12-20-2016 12:17 PM - edited 12-20-2016 12:18 PM
All,
Does anyone know a way to set up source-based Custom URL Lists containing domains as an alternative to using source-based IP addresses and address groups? I don't think it's possible in any of the current versions of PAN-OS but I am looking at options.
For example, if I want to limit inbound SMTP to our edge Exchange server from the Microsoft Exchange Online cloud, I have to add 24 IP addresses that resolve to *.outbound.protection.outlook.com. It would be a way better solution to just allow IPs that all resolve to *.outbound.protection.outlook.com contained in a Custom URL.
Am I just missing something here? Is there a better way to do this?
-Matt
12-20-2016 08:33 PM
URL categories can be used for web-browsing traffic, not SMTP.
For other traffic you can use IPs or address objects. An address object can be an FQDN, i.e. a name.
Most likely this will not resolve your wish to match *. addresses.
Palo Alto has a tool, MineMeld ( https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld ), that can pull info from different sources (for example the MS IP list https://support.content.office.net/en-us/static/O365IPAddresses.xml ), and Palo can pull this info from MineMeld and you can use this data in the source IP address field of your policy.
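The reply above describes the workable pattern: take a vendor-published IP list, turn it into an address list, and match policy on source IP rather than on a name. The script below is an added example, not code from the thread, from MineMeld or from Palo Alto Networks. It parses an XML document constructed for this example (its `<products>/<product>/<addresslist type=...>/<address>` layout is an assumption modelled on the old O365IPAddresses.xml feed), collapses the IPv4 ranges for one product into the smallest set of CIDRs, emits them one per line (the plain-text form a PAN-OS external dynamic list of type IP consumes), and shows how a candidate sender IP is checked against that set by containment, which is the only kind of match a firewall can do on SMTP source addresses.

```python
"""Added example: vendor XML IP list -> collapsed CIDR list -> plain-text
source-address list, plus a containment check for candidate sender IPs.

SAMPLE_XML is constructed for this example; its element layout mirrors the
shape of the old O365IPAddresses.xml feed (an assumption, not a copy).
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<products updated="1/1/2017">
  <product name="EXO">
    <addresslist type="IPv4">
      <address>198.51.100.0/25</address>
      <address>198.51.100.128/25</address>
      <address>203.0.113.16/28</address>
    </addresslist>
    <addresslist type="IPv6">
      <address>2001:db8:10::/48</address>
    </addresslist>
    <addresslist type="URL">
      <address>*.outbound.protection.outlook.com</address>
    </addresslist>
  </product>
  <product name="SPO">
    <addresslist type="IPv4">
      <address>192.0.2.0/24</address>
    </addresslist>
  </product>
</products>
"""


def extract_networks(xml_text, product, family="IPv4"):
    """Return the collapsed list of networks published for one product.

    Only addresslists of the requested family are read: the URL lists hold
    wildcard names, which cannot be matched on an IP-based rule, and
    collapse_addresses() refuses mixed IPv4/IPv6 input.
    """
    root = ET.fromstring(xml_text)
    nets = []
    for prod in root.iter("product"):
        if prod.get("name") != product:
            continue
        for lst in prod.iter("addresslist"):
            if lst.get("type") != family:
                continue
            for addr in lst.iter("address"):
                text = (addr.text or "").strip()
                if text:
                    # strict=False tolerates host bits set in the feed
                    nets.append(ipaddress.ip_network(text, strict=False))
    # Adjacent /25s become one /24; duplicates and subnets are merged.
    return list(ipaddress.collapse_addresses(nets))


def to_edl_text(networks):
    """One CIDR per line, the format an IP-type external dynamic list reads."""
    return "\n".join(str(n) for n in networks) + "\n"


def is_allowed_source(ip_text, networks):
    """True if the sender IP falls inside any published network."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in n for n in networks)


if __name__ == "__main__":
    exo = extract_networks(SAMPLE_XML, "EXO")
    print(to_edl_text(exo), end="")
    for sender in ("198.51.100.200", "192.0.2.5"):
        print(sender, "allowed" if is_allowed_source(sender, exo) else "denied")
```

Re-running the script whenever the feed changes and republishing the text file is what keeps the rule current without touching the policy itself; a diff of the old and new output is also a cheap way to review what the upstream provider added or removed.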
12-21-2016 10:03 AM
This offers some clarity to URL categories as I was always curious on web-browsing/ssl traffic or say a protocol like SMTP using TLS1 (ssl). This actually makes much more sense now going forward.
You are right by saying using FQDN will not work as I cannot use *.domain.com in it, which is really what I want to be able to do. Ultimately I ended up adding the 24 host subnets which resolves the issue, but being able to do wildcard source domains would be way cleaner as, unless the domain and subdomains change completely, you would never have to update an IP list again.
I will take a look at the MineMeld tool as well. I wanted to look at this in the past, I just ran out of cycles to do so.
Thanks for this!
Matt
12-21-2016 10:41 AM
A few more bits.
URL category is compared to the HTTP GET request field.
If you don't decrypt SSL/TLS then this flies by in the encrypted payload and Palo can only read data on the certificate and compare this to the URL category.
FQDN resolves a name to IPs (like if you run nslookup www.microsoft.com from a command prompt) and it is impossible to resolve *.microsoft.com against a DNS server.
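Since a wildcard name cannot be looked up, the only way to learn whether a given sender IP "belongs to" *.outbound.protection.outlook.com is to go the other way: reverse-resolve the IP, check the suffix, then forward-resolve the returned name and confirm it contains the original IP (forward-confirmed reverse DNS). The script below is an added example, not from the thread or from Palo Alto Networks; it is an audit-time check over sender IPs taken from connection logs, not a policy mechanism. The resolver functions are injectable so it runs offline against constructed PTR and A data; with no resolvers passed it uses the standard library's `socket.gethostbyaddr` and `socket.gethostbyname_ex`.

```python
"""Added example: forward-confirmed reverse DNS (FCrDNS) check of sender IPs
against a wildcard domain suffix, with injectable resolvers for offline use.

The PTR/A data below is constructed for this example.
"""
import socket

SUFFIX = "outbound.protection.outlook.com"

# Constructed reverse (PTR) data: ip -> hostname
CONSTRUCTED_PTR = {
    "198.51.100.10": "mail-a.outbound.protection.outlook.com.",
    "198.51.100.11": "MAIL-B.Outbound.Protection.Outlook.com",
    "203.0.113.7": "mail-z.outbound.protection.outlook.com",   # spoofed PTR
    "203.0.113.8": "outbound.protection.outlook.com.evil.example",
    "192.0.2.4": "relay.example.net",
}

# Constructed forward (A) data: hostname -> list of IPs
CONSTRUCTED_A = {
    "mail-a.outbound.protection.outlook.com": ["198.51.100.10"],
    "mail-b.outbound.protection.outlook.com": ["198.51.100.11", "198.51.100.12"],
    "mail-z.outbound.protection.outlook.com": ["198.51.100.13"],  # not 203.0.113.7
    "outbound.protection.outlook.com.evil.example": ["203.0.113.8"],
    "relay.example.net": ["192.0.2.4"],
}


def _fake_reverse(ip):
    if ip not in CONSTRUCTED_PTR:
        raise socket.herror(1, "no PTR record")
    return CONSTRUCTED_PTR[ip]


def _fake_forward(name):
    if name not in CONSTRUCTED_A:
        raise socket.gaierror(-2, "name not known")
    return CONSTRUCTED_A[name]


def fcrdns_matches(ip, suffix, reverse=None, forward=None):
    """True only if PTR(ip) ends with the suffix AND A(PTR(ip)) contains ip."""
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    forward = forward or (lambda name: socket.gethostbyname_ex(name)[2])
    try:
        name = reverse(ip).rstrip(".").lower()   # normalise case and trailing dot
    except OSError:                               # herror/gaierror are OSErrors
        return False
    suffix = suffix.lower()
    # Label-boundary match: "x.suffix" or "suffix", never "suffix.evil.example"
    if not (name == suffix or name.endswith("." + suffix)):
        return False
    try:
        return ip in forward(name)                # the forward confirmation
    except OSError:
        return False


def audit_senders(ips, suffix, reverse=None, forward=None):
    """Map each sender IP to whether it is forward-confirmed under suffix."""
    return {ip: fcrdns_matches(ip, suffix, reverse, forward) for ip in ips}


if __name__ == "__main__":
    senders = list(CONSTRUCTED_PTR) + ["203.0.113.99"]   # last one has no PTR
    for ip, ok in audit_senders(senders, SUFFIX, _fake_reverse, _fake_forward).items():
        print(f"{ip:15} {'confirmed' if ok else 'REJECT'}")
```

The two deliberate failure cases matter more than the successes: a PTR record is controlled by whoever owns the reverse zone for the IP, so a PTR alone proves nothing until the forward lookup agrees, and a suffix test done with a plain string `endswith` (without the leading dot) would accept `outbound.protection.outlook.com.evil.example`.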