11-30-2012 02:49 PM
On a PAN with no BrightCloud license, you can still use the URL filtering "Block" and "Allow" lists. Right now I use that feature to have a "log-all" URL filtering policy where I have "*" in the block list and an action of "alert." But now I have one (or it could be a short list) of URLs that I want to really block, i.e. an action of "block." However, if I change my block list to block that one URL with a "block" action, I lose all of my logging of other URLs.
Is there a way to block my URL while still logging everything else that I'm not seeing? Kind of seems like something that should be easy (block some URLs while still retaining the ability to alert others), but I don't see how I can do it reliably.
11-30-2012 05:14 PM
In the absence of a URL filtering license, you should also be able to create a custom category. So if you really need to, create a custom category with the URL you'd like to block, and then continue using the block list to alert on the rest.
11-30-2012 03:58 PM
You can try to create an object using an FQDN and try to apply it in a policy, but it looks like you may need to invest in URL filtering.
12-03-2012 10:18 AM
Thanks. Wasn't sure if custom URLs worked.
So what I did was create a custom URL category for the sites I want to block:
# show profiles custom-url-category
custom-url-category {
wpad {
list [ wpad.am.example.com wpad.example.com];
}
}
Then I create a policy rule that uses that URL category:
# show rulebase security rules "Block WPAD"
"Block WPAD" {
source any;
destination any;
service application-default;
application web-browsing;
action allow;
source-user any;
option {
disable-server-response-inspection no;
}
negate-source no;
negate-destination no;
disabled no;
log-end yes;
from dc;
to internal;
log-setting Panorama-ALL;
hip-profiles any;
log-start no;
category wpad;
}
Don't be misled by the name. The action is currently "allow" while I make sure the rule does not catch traffic inadvertently. And I am a little puzzled by the results. If I do hit a URL that matches the URL category, I get the expected entry in my logs. However, I see a lot of logs,
Time | App | From | Src Port Source |
Rule | Action | To | Dst Port Destination |
Src User | Dst User |
===============================================================================
2012/12/03 10:13:41 incomplete | dc | 63803 | 172.31.152.165 | |
Block WPAD | allow | internal | 80 | 192.168.208.131 |
2012/12/03 10:13:37 incomplete | dc | 50620 | 10.10.10.77 | |
Block WPAD | allow | internal | 80 | 192.168.228.45 |
2012/12/03 10:13:36 incomplete | dc | 63802 | 172.31.152.165 | |
Block WPAD | allow | internal | 80 | 192.168.208.131 |
Even though they are "incomplete," I believe the connections are in fact working. Not sure what these logs mean. I believe they are successful HTTP connections, but the URL does not match. I would expect not to see any log entry at all if that were the case. Is this expected behavior?
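To triage output like the above, here is an added Python example (not from the post and not Palo Alto Networks code) that parses this two-line-per-session traffic log layout into records and counts, per rule and action, how many sessions stayed "incomplete". The sample log is constructed from the shape of the output shown, with one web-browsing session added for contrast.

```python
"""Parse the two-line-per-session traffic log layout shown in the post
(PAN-OS CLI 'show log traffic' style) and summarise which rules are
logging sessions whose application was never identified."""
from collections import Counter

# Constructed sample: same layout as the post's output, plus one
# web-browsing session so the summary has something to distinguish.
SAMPLE_LOG = """\
Time | App | From | Src Port Source |
Rule | Action | To | Dst Port Destination |
Src User | Dst User |
===============================================================================
2012/12/03 10:13:41 incomplete | dc | 63803 | 172.31.152.165 | |
Block WPAD | allow | internal | 80 | 192.168.208.131 |
2012/12/03 10:13:37 incomplete | dc | 50620 | 10.10.10.77 | |
Block WPAD | allow | internal | 80 | 192.168.228.45 |
2012/12/03 10:13:36 web-browsing | dc | 63802 | 172.31.152.165 | |
Block WPAD | allow | internal | 80 | 192.168.208.131 |
"""

def _cells(line):
    """Split one '|'-delimited row into stripped cells."""
    return [c.strip() for c in line.split("|")]

def parse_traffic_log(text):
    """Return one dict per session. Everything after the '=====' separator
    comes in pairs: line 1 is time/app/from/src, line 2 is rule/action/to/dst."""
    lines = [l for l in text.splitlines() if l.strip()]
    start = next(i for i, l in enumerate(lines) if l.startswith("=====")) + 1
    body = lines[start:]
    sessions = []
    for first, second in zip(body[0::2], body[1::2]):
        head, zone_from, sport, src, suser, *_ = _cells(first)
        rule, action, zone_to, dport, dst, *_ = _cells(second)
        tokens = head.split()          # "YYYY/MM/DD HH:MM:SS app"
        sessions.append({
            "time": " ".join(tokens[:2]),
            "app": tokens[2] if len(tokens) > 2 else "",
            "from": zone_from, "sport": int(sport), "src": src, "src_user": suser,
            "rule": rule, "action": action, "to": zone_to, "dport": int(dport), "dst": dst,
        })
    return sessions

def incomplete_by_rule(sessions):
    """Count sessions per (rule, action) whose app stayed 'incomplete', i.e.
    the TCP handshake did not finish or no payload followed it, so no URL
    was ever seen. A high count on a URL-category rule means the rule's
    other criteria are being hit by sessions that never presented a URL."""
    return Counter((s["rule"], s["action"]) for s in sessions if s["app"] == "incomplete")
```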