URL Filter - Block one and log the rest
cancel
Showing results for 
Search instead for 
Did you mean: 

URL Filter - Block one and log the rest

L2 Linker

On a PAN with no BrightCloud license, you can still use the URL filtering "Block" and "Allow" lists. Right now I use that feature to have a "log-all" URL filtering policy where I have "*" in the block list and an action of "alert." But now I have one (or it could be a short list) of URLs that I want to really block, i.e. an action of "block." However, if I change my block list to block that one URL with a "block" action, I lose all of my logging of other URLs.

Is there a way to block my URL while still logging everything else that I'm not seeing? Kind of seems like something that should be easy (block some URLs while still retaining the ability to alert others), but I don't see how I can do it reliably.

1 ACCEPTED SOLUTION

Accepted Solutions

L5 Sessionator

In the absence of a URL filtering license, you should also be able to create a custom category.  So if you really need to, create a custom category with the URL you'd like to block, and then continue using the block list to alert on the rest.

View solution in original post

3 REPLIES 3

L3 Networker

You can try to create an object using an fqdn and try to apply in in a policy, but it looks like you may need to invest in url filtering.

L5 Sessionator

In the absence of a URL filtering license, you should also be able to create a custom category.  So if you really need to, create a custom category with the URL you'd like to block, and then continue using the block list to alert on the rest.

View solution in original post

L2 Linker

Thanks. Wasn't sure if custom URLs worked.

So what I did was create a custom URL category for the sites I want to block:

# show profiles custom-url-category

custom-url-category {

  wpad {

    list [ wpad.am.example.com wpad.example.com];

  }

}

Then I create a policy rule that uses that URL category,

# show rulebase security rules "Block WPAD"

"Block WPAD" {

  source any;

  destination any;

  service application-default;

  application web-browsing;

  action allow;

  source-user any;

  option {

    disable-server-response-inspection no;

  }

  negate-source no;

  negate-destination no;

  disabled no;

  log-end yes;

  from dc;

  to internal;

  log-setting Panorama-ALL;

  hip-profiles any;

  log-start no;

  category wpad;

}

Don't be mislead by the name. The action us currently "allow" while I make sure the rule does not catch traffic inadvertently. And I am a little puzzled by the results. If I do hit a URL that matches the URL category, I get the expected entry in my logs. However, I see a lot of logs,

Time           

App         From        Src Port   Source
Rule            Action      To          Dst Port   Destination
                Src User    Dst User

===============================================================================

2012/12/03 10:13:41 incomplete  dc   63803 172.31.152.165
Block WPAD      allow       internal    80    192.168.208.131
                              
2012/12/03 10:13:37 incomplete  dc   50620 10.10.10.77
Block WPAD      allow       internal    80    192.168.228.45
                              
2012/12/03 10:13:36 incomplete  dc   63802 172.31.152.165
Block WPAD      allow       internal    80    192.168.208.131

Even though they are "incomplete," I believe the connections are in fact working. Not sure what these logs mean. I believe they are successful HTTP connections, but the URL does not match. I would expect not to see any log entry at all if that were the case. Is this expected behavior?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!