- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
09-15-2020 02:05 AM
Hi,
I would like to do url white listing. before i do white listing , i would like to monitor all url of users and office application.
after that i would like to allow specific url only. In paloalto monitoring is only show destination ip address and never show the url. I would like to know can i mornitor the user access url and application access url on paloalto firewall ?
eg. if i want to know all services url of onemap.com or map.me ,how to monitor on paloalto ?
09-15-2020 02:57 AM
Hi @crypto
There are several components that you need to take in consideration:
1. If you want to have full visibility over the visited URLs (not only the domain) you will need to have SSL decryption enabled. If not you will only see the visited domain - or more specifically the domain/subdomain listed in the service certificate
2. PAN FW will log URL/domain information only if this traffic match rule that is applying URL filtering profile with action different from allow.
3. Traffic log will show you only logs generated by security policy rule. If you want to see URL logs you need to look at either URL logs or Unified log (in the GUI)
So I would suggest you to create URL filtering profile with action block for all categories that you are sure you want to block, everything else change to alert. Apply this profile to rule that is matching the web traffic from your users or application (it would be better to have separate rules for different users and application). Create decryption rule that is matching the same traffic as the security rule.
This will provide you with the required information and you only need to collect it - you can either check ACC for quick overview or use the reporting capability to provide aggregated report.
09-15-2020 07:48 PM
Hi,
please correct me , SSL decryption is only for visibility only ?
if we want to block htpps traffic url, we don't need to do SSL decryption,correct ?
So can we see block urls in url filtering log as you mention above post without using SSL decryption ?
09-15-2020 11:08 PM
Hi @crypto ,
That is correct, with SSL decryption firewall will have visibility over the full URL, which ensure more accurate categorization.
If no SSL decryption is enabled FW will use certificate subject name or subject alternative name to identify the requested site and use this information for categorization.
One good example that saw somewhere in this forum a while ago is - take blogger.com which is categorized by PAN-DB as "Personal Sites and Blogs". If I create a blog there to discuss weapons, my blog should fall under "Weapons" category, but since your firewall doesn't have SSL decryption enabled it will only inspect the SSL certificate and will now that the user is trying to react blogger, which is save in general. But if you enable SSL decryption firewall will have access to the full URL and will know that not only user is trying to reach blogger.com, but which specific blog it is trying to reach it and apply more granular control.
Same goes for any other sites that is using wildcard certificate for the whole domain, but different subdomains are categorized differently.
To sum up - even if your don't use SSL decryption you will be able to block HTTPS. In general you probably will be fine without decryption, as you explain it correctly it will give you more visibility and you will have granular control over some edge cases URLs
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!