URL Filtering issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

URL Filtering issue

L2 Linker

Hi All,

 

So i'm trying to whitelist a site that was tagged as 'parked' by PAN-OS. i added this to a custom URL category, and configured the URL Filtering profile to allow/allow.

 

The site is still getting blocked. To get around this, i filed a request to reclassify the site(to be fair, the update was very quick).

 

This concerns me, as a a lot of our students put up their websites as part of their schoolwork. Should their sites be mislabeled as 'parked'...it doesn't seem practical to file a request for each site, as there are usually 4-5 sections with 40+ students each.

 

The URL Filtering logs indicate the URL has multiple category matches -- <custom url category>, parked. Somehow the 'parked' categorization wins out and the action is 'blocked'.

 

Aren't custom URL categories supposed to win out in this situation?

 

i've read https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC,  but given what i've seen in the logs, this seems to apply to URLs in different custom categories.

 

tia

3 REPLIES 3

Community Team Member

Hi @itassetbenilde ,

 

How did you configure the custom category ?

Sounds very similar to what what happening here where the custom url category was configured incorrectly:

 

https://live.paloaltonetworks.com/t5/next-generation-firewall/parked-domain-blocked-when-traffic-not...

 

Hope this helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L6 Presenter

@itassetbenilde wrote:

Hi All,

 

So i'm trying to whitelist a site that was tagged as 'parked' by PAN-OS. i added this to a custom URL category, and configured the URL Filtering profile to allow/allow.

 

The site is still getting blocked. To get around this, i filed a request to reclassify the site(to be fair, the update was very quick).

 

This concerns me, as a a lot of our students put up their websites as part of their schoolwork. Should their sites be mislabeled as 'parked'...it doesn't seem practical to file a request for each site, as there are usually 4-5 sections with 40+ students each.

 

The URL Filtering logs indicate the URL has multiple category matches -- <custom url category>, parked. Somehow the 'parked' categorization wins out and the action is 'blocked'.

 

Aren't custom URL categories supposed to win out in this situation?

 

i've read https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC,  but given what i've seen in the logs, this seems to apply to URLs in different custom categories.

 

tia


@itassetbenilde  -- I think you're running into the "Category List" function.  It's my understanding that "action" for access to websites via Category Lists are the "most restrictive."  So if any of your URL profile actions is anything other than allow/alert that action based on the list categories will be taken.  In this instance if "Parked" is set to block then based on the "Category List" match criteria the action for access would be "blocked" based on settings.  (Regardless of your custom URL profile, which you're using trying to override.)

 

 

@kiwi here is an example of what I'm referring to from my FW:

Brandon_Wertz_0-1725464504017.png

 

Cyber Elite
Cyber Elite

@itassetbenilde,

I'd recommend setting the URL category, especially something that you created yourself, to at least 'alert' so that it's logged. If you're setting 'allow' you won't see logs when traffic properly matches the custom category.

 

How are you trying to allow the custom category in your security rulebase? When it comes to bypassing URL categorization, I highly recommend having a dedicated security entry that triggers off of the custom category and has the applicable individual profiles allocated.

IE: If I have a "Allow-Blocked-Domains" category as an example, I'll have a security entry that triggers off of the category before my more general traffic rules. Then assign profiles as you see fit; I generally recommend having a url-filtering profile assigned to this entry that simply has all categories set to alert for this rule. This process has proven to be very effective in allowing access and not having to worry about other competing profiles as long as your custom category is matching properly.

  • 690 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!