Source Based Custom URL Lists

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Source Based Custom URL Lists

L4 Transporter

All,

 

Does anyone know a way to setup source-based Custom URL Lists containing domains as an alternative to using source-based IP addresses and address groups?  I don't think it's possible in any of the current versions of PAN-OS but i am looking at options. 


For example, if i want to limit inbound SMTP to our edge Exchange server from the Microsoft Exchange Online cloud, I have to add 24 IP addresses that resolve to *.outbound.protection.outlook.com.  It would be a way better solution to just allow IP's that all resolve to a *.outbound.protection.outlook.com contained in a Custom URL.

 

Am I just missing something here?  Is there a better way to do this?

 

-Matt

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

URL categories can be used for web-browsing traffic not SMTP.

For other traffic you can use IP's or address objects. Address object can be FQDN so name.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-and-Test-FQDN-Objects/t...

Most likely this will not resolve your wish to match *. addresses.

 

Palo Alto has tool MimeMeld  ( https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld ) that can pull info from diferent sources (for example MS IP list https://support.content.office.net/en-us/static/O365IPAddresses.xml ) and Palo can pull this info from MimeMeld and you can use this data in source ip address field of your policy.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

URL categories can be used for web-browsing traffic not SMTP.

For other traffic you can use IP's or address objects. Address object can be FQDN so name.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-and-Test-FQDN-Objects/t...

Most likely this will not resolve your wish to match *. addresses.

 

Palo Alto has tool MimeMeld  ( https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld ) that can pull info from diferent sources (for example MS IP list https://support.content.office.net/en-us/static/O365IPAddresses.xml ) and Palo can pull this info from MimeMeld and you can use this data in source ip address field of your policy.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

This offers some clarity to URL categories as I was always curious on web-browsing/ssl traffic or say a protocol like SMTP using TLS1 (ssl).  This actually make much more sense now going forward.

 

You are right by saying using FQDN will not work as I cannot use *.domain.com in it which is what really i want to be able to do.  Ulitimately i ended up adding the 24 host subnets which resolves the issue, but being able to do wildcard source domains would be way cleaner as unless the domain and subdomains change completely, you would never have to update a IP list again. 

 

I will take a look at the MineMeld tool as well.  I wanted to look at this in the past, I just ran out of cycles to do so.  


Thanks for this!

 

Matt

Few more bits.

URL category is compared to HTTP GET request field.

If you don't decrypt SSL/TLS then this flies by in encrypted payload and Palo can only read data on certificate and compare this to URL category.

 

FQDN resolves name to IP's (like if you run nslookup www.microsoft.com from command prompt) and it is impossible to resolve *.microsoft.com against dns server. 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 1 accepted solution
  • 2922 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!