08-16-2013 05:52 AM
Hi,
I'm sure this was working at some stage but now it's not working the way I need it: I have a rule from inside to outside, any user, web-browsing and a URL category of gambling, allow the traffic and use log forwarding with no profiles selected.
The problem is that the URL is matched on ANY traffic. Doing a 'test url' from the command line lists them as "computer-and-internet-info" and the url-cache is looking good. The box is licensed for PAN-DB as well. Any idea what I'm doing wrong?
Thanks
08-16-2013 06:17 AM
Can you create a URL filtering profile, set the action to "alert" for "gambling", and apply the URL filtering profile to the rule, instead of matching the URL category of gambling on the rule itself?
08-16-2013 06:30 AM
Here are a couple of useful links that explain why creating the URL filtering profile is preferred over adding the category on the rule itself:
https://live.paloaltonetworks.com/message/28646#28646
https://live.paloaltonetworks.com/message/23810#23810
https://live.paloaltonetworks.com/docs/DOC-3108
BR,
Karthik RP
08-16-2013 12:12 PM
If I understand it correctly:
1. You have a PAN-DB URL filtering license.
2. In the policy you have gambling as the URL category.
Question:
Is the URL that you are going to supposed to be categorized as gambling, or is it indeed "computer-and-internet-info"? If it is gambling then you can request a URL categorization change,
since the URL is not being identified correctly. You can go to the following site to do that
(http://urlfiltering.paloaltonetworks.com/testASite.aspx) or I believe you can also do it directly from the device as well.
If that is not the case, and the site you are going to is "computer-and-internet-info" and that is what the test url command is showing, but in the traffic policy we are not hitting it correctly,
then you can try to clear the cache by using the following commands and then test if it is hitting the correct policy:
“clear url-cache url <URL>”
“delete url-database url <URL>”
Next time the device will ask for the category of this URL, the request will be forwarded to the cloud.
Let us know if this helps you resolve the issue.
Thank you
Numan
08-16-2013 04:45 PM
Thanks for the replies.
I understand that I can use the profiles but what I'm really trying to find out is why this doesn't work with the URL category straight in the rule itself. The URL is www.microsoft.com and correctly identified as "computer-and-internet-info". The same thing happens for www.intel.com. I've changed the category to 'adult' and still the same. I've cleared the entire URL cache and deleted the URL database and the rule is still incorrectly triggered. Below is the rule and a log entry for intel.com.
BTW, I've tried this on another PA-200, also 5.0.5 with a similar result.
Thanks
08-16-2013 09:56 PM
Have you had a look at this discussion?
08-16-2013 11:00 PM
I have now but unfortunately it does not solve my problem. I really need to know why something like Intel.com triggers the test rule I created. I understand the logging part but I don't understand why the rule does not work as expected.
08-17-2013 05:35 AM
This is expected behaviour. I know it seems like an issue, but using URL category is not a good solution. You see incomplete in the log you attached. Here is the explanation:
"Incomplete means we have not had enough packets to identify the application being used in the session. When this happens we will use the first policy match that will match the source and destination zones and IPs and then the service (port numbers). This has to be done for enough of the packets to go through and then let us apply the rules per application. This is also true for the URL filtering: until we know the application we can't apply these rules to the traffic."
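Added example, not part of the original thread and not Palo Alto Networks code: a simplified Python model of the first-match behaviour the quoted explanation describes, where a criterion that cannot be evaluated yet (application or URL category still unknown) does not exclude a rule. The rule names, the tcp/80 service and the `default-deny` fallback are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    port: Optional[int] = None          # None = any service
    app: Optional[str] = None           # None = any application
    url_category: Optional[str] = None  # None = any URL category

@dataclass
class Session:
    src_zone: str
    dst_zone: str
    port: int
    app: Optional[str] = None           # None = not identified yet ("incomplete")
    url_category: Optional[str] = None  # None = no URL seen yet

def _ok(wanted, seen):
    # A criterion passes when the rule leaves it open, when the session value
    # is not known yet (it cannot be evaluated), or when the values are equal.
    return wanted is None or seen is None or wanted == seen

def first_match(rules, s):
    """Return the name of the first rule the session matches, top to bottom."""
    for r in rules:
        if (r.src_zone == s.src_zone and r.dst_zone == s.dst_zone
                and _ok(r.port, s.port) and _ok(r.app, s.app)
                and _ok(r.url_category, s.url_category)):
            return r.name
    return "default-deny"

# Hypothetical rulebase: the poster's test rule above a general web rule.
RULES = [
    Rule("log-gambling", "inside", "outside", 80, "web-browsing", "gambling"),
    Rule("allow-web", "inside", "outside", 80, "web-browsing"),
]

def demo():
    base = ("inside", "outside", 80)
    early = Session(*base)  # handshake only: app and category unknown
    known = Session(*base, "web-browsing", "computer-and-internet-info")
    gambling = Session(*base, "web-browsing", "gambling")
    return tuple(first_match(RULES, s) for s in (early, known, gambling))

if __name__ == "__main__":
    print(demo())
```

In this model a session that ends before the application is identified stays attributed to the URL-category rule, which corresponds to the "incomplete" entries seen in the poster's log.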
08-17-2013 06:28 AM
Understood. Thanks for the explanation!
08-17-2013 07:31 AM
Try clearing the sessions for that source ip. I have got this working.
>clear session all filter source <source ip>
08-17-2013 09:11 AM
To not see incomplete, etc. applications hitting that rule, the only way is to change that rule's logging to session start (not end). Otherwise, although you clear all sessions, this behaviour will not change; you will see unexpected traffic hitting that URL category - web-browsing rule.
Regards.