For details on cookie usage on our site, read our Privacy Policy
Traffic hitting policy rule it shouldn't
- LIVEcommunity
- Discussions
- General Topics
- Re: Traffic hitting policy rule it shouldn't
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-16-2020 05:57 AM
Hi,
PanOS 9.1.0
I need to block traffic to certain websites and domains.
I created a URL Category object and put just one site inside (example.com).
I then created a firewall rule like this:
Source zone: LAN
Source address: any
Dest Zone: WAN
Dest address: any
Application: any
Service/URL Category: my URL Category Object
Action: ALLOW
(I put it on Allow because for at first I just wanted to check what traffic is hitting this rule).
I immediately noticed a very high hit count on the rule and when I viewed the rule logs I noticed it is allowing loads of traffic that doesn't relate to example.com
I'm affraid if I put this rule to Block it will block my outgoing traffic.
What am I missing
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-17-2020 06:12 AM
So I changed it to 'www.sega.com' and it worked! thanks! 🙂
So if I was asked to block domains such as abc.com, def.com, ghe.com etc., I must put 'www' at the begining if it's not actually necessery for normal browsing?
Also, does using URL category in policy rules make the PaloAlto perform a reverse DNS lookup on each packet going through the system? and if so doesn't it have a big impact on performace?
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-17-2020 06:28 AM
The URL is defined by website. In the case of an HTTP request to 'sega.com', the website responds with a 301 (Permanently Moved) to 'www.sega.com'. If you are using Chrome, it will hide the 'www.', but if you click on it will show it. If you use Firefox, you will see that you put in 'sega.com' and then it is changed to 'www.sega.com'. You can use Developer tools on either browser to see what the URL should be by following the request URL.
The firewall doesn't attempt to do a reverse DNS lookup on URL categories. The URL is determined by looking by looking at the HTTP headers, the SSL Client Hello SNI, and SSL Server Hello Common Name (CN) of the Server Certificate Subject DN. This behavior changes if SSL decryption is used.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzlCAC
- IKE phase 1 not working in General Topics
- VM series firewalls not sending logs to Panorama in General Topics
- Traffic getting hits on non-allowed URLs in General Topics
- Traffic hits on the ruler but does not show on the monitor in General Topics
- Traffic stops hitting when one of two FQDN objects in policy not resolvable in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
