01-29-2019 07:26 AM
Hello all,
We are preparing a firewall in which the first security rule has to be :
Source and Destination: ANY
From TRUST Zone to INTERNET Zone.
Application and Service: Any
And then there is a URL Filtering profile attached to the rule.
So will this rule match all the traffic coming from TRUST Zone to INTERNET Zone. Or when URL Filtering profile is there, then only HTTP /HTTPS traffic is matched ???
BR,
RJ
01-30-2019 04:38 PM
Hi @rjdahav163
It is how @Brandon_Wertz already wrote. Such a policy will allow everything and not only web-browsing connections where URL filtering can be applied.
The firewall will process the traffic until an application is identified and at that point the firewall already checks if a security profile (including URL filtering profile) is specified. If yes, the firewall prepares the content processor for this session. Then - as you have specified a security profile - the content processor will do a protocol decoding/parsing and content matching but as URL filtering is only applicable to http and TLS sessions everything else will be simply allowed as there is nothing to apply the security profile action.
The full packet processing you can see here: http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309 and a description with a lot more details is here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
So it depends on your specific use case but in general I do not recommend such a policy.
Regards,
Remo
01-29-2019 07:35 AM
@rjdahav163 wrote:
Hello all,
We are preparing a firewall in which the first security rule has to be :
Source and Destination: ANY
From TRUST Zone to INTERNET Zone.
Application and Service: Any
And then there is a URL Filtering profile attached to the rule.
So will this rule match all the traffic coming from TRUST Zone to INTERNET Zone. Or when URL Filtering profile is there, then only HTTP /HTTPS traffic is matched ???
BR,
RJ
This will allow ALL traffic out to the Internet over ANY port/protocol AND will also apply URL filtering. (It's going to be an either or. Either condition will be matched where applicable) (I'm 98% certain on this)
If you're wanting to restrict traffic to "web based" traffic you're either going to want to add a "service" or application restriction to your policy.
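The two rules below, in PAN-OS `set` CLI syntax, contrast the open rule discussed in this thread with a narrowed version that only matches web traffic. This is an added example, not configuration from any of the posts; the zone names TRUST and INTERNET come from the thread, while the rule names, the profile name `URL-Standard` and the `#` annotation lines are assumptions for illustration.

```text
# Rule as described in the thread: matches every session from TRUST to INTERNET.
# Attaching a URL filtering profile does not narrow the match; the profile is
# only enforced on sessions identified as web-browsing or ssl (HTTP/TLS).
set rulebase security rules Open-Outbound from TRUST
set rulebase security rules Open-Outbound to INTERNET
set rulebase security rules Open-Outbound source any
set rulebase security rules Open-Outbound destination any
set rulebase security rules Open-Outbound source-user any
set rulebase security rules Open-Outbound application any
set rulebase security rules Open-Outbound service any
set rulebase security rules Open-Outbound action allow
set rulebase security rules Open-Outbound profile-setting profiles url-filtering URL-Standard

# Narrowed rule: only web applications on their default ports match, so an
# SSH session from TRUST to INTERNET does not hit this rule at all.
set rulebase security rules Web-Outbound from TRUST
set rulebase security rules Web-Outbound to INTERNET
set rulebase security rules Web-Outbound source any
set rulebase security rules Web-Outbound destination any
set rulebase security rules Web-Outbound source-user any
set rulebase security rules Web-Outbound application [ web-browsing ssl ]
set rulebase security rules Web-Outbound service application-default
set rulebase security rules Web-Outbound action allow
set rulebase security rules Web-Outbound profile-setting profiles url-filtering URL-Standard

# Explicit logged deny below the web rule, so non-web sessions show up in the
# traffic log instead of silently hitting the default interzone deny.
set rulebase security rules Deny-Other-Outbound from TRUST
set rulebase security rules Deny-Other-Outbound to INTERNET
set rulebase security rules Deny-Other-Outbound source any
set rulebase security rules Deny-Other-Outbound destination any
set rulebase security rules Deny-Other-Outbound application any
set rulebase security rules Deny-Other-Outbound service any
set rulebase security rules Deny-Other-Outbound action deny
set rulebase security rules Deny-Other-Outbound log-end yes
```

With the first rule in place, every session from TRUST to INTERNET is allowed and nothing below it is ever evaluated; with the second and third in its place, only HTTP/TLS sessions are allowed and URL filtered, and everything else is denied and logged.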
01-30-2019 01:04 AM
Ok. But then it means that if I initiate, let's say, an SSH session to the internet, URL Filtering will be applied to that too?
Thanks
01-30-2019 04:56 AM - edited 01-30-2019 04:57 AM
@rjdahav163 wrote:
Ok. But then it means that if I initiate, let's say, an SSH session to the internet, URL Filtering will be applied to that too?
Thanks
No...Since SSH isn't "web-browsing" web-filtering policy will not be applied and SSH (22/tcp) to anything on the Internet will be allowed.
Again, it's my understanding it's an either/or scenario, but I'd confirm this with TAC as I've never built such an open policy and don't know the true implication.
01-31-2019 07:25 PM - edited 01-31-2019 07:27 PM
@Brandon_Wertz, when you say either/or, can you clarify? Do you mean either the "src ip/dst ip and application" or the "src ip/dst ip/application AND url category" (if it's a web based application)?
02-01-2019 11:29 AM - edited 02-04-2019 05:50 AM
@Sec101 wrote:
@Brandon_Wertz, when you say either/or, can you clarify? Do you mean either the "src ip/dst ip and application" or the "src ip/dst ip/application AND url category" (if it's a web based application)?
Either / Or -- meaning the policy will allow web content filtering (WCF) OR non-WCF type traffic depending on how the traffic traverses the firewall.
It seems like you were trying to create a WCF rule thinking since you "applied" a URL profile that's all the FW would do, but that's not the case. Since you didn't specify an application type or a UDP/TCP port the firewall will allow pretty much anything via that rule.
02-01-2019 11:51 AM
Brandon - I believe you're 100% correct in stating it is either/or.
What is considered WCF traffic? - Application based SSL/Web-browsing, or is it based upon "technology" or port?
02-01-2019 12:43 PM
WCF = Web content filtering --> traffic where URL filtering profiles can be applied