I have one customer query related to security policy with URL category.
When the SNI/HTTP header is missing and the URL Category is classified as ‘any’, the processing of that session should be moved to the next security policy that matches the URL category of ANY, that also matches the source, destination and port. If there are no custom policies configured that match, it should move to the “interzone-default” rule.
Right now, when looking at the logs, I see IPs of a destination that do not match the URLs in the URL Category, but due to the SNI/HTTP header not being present, it is showing the initial matched rule and shows that it’s allowed. I want to be able to look at the logs and see that it hit an actual rule that had a URL category as ‘any’ that also matches the source, destination, port which is being dropped or denied.
As of now we will process the packet based upon six tuples, we will keep this URL category as "any" till we see SNI packet, http get request packet. Customer has to answerable to his management due to wrong logging.
Kindly check this and share your thoughts!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!