01-27-2011 12:12 PM
I have a PAN that has been running 3.1.6 quite happily.
We have an internal Exchange/OWA server so we have a rule in place to allow inbound access to it, and the rule uses a URL filtering profile that allows only the IIS virtual directories needed to access the OWA services.
Yesterday I upgraded to 3.1.7 and noticed this morning that immediately after the upgrade I was seeing URL blocking happening on inbound OWA URLs that had previously worked.
I have a case open with Vadition, but wondered if anyone else had encountered this?
02-09-2011 12:00 PM
Please explain what you are doing in greater detail.
I take it you are not using a custom application for this particular policy?
I'd suggest you create a custom application with let's say:
http-req-host-header = hostname\.domain\.com
http-req-uri-path = /virtualdir
Then add the application to your security rule and make sure the application is correctly categorized by adding an application override policy. Wouldn't that work?
02-09-2011 12:06 PM
In the same way you can have an outbound allow/block whitelist/blacklist on a URL profile, you can do the same on inbound rules.
So we have an Outlook Web Access server with an inbound rule, I use URL filtering to ensure people can only get to https://server.fqdn/exchange and not, say, https://server.fqdn/system32/someexploit.etc
We're obviously doing reverse SSL decryption on the inbound traffic.
Everything worked perfectly until we upgraded from 3.1.6 to 3.1.7 at which point all of a sudden URLs were being blocked that weren't previously.
Adding server.fqdn to the whitelist (no sub-directories) has worked around it but we're now coming up to 2 weeks since I opened the case - it's fair to say I'm not comfortable without the URL filtering protection on the inbound traffic.
02-09-2011 12:19 PM
Ok I understand what you are saying. That's a reason to open a case right there.
Don't remember reading about any changes in the release notes for 3.1.7 regarding the URL-filter.
I still think you should try defining this as an application and solving it that way. Any drawbacks/reasons you don't want to use a custom app?
I mean, if you have the complete fqdn and uri in the application you accomplish the same thing.
02-09-2011 12:23 PM
One reason would be I don't know how to
That reason aside, the URL list is quite long as you need to add each virtual directory - presumably even with an app you still need to do this so would I gain that much?
02-09-2011 12:28 PM
It's easy. You will be a kung-fu champ in custom apps in no time
Take a look at this example:
https://live.paloaltonetworks.com/docs/DOC-1492
As you see you can put in "OR" conditions, (in your case each virtual dir on that particular server)
Good luck!
/Oskar
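The host-plus-virtual-directory allow list discussed in this thread, modelled as an added example that is not part of any post and does not reproduce PAN-OS matching logic. It shows which requests a path allow list blocks and which ones the host-only workaround lets through; the directory names other than `/exchange` and all sample URLs are assumptions.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# "server.fqdn" is the placeholder host from the thread. The directory list is an
# assumption for illustration; use the virtual directories your OWA server needs.
OWA_HOST = "server.fqdn"
ALLOWED_DIRS = ("/exchange", "/exchweb", "/public")
HOST_ONLY = ("/",)  # models the workaround: host whitelisted, no sub-directories


def normalize_path(raw_path):
    """Decode percent-escapes once, unify slashes, collapse '.' and '..'."""
    path = unquote(raw_path).replace("\\", "/")
    path = normpath("/" + path.lstrip("/"))  # cannot climb above "/"
    return path.lower()  # IIS paths are case-insensitive


def is_allowed(url, allowed_dirs=ALLOWED_DIRS, host=OWA_HOST):
    """True only if the host matches and the path is under an allowed directory."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != host:
        return False
    path = normalize_path(parts.path)
    for base in allowed_dirs:
        base = base.rstrip("/").lower()
        # Match the directory itself or anything beneath it, never a look-alike
        # prefix such as /exchangeX.
        if path == base or path.startswith(base + "/"):
            return True
    return False


def newly_exposed(urls, strict=ALLOWED_DIRS, loose=HOST_ONLY):
    """URLs the loose list lets through that the strict list would block."""
    return [u for u in urls if is_allowed(u, loose) and not is_allowed(u, strict)]


# Constructed sample requests, not taken from any log.
SAMPLES = [
    "https://server.fqdn/exchange",
    "https://server.fqdn/Exchange/user/Inbox",
    "https://server.fqdn/system32/someexploit.etc",
    "https://server.fqdn/exchange/../system32/someexploit.etc",
    "https://server.fqdn/exchange/%2e%2e/system32/someexploit.etc",
    "https://server.fqdn/exchangeX/page",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print("allow" if is_allowed(url) else "block", url)
```

Running `newly_exposed` over a sample of real request URLs from the traffic log gives a quick measure of what the host-only workaround stops filtering.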