URL Filtering - Changes in 3.1.7?


L4 Transporter

I have a PAN that has been running 3.1.6 quite happily.

We have an internal Exchange/OWA server so we have a rule in place to allow inbound access to it, and the rule uses a URL filtering profile that allows only the IIS virtual directories needed to access the OWA services.

Yesterday I upgraded to 3.1.7 and noticed this morning that immediately after the upgrade I was seeing URL blocking happening on inbound OWA URLs that had previously worked.

I have a case open with Vadition, but wondered if anyone else had encountered this?

5 REPLIES

L3 Networker

Please explain what you are doing in greater detail.

I take it you are not using a custom application for this particular policy?

I'd suggest you create a custom application with, let's say:

http-req-host-header = hostname\.domain\.com

http-req-uri-path = /virtualdir

Then add the application to your security rule and make sure the application is correctly categorized by adding an application override policy. Wouldn't that work?

In the same way you can have an outbound allow/block whitelist/blacklist on a URL profile, you can do the same on inbound rules.

So we have an Outlook Web Access server with an inbound rule, I use URL filtering to ensure people can only get to https://server.fqdn/exchange and not, say, https://server.fqdn/system32/someexploit.etc

We're obviously doing reverse SSL decryption on the inbound traffic.

Everything worked perfectly until we upgraded from 3.1.6 to 3.1.7 at which point all of a sudden URLs were being blocked that weren't previously.

Adding server.fqdn to the whitelist (no sub-directories) has worked around it but we're now coming up to 2 weeks since I opened the case - it's fair to say I'm not comfortable without the URL filtering protection on the inbound traffic.

OK, I understand what you are saying. That's a reason to open a case right there.

Don't remember reading about any changes in the release notes for 3.1.7 regarding the URL-filter.

I still think you should try defining this as an application and solving it that way. Any drawbacks/reasons you don't want to use a custom app?

I mean, if you have the complete fqdn and uri in the application you accomplish the same thing.

One reason would be I don't know how to :)

That reason aside, the URL list is quite long as you need to add each virtual directory - presumably even with an app you still need to do this so would I gain that much?

It's easy, you will be a kung-fu champ in custom apps in no time :)

Take a look at this example:

https://live.paloaltonetworks.com/docs/DOC-1492

As you see, you can put in "OR" conditions (in your case, each virtual dir on that particular server).

Good luck!

/Oskar
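
The trade-off discussed in this thread, as an added example that is not part of any post: a simplified Python model (not PAN-OS's own matching logic) that compares a per-virtual-directory allow list with the host-only workaround and lists the URLs the workaround newly lets through. The entry format, the `/exchweb` and `/public` directories, and all sample URLs other than the two quoted in the thread are constructed for illustration.

```python
# Added example: simplified model of an inbound URL allow list.
# Matching rules here are assumptions, not the firewall's actual engine.
import posixpath
from urllib.parse import urlsplit, unquote

def normalise(url):
    """Return (host, path): lower-cased, %-decoded, dot-segments resolved."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = posixpath.normpath(unquote(parts.path) or "/").lower()
    return host, "/" + path.lstrip("/")   # collapse any leading '//'

def allowed(url, entries):
    """entries: 'host' (every path) or 'host/dir' (that directory and below)."""
    host, path = normalise(url)
    for entry in entries:
        e_host, _, e_dir = entry.lower().partition("/")
        if host != e_host:
            continue
        if not e_dir:
            return True                    # host-only entry allows every path
        prefix = "/" + e_dir.strip("/")
        # Match on a path-segment boundary so /exchange does not cover /exchangebackup
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False

def newly_exposed(urls, scoped, workaround):
    """URLs that pass only because of the broader workaround list."""
    return [u for u in urls if allowed(u, workaround) and not allowed(u, scoped)]

# Constructed allow lists: per-directory entries vs. the host-only workaround
SCOPED = ["server.fqdn/exchange", "server.fqdn/exchweb", "server.fqdn/public"]
WORKAROUND = SCOPED + ["server.fqdn"]

# Constructed sample requests (first and third paths are quoted in the thread)
SAMPLE_URLS = [
    "https://server.fqdn/exchange",
    "https://server.fqdn/Exchange/user/Inbox",
    "https://server.fqdn/system32/someexploit.etc",
    "https://server.fqdn/exchange/../system32/someexploit.etc",
    "https://server.fqdn/exchangebackup/x",
    "https://other.fqdn/exchange",
]

if __name__ == "__main__":
    for url in newly_exposed(SAMPLE_URLS, SCOPED, WORKAROUND):
        print("allowed only by the host-only entry:", url)
```

Running the same list of test URLs through the firewall before and after an upgrade gives a quick regression check that the profile still blocks and allows what it did before.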
