepted solution
  • 7802 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!