Within Panorama, while managing client firewalls, routinely the customer wants some variation of the built-in URL category restrictions. It is great to have so many categories, and for the most part they are well apportioned. However, to get around the one-off requests for sites to be opened that are in a category that is blocked, it is our policy to build a separate custom whitelist URL Category. It is automatically populated to the URL Filtering at the bottom and we are able to turn it on to allow traffic.
The problem that I am noticing is the top-down reading of the categories will often knee-jerk block a site that is whitelisted later. Occasionally the site gets through, but by and large it does not. To resolve this we often have to either open a category that is undesired or put in a request for a site reclassification that can take a while. Meanwhile the client is either exposed to unwanted traffic or has to wait for the reclassification.
I would like to suggest allowing category shuffling for custom URL categories within the URL Filtering. That will allow a custom category to be moved above its rival built-in category so that it reads the allowance before the block. Or just switch the spawn point of the custom categories to the top instead of the bottom, since they are always desired sites.
Thank you for listening.
In a URL filtering profile your custom categories are actually always processed first. Afterwards the built-in categories are processed - there is no top-down processing within URL filtering profiles.
Did you check the exact URL with the URL in your custom category? Does it really match when the problem happens?
As @vsys_remo mentioned, top-down actually isn't how this works. An allow action will always take precedence over a deny action when working with the URL Categories. My thought would be the same then, that you aren't actually including all the necessary URLs in your whitelist entries. Take a look at the URL logs and see what is actually being denied and verify that the entry you've inputted will actually match.
I see what you are saying. When I look at the logs, it shows the site blocked when they do not use the www. at the beginning. That may be because I have a wildcard in the subdomain location and am forcing them to put something there to trigger the custom category. I appreciate the follow up.
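Added example (not part of the thread and not Palo Alto's matching code): a small Python check that takes custom-category entries and hostnames seen in denied URL log entries and lists the ones no entry covers, which is the verification suggested in the replies above. It assumes a simplified, host-only model in which `*` stands for one or more whole hostname labels; the entries and log URLs are constructed sample data.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Return the lowercase hostname of a logged URL (scheme optional)."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def entry_matches(entry, host):
    """Match a host against one entry; '*' = one or more whole labels (assumed model)."""
    pat = entry.lower().split(".")
    labels = host.split(".")

    def walk(i, j):
        if i == len(pat):
            return j == len(labels)
        if pat[i] == "*":
            # '*' must consume at least one label, so a bare domain never matches.
            return any(walk(i + 1, k) for k in range(j + 1, len(labels) + 1))
        return j < len(labels) and pat[i] == labels[j] and walk(i + 1, j + 1)

    return walk(0, 0)

def uncovered(entries, logged_urls):
    """Return logged URLs whose host matches no entry in the custom category."""
    return [u for u in logged_urls
            if not any(entry_matches(e, host_of(u)) for e in entries)]

# Constructed sample data (not from the thread).
WHITELIST = ["*.example.com"]
DENIED_LOG_URLS = [
    "www.example.com/login",
    "example.com/login",
    "cdn.assets.example.com/app.js",
]

if __name__ == "__main__":
    for url in uncovered(WHITELIST, DENIED_LOG_URLS):
        print("no whitelist entry matches:", url)
    # Adding the bare domain as a second entry closes the gap.
    print(uncovered(WHITELIST + ["example.com"], DENIED_LOG_URLS))
```

Running the denied URLs from the firewall's URL logs through a check like this before requesting a reclassification shows whether the whitelist entry, rather than the category processing, is what fails to match.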