URL Filtering with Any Any


Hello all,

 

We are preparing a firewall in which the first security rule has to be :

Source and Destination: ANY

From TRUST Zone to INTERNET Zone. 

Application and Service: Any

And then there is a URL Filtering profile attached to the rule.

 

So will this rule match all the traffic coming from the TRUST Zone to the INTERNET Zone? Or, when a URL Filtering profile is attached, is only HTTP/HTTPS traffic matched?

 

BR,

RJ



@rjdahav163 wrote: (quoting the original question above)

This will allow ALL traffic out to the Internet over ANY port/protocol AND will also apply URL filtering. (It's going to be an either/or: either condition will be matched where applicable.) (I'm 98% certain on this.)

 

If you're wanting to restrict traffic to "web based" traffic, you're going to want to add either a "service" or an application restriction to your policy.

@Brandon_Wertz @BPry

 

Ok. But then it means that if I initiate, let's say, an SSH session to the internet, URL Filtering will be applied to that too?

 

Thanks


@rjdahav163 wrote: (quoting the follow-up question above)
 

No. Since SSH isn't "web-browsing", the web-filtering policy will not be applied, and SSH (22/tcp) to anything on the Internet will be allowed.

 

Again, it's my understanding that it's an either/or scenario, but I'd confirm this with TAC, as I've never built such an open policy and don't know the true implications.

(Accepted solution)

Hi @rjdahav163

 

It is as @Brandon_Wertz already wrote. Such a policy will allow everything, not only web-browsing connections where URL filtering can be applied.

The firewall will process the traffic until an application is identified, and at that point the firewall already checks whether a security profile (including a URL filtering profile) is specified. If yes, the firewall prepares the content processor for this session. Then, as you have specified a security profile, the content processor will do protocol decoding/parsing and content matching, but as URL filtering is only applicable to HTTP and TLS sessions, everything else will simply be allowed, as there is nothing to which the security profile action can be applied.

The full packet processing you can see here: http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309 and a description with a lot more details is here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

 

So it depends on your specific use case, but in general I do not recommend such a policy.

 

Regards,

Remo
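The two-stage behaviour Remo describes (the security rule decides whether the session is allowed; the attached URL Filtering profile can then only act on web-browsing or TLS sessions) is easy to misread, so here is a small model of it as an added example. This is not code from the original thread or from Palo Alto Networks: the rule fields, the App-ID names, the application-default port table and the URL category table are all constructed assumptions chosen to mirror the thread's scenario, and the model deliberately omits everything else PAN-OS does (App-ID heuristics, decryption, other profile types). It evaluates the same set of constructed sessions against the any/any rule from the question and against a restricted rule of the kind Brandon suggests.

```python
"""Toy model of rule matching vs. URL-profile applicability (added example).

Assumptions (not from the original post or from PAN-OS itself):
  - a URL Filtering profile can only act on the "web-browsing" and "ssl" apps;
  - "application-default" service is modelled with a small, constructed port table;
  - URL categories come from a constructed hostname -> category table.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: App-IDs on which a URL Filtering profile can take an action.
URL_FILTERABLE_APPS = {"web-browsing", "ssl"}

# Constructed subset of "application-default" ports per App-ID.
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}, "dns": {53}}

# Constructed URL-category lookup (stands in for the cloud category service).
URL_CATEGORIES = {"www.example.com": "computer-and-internet-info",
                  "bet.example": "gambling"}


@dataclass
class Session:
    from_zone: str
    to_zone: str
    app: str                  # application as identified by App-ID
    dport: int
    host: Optional[str] = None  # HTTP Host / TLS SNI for web traffic, else None


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    applications: frozenset   # {"any"} or a set of App-IDs
    service: str              # "any" or "application-default"
    action: str               # "allow" or "deny"
    url_profile: Optional[Dict[str, str]] = None  # category -> action, "*" = default


def rule_matches(rule: Rule, s: Session) -> bool:
    """Stage 1: does the security rule match this session at all?"""
    if rule.from_zone not in ("any", s.from_zone) or rule.to_zone not in ("any", s.to_zone):
        return False
    if "any" not in rule.applications and s.app not in rule.applications:
        return False
    if rule.service == "application-default":
        return s.dport in APP_DEFAULT_PORTS.get(s.app, set())
    return True  # service "any": any port is fine


def apply_url_profile(rule: Rule, s: Session) -> str:
    """Stage 2: the profile only has something to act on for web/TLS sessions."""
    if rule.url_profile is None:
        return "allow"
    if s.app not in URL_FILTERABLE_APPS:
        return "allow (URL profile not applicable)"
    category = URL_CATEGORIES.get(s.host or "", "unknown")
    action = rule.url_profile.get(category, rule.url_profile.get("*", "allow"))
    return f"{action} (URL category {category})"


def evaluate(rulebase: List[Rule], s: Session) -> Tuple[str, str]:
    """First-match evaluation; unmatched interzone traffic hits the default deny."""
    for rule in rulebase:
        if rule_matches(rule, s):
            if rule.action != "allow":
                return rule.name, rule.action
            return rule.name, apply_url_profile(rule, s)
    return "interzone-default", "deny"


URL_PROFILE = {"gambling": "block", "*": "allow"}

# The rule from the question: any application, any service, URL profile attached.
ANY_ANY = [Rule("Trust-to-Internet", "TRUST", "INTERNET",
                frozenset({"any"}), "any", "allow", URL_PROFILE)]

# A restricted rule of the kind suggested in the thread.
RESTRICTED = [Rule("Web-Out", "TRUST", "INTERNET",
                   frozenset({"web-browsing", "ssl"}), "application-default",
                   "allow", URL_PROFILE)]

# Constructed sample sessions.
SESSIONS = {
    "ssh-out":       Session("TRUST", "INTERNET", "ssh", 22),
    "web-ok":        Session("TRUST", "INTERNET", "web-browsing", 80, "www.example.com"),
    "web-gambling":  Session("TRUST", "INTERNET", "web-browsing", 80, "bet.example"),
    "tls-gambling":  Session("TRUST", "INTERNET", "ssl", 443, "bet.example"),
    "web-odd-port":  Session("TRUST", "INTERNET", "web-browsing", 8888, "www.example.com"),
}


def run(rulebase: List[Rule]) -> Dict[str, Tuple[str, str]]:
    return {label: evaluate(rulebase, s) for label, s in SESSIONS.items()}


if __name__ == "__main__":
    for title, rb in (("any/any + URL profile", ANY_ANY), ("restricted rule", RESTRICTED)):
        print(f"== {title} ==")
        for label, (rule, verdict) in run(rb).items():
            print(f"  {label:13s} -> {rule}: {verdict}")
```

With the any/any rule, the SSH session is allowed by the rule and the profile has nothing to act on; only the two sessions to the gambling host are blocked. With the restricted rule, the SSH session and the web-browsing session on a non-standard port never match a rule and fall to the interzone default deny, which is the behaviour the original poster seems to have expected from the profile alone.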

@Brandon_Wertz, when you say either/or, can you clarify? Do you mean either "src ip/dst ip and application" OR "src ip/dst ip/application AND url category" (if it's a web-based application)?


@Sec101 wrote: (quoting the question above)
 

 

Either/or, meaning the policy will allow web content filtering (WCF) OR non-WCF type traffic, depending on how the traffic traverses the firewall.

 

It seems like you were trying to create a WCF rule, thinking that since you "applied" a URL profile that's all the FW would do, but that's not the case. Since you didn't specify an application type or a UDP/TCP port, the firewall will allow pretty much anything via that rule.

Brandon, I believe you're 100% correct in stating it is either/or.

What is considered WCF traffic?  - Application based SSL/Web-browsing, or is it based upon "technology" or port? 

WCF = Web content filtering --> traffic where URL filtering profiles can be applied
