This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

URL Filter doesn't work in Deny rule

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

URL Filter doesn't work in Deny rule

Go to solution
SeanBui
L1 Bithead

‎05-22-2017 03:16 AM - edited ‎05-22-2017 03:43 AM

I have 2 rules for IT group: IT_Deny and IT_Allow as in the picture below. I'm using a same profile group for both rules, in profile group I have a URL_filter that block some websites like bbc.com, cnn.com

But when I access bbc/cnn, I get blocked by URL filter in profile group in IT_Allow rule. I don't understand why I don't get blocked by IT_Deny rule, IT_Deny rule still let me access bbc/cnn??

 

Capture.PNG

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to SeanBui

‎05-22-2017 07:15 PM - edited ‎05-22-2017 07:25 PM

It was mentioned that SYN matches second rule and for that reason block rule does not apply. This is not correct.

Every application shift invokes policy check. If application changes to web-browsing then ruleset is checked again.

 

Your issue is that Security Profiles are checked only if Security Policy permits traffic.

If policy denies traffic then Security Profiles are not checked.

Good example is that there is no reason to look for viruses in traffic that is blocked anyway.

 

If you want to block URL categories then you:

- Block it in URL profile and set policy action Allow.

- Add URL category directly into policy (under Service/URL Category tab) and set rule action to Deny

 

@SeanBui I edited reply a bit.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

10 REPLIES 10

Go to solution
Hithead
L4 Transporter

‎05-22-2017 04:25 AM

can you please upload a screenshot of the traffic and url logs? (deny and allow case)

0 Likes Likes

Go to solution
TranceforLife
L6 Presenter

‎05-22-2017 05:42 AM - edited ‎05-22-2017 05:42 AM

Most likely you are not matching all security policy criteria (s) (e.g destination ip). Not sure if security profiles even processed for "deny" action in the security policies. 

0 Likes Likes

Go to solution
VinceM
L5 Sessionator

‎05-22-2017 09:00 AM

Hi,

 

It can be explained because your traffic doesn't match your first rule. On ly diff is your app group ITT, which app are embeded ?

 

On which criteria do you want to allow or block access to these URL ?? AD member ? list of IP ?

 

V.

 

0 Likes Likes

Go to solution
gwesson
L7 Applicator
In response to VinceM

‎05-22-2017 11:09 AM

@VinceM and @TranceforLife are both correct. 

 

When the first packet arrives, it looks to see if it matches your first rule (IT_Deny). If you're attempting to block sites like bbc.com and cnn.com, the first packet will just be a SYN packet on port 443. That SYN packet is not enough to identify the app as SSL for the app-id engine (even though eventually it will be identified as such). Since that first packet doesn't get denied, it won't match that rule until an app-id shift.

 

When your first TLS packet arrives at the firewall (Client Hello, likely containing the server name) can now identify that it is cnn/bbc, and deny it based on your URL filtering profile. The traffic was being processed on rule 2 (IT_Allow) at the time that information was available, so that's what it matches in your logs.

 

If you're set on having a deny policy for this, add the category to the IT_Deny policy. But it won't give the user a nice category deny page, instead it'll just drop the packet. It's generally much better to allow the traffic and use the URL filtering profile to handle what is denied and allowed.

0 Likes Likes

Go to solution
SeanBui
L1 Bithead

‎05-22-2017 06:40 PM - edited ‎05-22-2017 06:59 PM

First of all, Thank you all for your reply. I provide some more information about my rules

 

t1.PNG

In IT_Deny rule I also block some applications. IT_Deny rule works good blocking these apps

 

t2.PNG

This is my Profile group used for both Deny and Allow rule, using URL_filtering profile called ITT_URL

 

t3.PNG

ITT_URL has a blocked category called Block_URL that contains BBC and CNN

 

t4.PNG

And this is my traffic log and URL_filter log when I accessed bbc and cnn. As you can see, these websites are processed by IT_Allow, they passed IT_Deny rule

 

t6.PNG

 

t7.PNG

 

t8.png

 

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to SeanBui

‎05-22-2017 07:15 PM - edited ‎05-22-2017 07:25 PM

It was mentioned that SYN matches second rule and for that reason block rule does not apply. This is not correct.

Every application shift invokes policy check. If application changes to web-browsing then ruleset is checked again.

 

Your issue is that Security Profiles are checked only if Security Policy permits traffic.

If policy denies traffic then Security Profiles are not checked.

Good example is that there is no reason to look for viruses in traffic that is blocked anyway.

 

If you want to block URL categories then you:

- Block it in URL profile and set policy action Allow.

- Add URL category directly into policy (under Service/URL Category tab) and set rule action to Deny

 

@SeanBui I edited reply a bit.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Go to solution
SeanBui
L1 Bithead
In response to Raido_Rattameister

‎05-22-2017 07:48 PM

Thank you very much, my mind is clear now ❤️

Go to solution
TranceforLife
L6 Presenter
In response to Raido_Rattameister

‎05-23-2017 01:26 AM - edited ‎05-23-2017 01:27 AM

This is exactly what I thought. In any case, URL category is another matching criteria where security profiles an additional future (s) and only actual when the policy action is "allow".

0 Likes Likes

Go to solution
ChrisCapra
L1 Bithead
In response to TranceforLife

‎01-31-2020 09:19 AM

Had the same issue, figured out had to block it in the URL Profile and set Rule/Policy to allow. 

0 Likes Likes

Go to solution
OwenFuller
L4 Transporter

‎01-31-2020 11:54 AM

I realize this has been solved, but this KB article might be useful to others having a similar problem understanding the packet flow sequence in PANOS:  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

As stated before, if your rule action is Deny, the additional security policy for URL filtering won't make a difference.  For our default URL blocking rules, we actually have an Allow action with the URL policy doing all the denying.  We do this because it's the only way to get URL filtering logs, and give end users those nice block messages with an explanation and directions for opening a ticket.

0 Likes Likes
  • 1 accepted solution
  • 7791 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks