Understanding URL Filtering security profiles vs Rule Action

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Understanding URL Filtering security profiles vs Rule Action

L1 Bithead

Hi!
I have a pretty basic question that I couldn't find the answer to - am hoping that someone could help me understand this.

 

Let's say I have a security rule:

Rule 1: src=192.168.1.0/24, Dst=192.168.2.0/24, Svc=Any, Action=Allow, Security Profile=Antivirus, URL Filter (which blocks Gambling sites)
Rule 2: src=192.168.1.100, Dst=192.168.2.100, Svc=https, Action=Allow, no security profiles associated
Rule 3: Any-Any-Any Drop

 

Would Rule 2 ever get hit at all? 

I was thinking that traffic from 192.168.1.100 to 192.168.2.100 with no URL info would still hit Rule 2, but maybe my understanding is wrong?

 

In addition, I'm a little confused about what Action=Allow or Action=Deny does, when URL filters are configured.
If you have a rule with Action=Allow and URL filtering blocking Gambling sites, and another rule with Action=Deny, same src/dst and URL filtering also blocking Gambling sites, what is the difference between the behavior of these 2 rules?

Thanks!

11 REPLIES 11

Cyber Elite
Cyber Elite

Hello,

The Palo Alto reads policies from top down then left to right. What this means is that all the configured options have to match before the firewall takes action. Once it takes action, it stops evaluating all other policies on that specific traffic. So based on your policies, if 192.168.2.100 is a gambling site, then no it will not be hit/used as the above policy would be hit first. If that IP is not a gambling site, then it is possible that the second policy could get hit/used.

 

As for the actions: 

  • Allow - allows access to the category or site
  • Alert - allows access but also logs the traffic (use this instead of allow)
  • Deny - blocks access to the site or category

Hope this helps!

 

Thank you!

So just to be sure - let's say I have https traffic going from 192.168.1.100 to 192.168.2.100 (and 192.168.2.100 is NOT a gambling site), it would not hit the 1st rule, but would hit the 2nd rule. And if the 2nd rule did not exist, then this traffic would have been dropped by the last rule. Correct?

 

And for the 2nd part of my query, allow me to clarify: I was asking about the Action on the rule itself, not the action within the URL filtering profile.

If you have a rule with Action=Allow (this is the rule action, not on the profile) and URL filtering blocking Gambling sites, and another rule with Action=Deny (this is the rule action, not on the profile), same src/dst and URL filtering also blocking Gambling sites, what is the difference between the behavior of these 2 rules?

Like, how does the action on the rule itself play along with the URL filtering profile?

e.g. 

Rule has action=allow, URL filtering is blocking only gambling sites. 

Rule has action=drop, URL filtering is blocking only gambling sites.

What would be the expected behavior for the 2 scenarios above?

Thanks!

 

(Oh and if you could point me to the reference docs that talks about these scenarios in detail, I would be most happy!)

 

Cyber Elite
Cyber Elite

Hello,

The one thing I forgot to ask was is if the URL filter in the first policy only Gambling sites? If yes, then it would hit the second rule and if the second rule did not exist, it would hit the DENY ALL rule. If you have other URL categories as allowed, then the first rule would be hit if the site is not a gambling site. 

 

As for the second question. If you have URL filtering and some categories are denied but the overall policy is Allow, the any traffic that goes to any of the URL's that are blocked, will be blocked and the rest will be allowed. example: xxx.com is blocked and google.com is allowed via URL filters and the policy is set to Allow. 

 

Hope that makes sense.

Cyber Elite
Cyber Elite

Here are a few links:

Security policy fundamentals

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0

URL filtering implementation and troubleshooting

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRZCA0

 

 

 

Thank you so much!! U have been extremely helpful.

In relation to your reply to the 2nd question, you mentioned:

If you have URL filtering and some categories are denied but the overall policy is Allow, the any traffic that goes to any of the URL's that are blocked, will be blocked and the rest will be allowed. example: xxx.com is blocked and google.com is allowed via URL filters and the policy is set to Allow. 

 

How about if the overall policy is set to Drop? Does it just mean:

- Let's say we have URL filtering set to allow all categories but drop gambling sites.

- traffic is going to gambling site --> drop

- traffic going to other sites --> also drop

- traffic with no URL - doesn't match this rule at all, proceed to next rule

 

Is this the right understanding?

 

Cyber Elite
Cyber Elite

Hello,

You are correct on on both statements. Looks like you have a pretty good grasp of the fundamentals.

 

Cheers!

Thank you! So sorry to trouble you again, I really wanted to understand this in much more detail.

So you mentioned early on:

Palo Alto reads policies from top down then left to right. What this means is that all the configured options have to match before the firewall takes action. Once it takes action, it stops evaluating all other policies on that specific traffic.

 

So again with this set of rules:

Rule 1: src=192.168.1.0/24, Dst=192.168.2.0/24, Svc=Any, Action=Allow, Security Profile=Antivirus, URL Filter (which blocks Gambling sites)
Rule 2: src=192.168.1.100, Dst=192.168.2.100, Svc=tcp/443, Action=Allow, no security profiles associated
Rule 3: Any-Any-Any Drop

 

What are all the scenarios that would cause a packet to match Rule 2?

 

I have thought of one:

If I have traffic from 192.168.1.100 to 192.168.2.100, tcp/443 and does not have any URL info in it (because it's not website traffic), it would not match the 1st rule but would match the 2nd rule, right?

 

And if so, may I say that only traffic/packets that have URL information would match the 1st rule (assuming src/dst/svc matches); traffic that do NOT have URL information (assuming src/dst/svc matches too) would NOT match the 1st rule?

 

Thanks again!

L1 Bithead

To add on to my previous reply, I was also doing more research into Security Profiles in general.

 

Security Profiles (paloaltonetworks.com) states:

When traffic matches the allow rule defined in the security policy, the security profile(s) that are attached to the rule are applied for further content inspection rules such as antivirus checks and data filtering.

Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy.

 

So if my understanding of the above is correct, it would mean that Rule 2 would never get hit...? Because even if you have a packet going from 192.168.1.100 to 192.168.2.100 (tcp/443) without any URL information, it would still match the 1st rule..?

 

Rule 1: src=192.168.1.0/24, Dst=192.168.2.0/24, Svc=Any, Action=Allow, Security Profile=Antivirus, URL Filter (which blocks Gambling sites)
Rule 2: src=192.168.1.100, Dst=192.168.2.100, Svc=tcp/443, Action=Allow, no security profiles associated
Rule 3: Any-Any-Any Drop

Cyber Elite
Cyber Elite

Hello,

If the traffic matched on rule 1 then rule 2 and 3 would not get hit. However there could be scenarios where the traffic does not match rule 1 but matches rule 2.

 

Hope that makes sense.

Thank you! Could you please describe those scenarios where the traffic would not match rule 1 but would still match rule 2? In my previous message, I don't think I really fully understood this line in the Palo user guide that says:

"Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy."

Cyber Elite
Cyber Elite

Hello,

Since I didnt read the rules correctly (my bad) and you have Svc=Any, the second rule could be a 'shadow policy'. So it would not be hit. In the newer version of the code, there are 'hit' counters on the policies and it allows you to see ones not used. This is a useful tool to help weed out the policies that can potentially be 'disabled' and eventually deleted.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0#A7

 

Regards,

  • 6028 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!