url filtering with Alert category

Reply
Highlighted
L2 Linker

url filtering with Alert category

Hi, 

 

I have configured the URLs to allow through the firewall with an alert category. 

 

The firewall is allowing the URL but user get the "warning: Potential Security Risk Ahead" page with Go Back (recommended) and Advanced option.

 

Is there any technique to allow user directly go onto the URL page instead go to advanced and continue to the website?

 

I have also sent a reclassification request to Palo Alto. It takes 48 hours based on the Palo documentation. I think this is not an issue here. Might be user need to change settings on to their web browser!!image006.jpg

 

 

 

Thanks for your support. 

 

Regards,

CP

Highlighted
L6 Presenter

@ChiragP  Check if website have valid certificate. Mostly such errors are due to expired or invalid certificate on websites. Also you can try by adding website in trusted sites to avoid such errors.

 

hope it helps!

 

Mayur



Mayur
Highlighted
L4 Transporter

Palo Alto classifies this URL as High Risk.  It could be that Firefox also does some checking of a list of its own, and has determined that it could be an unsafe site.

https://urlfiltering.paloaltonetworks.com/query/

  • Category: High Risk
  • Description: Sites that were previously confirmed to be malicious but have displayed benign activity for at least 30 days. Bulletproof ISP-hosted sites and sites with an IP address from an ASN that is known to allow malicious content. Sites that are associated with confirmed malicious activity (for example, they share the same domain). Unknown sites are considered high risk until PAN-DB completes a site analysis and categorization of the site.
Highlighted
Cyber Elite

Hello,

Are you performing SSL decryption? If yes it could be that the client does not trust the certificate that the PAN is using for the decryption.

 

The alert selection means that the PAN will log the traffic. That is the only difference between Allow and Alert.

 

Just a thought

Highlighted
L2 Linker

Hi OwenFuller,

 

So if Palo classifies the URL as HIgh Risk that could be also blocked, is that right? 

 

I think this could be a browser own check as Mayuer said, however, I would like to know what happens until PAN-DB completes a site analysis and categorization of the site. Is this blocking even though we put the URL under the alert category?

 

I will check today the browser setting and allow URL as trust. 

 

Thanks,

 

Highlighted
L4 Transporter

Well, it could be blocked of you're blocking the High Risk URL category.  However, the point I was trying to make is that if Palo has classified that site as High Risk, it's possible someone else has also classified it as a risky site.  I'm not sure whether Firefox checks any kind of list for site reputations or anything like that (I haven't used Firefox regularly in over a decade), but if it does, it could be deciding to warn you for that reason.  The warning doesn't look like a standard Palo Alto block, but rather a block in Firefox.  You really should look at your firewall logs to confirm whether that site is being blocked or allowed.  Have you checked there for a log entry?

 

It could be a certificate issue, as one of the other comments suggested.  If you're doing SSL decryption, I don't think Firefox honors the Windows trusted CA store.  I think you have to import the cert directly into Firefox itself.  Do you experience the same problem with other browsers?

Highlighted
L4 Transporter

Also, check the URL filtering policy that is attached to your security policy.  What are the actions for the financial-services and high-risk categories?

Highlighted
L2 Linker

Hi All,

 

There was a problem with certificate. They have not changed the certificate when moving the site from staging environment to production. 

 

The action for financial services is allowed.

 

So I can say that even if the Palo classifies the URL as a high risk but allow explicitly it works. 

 

Thanks for your time. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!