05-11-2022 06:21 AM
We are trying to use DNS wildcards and Custom URL categories to restrict access to certain machines in a security policy. We cannot get it to work and I cannot find any docs that a URL filtering license is required to use Custom URL categories. I have opened a ticket and have been working with level 1; they haven't provided docs to support my question.
05-11-2022 07:20 AM
Hi @Bill_Allen ,
If you want to use Custom URL as matching criterion in security rule, you don't need URL filtering license.
I am not completely sure if you use the custom URL category in URL filtering profile and assign that profile to security rule, but based on other discussions here in the forum I believe it still will work.
URL filtering license will allow your firewall to query the cloud and check for URL category and apply action based on category. If you don't have license, you don't have category and you cannot determine what action to apply.
Custom URL category is like overriding the category provided by the cloud. So I imagine that without a license no category from the cloud is provided, but because you have a custom category, the firewall can categorize the URL and apply the action.
05-11-2022 06:22 PM
Can you share the custom-url-category you have tested with and how you built out the security entry? If you're just using the category in your security entry directly, you don't need a license as @aleksandar.astardzhiev mentioned. I know that this hasn't changed in any of the PAN-OS releases.
In later versions (although I don't have an unlicensed instance to test with) I'm not sure that you can actually include custom-url-category lists in the URL Filtering profiles and use the profile in your security entry. They've added a big warning about needing a license for URL Filtering to work since 10.0, and I'm not sure if the profile is analyzed if your box isn't licensed. You can still use the custom-url-category as a category in your policies, but I'm not sure the actual url-filtering profile will work on an unlicensed box.
05-19-2022 10:31 AM
I figured it out. You don't need a URL license to use wildcard DNS names. If you are trying to lock down access to certain internet sites, i.e. Microsoft.com, you will need to add the backend sites to the URL category list (i.e. *.microsoftazuread-sso.com, *.msftauth.net, *.azure.com, etc.). I was able to see the failed access to the MS backend sites by using the developer tools in a browser.
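A small checker for the step described in the accepted answer: take the hostnames a browser's developer tools showed failing, and compare them against the entries of the custom URL category before committing the policy. This is an added example, not Palo Alto code and not something posted in the thread. The wildcard semantics it implements (`*` matches one or more tokens, `^` matches exactly one token, tokens split on `.`, `/`, `?`, `&`, `=`, `;`, `+`) are my reading of the documented PAN-OS custom URL category rules and cover only the hostname part, so treat the output as a sanity check rather than as the firewall's own matcher. The category entries are those from the answer plus `*.microsoft.com`; the observed host list is constructed sample data.

```python
"""Audit a PAN-OS style custom URL category against observed hostnames.

Assumption (labelled): '*' consumes one or more tokens, '^' exactly one,
and tokens are split on the separators '.', '/', '?', '&', '=', ';', '+'.
Only hostnames are modelled; URL paths are ignored.
"""
import re

SEPARATORS = r"[./?&=;+]"

# Entries from the accepted answer, plus the apex-site pattern the poster
# was trying to allow. Constructed for this example.
CATEGORY = [
    "*.microsoft.com",
    "*.microsoftazuread-sso.com",
    "*.msftauth.net",
    "*.azure.com",
]

# Constructed sample of hostnames as they might appear in a browser's
# developer-tools network tab while loading the site.
OBSERVED_HOSTS = [
    "www.microsoft.com",
    "login.microsoftonline.com",
    "aadcdn.msftauth.net",
    "autologon.microsoftazuread-sso.com",
    "microsoft.com",
    "portal.azure.com",
    "login.live.com",
]


def tokens(value):
    """Split a hostname or category entry into lower-cased tokens."""
    return [t for t in re.split(SEPARATORS, value.lower()) if t]


def _match(pat, host):
    """Recursive token matcher: pat and host are token lists."""
    if not pat:
        return not host
    head, rest = pat[0], pat[1:]
    if head == "*":
        # '*' must consume at least one token, so it never matches an
        # empty remainder: '*.microsoft.com' does not cover 'microsoft.com'.
        return any(_match(rest, host[i:]) for i in range(1, len(host) + 1))
    if head == "^":
        return bool(host) and _match(rest, host[1:])
    return bool(host) and host[0] == head and _match(rest, host[1:])


def entry_matches(entry, hostname):
    """True if a single custom-category entry matches the hostname."""
    return _match(tokens(entry), tokens(hostname))


def audit_category(entries, observed_hosts):
    """Return (covered, uncovered) hostnames for the given category."""
    covered, uncovered = [], []
    for host in observed_hosts:
        target = covered if any(entry_matches(e, host) for e in entries) else uncovered
        target.append(host)
    return covered, uncovered


if __name__ == "__main__":
    covered, uncovered = audit_category(CATEGORY, OBSERVED_HOSTS)
    print("covered by category:")
    for h in covered:
        print("  ", h)
    print("NOT covered (would be blocked by a rule that only allows the category):")
    for h in uncovered:
        print("  ", h)
```

The uncovered list is the set of hosts to add as further category entries (or to review) before re-testing; note in particular that under these token rules a `*.example.com` entry does not cover the apex `example.com`, so the apex needs its own entry if users reach it directly.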