To use Custom URL categories require a URL filtering license?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

To use Custom URL categories require a URL filtering license?

L0 Member

We are trying to use DNS wildcards and Custom URL categories to restrict access to certain machines in a security policy. We cannot get it to work and I cannot find any docs that a URL filtering license is required to use Custom URL categories. I have opened a ticket and have to been working with level 1 they haven't provided docs to support my question.

1 accepted solution

Accepted Solutions

L0 Member

I figured it out. You don't need a URL license to use wildcard DNS names. If you are trying locked down access to certain internet sites i.e. Microsoft.com you will need to add the backend sites to the URL category list. (i.e. *.microsoftazuread-sso.com, *.msftauth.net, *.azure.com, etc.) I was able to see the failed access to the MS backend sites by using the developer tools in a browser.

View solution in original post

3 REPLIES 3

Hi @Bill_Allen ,

If you want to use Custom URL as matching criterion in security rule, you don't need URL filtering license.

I am not completely sure if you use the custom URL category in URL filtering profile and assign that profile to security rule, but based on other discussions here in the forum I believe it still will work.

 

URL filtering license will allow your firewall to query the cloud and check for URL category and apply action based on category. If you don't have license, you don't have category and you cannot determine what action to apply.

 

Custom URL category is like overrriding the category provided by the cloud. So I am imagine that without license no category from cloud is provided, but because you have custom category, firewall can categorize the URL and apply the action.

 

 

@Bill_Allen,

Can you share the custom-url-category you have tested with and how you built out the security entry? If you're just using the category in your security entry directly, you don't need a license as @aleksandar.astardzhiev mentioned. I know that this hasn't changed in any of the PAN-OS releases. 

In later versions (although I don't have an unlicensed instance to test with) I'm not sure that you can actually include custom-url-category lists in the URL Filtering profiles and use the profile in your security entry. They've added a big warning about needing a license for URL Filtering to work since 10.0, and I'm not sure if the profile is analyzed if your box isn't licensed. You can still use the custom-url-category as a category in your policies, but I'm not sure the actual url-filtering profile will work on an unlicensed box. 

L0 Member

I figured it out. You don't need a URL license to use wildcard DNS names. If you are trying locked down access to certain internet sites i.e. Microsoft.com you will need to add the backend sites to the URL category list. (i.e. *.microsoftazuread-sso.com, *.msftauth.net, *.azure.com, etc.) I was able to see the failed access to the MS backend sites by using the developer tools in a browser.

  • 1 accepted solution
  • 4646 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!