08-29-2012 10:32 AM
If I were to enter multiple subnets (ex: 218.65.30.0/24) as entries in a Custom URL Category, will those entries be seen as the entire subnet or will they be seen as a URL (http://218.65.30.0/24)? I ask this because I'm looking at creating an outbound block/deny policy based off custom URL categories and I want to make sure I am actually blocking this entire subnet. I am also looking at the possibility of creating this list as a Region and then blocking that region. It seems silly to create an address object for each one and then add them all to an address group, which I know can be done automatically through scripting to save time, but I was wondering if the above scenario would do what I need. Thanks
08-29-2012 02:17 PM
To block the subnet, the correct way is to block at dstip and not dsturl.
However, even if a real browser shouldn't be able to connect to a different IP than the one stated in the URL request (I mean if you type http://5.6.7.8/ in your browser, the browser will try to connect to dstip 5.6.7.8), there could be various malware and possibly other cases where HTTP is being used as a protocol but where the dstip is, for example, 1.2.3.4 while the requested URL is http://5.6.7.8/ for a particular request (or "Host: 5.6.7.8" for that matter).
A question related to this: does PA have an IPS signature for when a client performs a request towards dstip 1.2.3.4 but the URL requested is http://5.6.7.8/ (or rather "Host: 5.6.7.8"), and is this signature valid for both IPv4 and IPv6?
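The mismatch described in the reply above (connection destination IP differs from an IP literal in the Host header) can be checked over proxy or flow logs. This is an added example, not part of the original thread and not Palo Alto's signature logic; the function names and the sample records are constructed for illustration, and it covers both IPv4 and IPv6 literals.

```python
import ipaddress

# Constructed sample records: (TCP destination IP, HTTP Host header value)
SAMPLE_REQUESTS = [
    ("5.6.7.8", "5.6.7.8"),                # browser-like: Host matches dstip
    ("1.2.3.4", "5.6.7.8"),                # the mismatch case from the post
    ("1.2.3.4", "5.6.7.8:8080"),           # mismatch, Host carries a port
    ("2001:db8::1", "[2001:db8::1]"),      # IPv6 literal, matches
    ("2001:db8::1", "[2001:db8::2]:80"),   # IPv6 literal, mismatch
    ("1.2.3.4", "www.example.com"),        # hostname: needs DNS, not judged here
    ("::ffff:5.6.7.8", "5.6.7.8"),         # IPv4-mapped IPv6 dstip, same host
]

def host_ip_literal(host):
    """Return the IP address in a Host header value, or None if it is a name."""
    host = host.strip()
    if host.startswith("["):               # bracketed IPv6, optional :port after ]
        end = host.find("]")
        if end == -1:
            return None
        candidate = host[1:end]
    elif host.count(":") == 1:             # IPv4 or name followed by :port
        candidate = host.split(":")[0]
    else:
        candidate = host
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None

def normalize(ip):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4 before comparing."""
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def host_mismatch(dst_ip, host):
    """True = Host IP literal differs from dstip, False = same, None = Host is a name."""
    literal = host_ip_literal(host)
    if literal is None:
        return None
    return normalize(ipaddress.ip_address(dst_ip)) != normalize(literal)

def flag_mismatches(records):
    """Return only the records whose Host IP literal disagrees with the dstip."""
    return [(dst, host) for dst, host in records if host_mismatch(dst, host) is True]

if __name__ == "__main__":
    for dst, host in flag_mismatches(SAMPLE_REQUESTS):
        print(f"dstip={dst} Host={host} -> mismatch")
```

Requests whose Host header is a hostname return `None` here, since judging them requires resolving the name and comparing against the resolved set.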