09-23-2014 12:03 AM
We are using the BrightCloud URL DB for URL Filtering. Last week we discovered an issue that users can’t access the URL http(s)://www.haalmeeruitjecard.nl
Searching the PaloAlto we see that it is not blocked in the URL Log. BrightCloud gives the URL Category as “business-and-economy” and that is allowed.
Still the session can’t be set up and we did not see any block page at all.
Looking further, we discovered that it is blocked by the Anti-Spyware Rule with the Suspicious DNS Query action. We block Suspicious DNS Queries.
In the Threat log was reported: Suspicious DNS Query (www.haalmeeruitjecard.nl)!! Uuh, this is a normal site here in the Netherlands.
So is it the Threat DB that is causing this??? NO, I found out that the URL is marked in the PAN-DB URL Database as malware.
Requested a change for PAN-DB and after this was changed we had no more Suspicious DNS Queries for this URL.
URL: www.haalmeeruitjecard.nl
Previous category: malware
You suggested: financial-services
New category: financial-services
The new categorization is available starting with URL DB version: 2014.09.22.221
Does this mean that the PaloAlto Device is using both URL databases to provide protection?
Is it then maybe better to migrate to the PAN-DB URL Database so that all information is provided from 1 DB?
Thanks for your responses.
Osman Bor
09-23-2014 01:53 PM
Hi Osman,
Yes, you are right, the PA firewall uses both DBs to protect your network. In your example, even though BrightCloud categorizes the traffic as business-and-economy, the URL in question was categorized as suspicious by PAN-DB (which turned out to be a false positive in this case) and was blocked by our Spyware engine.
Migrating to PAN-DB might be a good option as we have total control over it, resulting in faster resolution for URL DB issues. Hope that helps. Thank you.
09-23-2014 12:47 AM
Hello Osman,
The PAN firewall has multiple layers of protection on it. Example: the content/packet will be inspected by:
--- URL filtering database (BrightCloud or PAN-DB) for categorization.
--- Application & Threat database for Vulnerability/DNS signature checking.
--- Antivirus database for virus/Antispyware checking.
So, if any packet is identified as malicious in nature, it will be blocked by the above-mentioned databases.
Thanks
09-23-2014 06:08 AM
Hi Obor,
Please find the VirusTotal analysis for the web site haalmeeruitjecard.nl; it confirms it's not malicious.
Scan report for http://haalmeeruitjecard.nl/ at 2014-09-23 13:06:14 UTC - VirusTotal
Make sure you are on the latest content. If the issue still occurs then please open a case with TAC for the false positive. They should fix it.
Changes will be reflected in the next couple of days.
Regards,
Hardik Shah
09-24-2014 02:32 AM
Hulk,
Yes, it's correct what you're saying, and with the answer of ssharma it looks like this now:
--- URL filtering database (BrightCloud or PAN-DB) for categorization.
--- Application & Threat database & PAN-DB for Vulnerability/DNS signature checking.
--- Antivirus database for virus/Antispyware checking.
Regards,
Osman Bor
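The cross-check the original poster did by hand (the URL log says the site is allowed, while the Threat log shows an Anti-Spyware "Suspicious DNS Query" drop for the same host), as an added Python example. This is not code from the thread or from Palo Alto Networks; the key=value log lines are constructed stand-ins and do not follow the real PAN-OS log layout.

```python
import re

# Constructed sample logs in a simplified key=value form (NOT the real PAN-OS
# CSV layout); only the fields the thread relies on are mimicked.
URL_LOG = """\
type=URL action=alert category=business-and-economy url=www.haalmeeruitjecard.nl/ src=10.0.0.12
type=URL action=block-url category=malware url=bad.example/index.html src=10.0.0.33
"""
THREAT_LOG = """\
type=THREAT subtype=spyware action=drop threat="Suspicious DNS Query (haalmeeruitjecard.nl)" src=10.0.0.12
type=THREAT subtype=spyware action=drop threat="Suspicious DNS Query (bad.example)" src=10.0.0.33
type=THREAT subtype=vulnerability action=alert threat="Generic Scanner Activity" src=10.0.0.9
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DNS_SIG_RE = re.compile(r'Suspicious DNS Query \(([^)]+)\)')

def parse_kv(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def norm_host(host):
    """Lower-case, drop any path and a leading 'www.' so URL and DNS entries compare equal."""
    host = host.lower().split('/')[0]
    return host[4:] if host.startswith('www.') else host

def url_allowed_hosts(url_log):
    """Hosts the URL filtering DB let through, mapped to their category."""
    allowed = {}
    for line in url_log.splitlines():
        rec = parse_kv(line)
        if rec.get('type') == 'URL' and not rec.get('action', '').startswith('block'):
            allowed[norm_host(rec['url'])] = rec['category']
    return allowed

def dns_blocked_hosts(threat_log):
    """Hosts dropped by the Anti-Spyware 'Suspicious DNS Query' signature."""
    blocked = set()
    for line in threat_log.splitlines():
        rec = parse_kv(line)
        if rec.get('subtype') == 'spyware' and rec.get('action') == 'drop':
            m = DNS_SIG_RE.search(rec.get('threat', ''))
            if m:
                blocked.add(norm_host(m.group(1)))
    return blocked

def find_conflicts(url_log, threat_log):
    """Hosts allowed by URL category but dropped at the DNS stage: the false-positive candidates to verify and report."""
    allowed = url_allowed_hosts(url_log)
    blocked = dns_blocked_hosts(threat_log)
    return sorted((h, allowed[h]) for h in allowed if h in blocked)
```

A host that appears in both the URL-allowed set and the DNS-dropped set is exactly the situation in the thread: no block page, an allowed category, and a session that still never comes up.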