URL set to allow Ransomware

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

URL set to allow Ransomware

L3 Networker

Palo Team,

 

Can anyone please explain why Palo would release a Ransomware URL Category and put the default to allow???? 

 

Secondly, its going to be a pain logging into every single client of ours that uses Palo and changing Ransomware URL Category to block. Is there a way to automate it? What would the CLI command be? Any Ideas?

2 accepted solutions

Accepted Solutions

Hi @Schneur_Feldman ,

Because Palo Alto is not responsible for your firewall configuration and doesn't have visibility how, why and where you are using your URL filtering profiles. They give you the tools, it is your decision how to use them.

 

The CLI command would be:

- Locally managed firewall

set profiles url-filtering <profile-name> block ransomware

- Panorama managed firewall

set device-group <device-group-name> profiles url-filtering <profile-name> block ransomware

 

There are couple of ways to automate such change and depending on your environment:

- Export firewall running config; search and edit the XML defining any URL filtering profile; import, load and commit the edited config

- Similar as above but for Panorama config, modifing any URL filtering in all available device-groups

From your comment it seems you support multiple different clients, which probably require different ways to connect and different credetials. So you probably better to consider using the XML API. You may want to check python framework https://github.com/PaloAltoNetworks/pan-os-python which could save you some time (connecting and authenticating to the device).

 

View solution in original post

Cyber Elite
Cyber Elite

@Schneur_Feldman 

Just to expand on why PAN wouldn't just modify your profiles to block for this category, they can't identify what you're using that profile for. If I have devices segmented off into a malware research zone and utilize a subset of my machines for those purposes, I absolutely wouldn't want PAN to modify my profiles to block a newly introduced category for a subset of machines where I would actually want to allow the traffic. 

 

If you're managing multiple clients I'd really recommend looking at the benefits of utilizing Panorama to manage all of them, or better yet managing them directly through the XML configuration file and templating some of the configuration yourself if you can't get approved to purchase Panorama. The API here can also be a major help, but if you're not comfortable with it it's not going to be a quick fix since you'll need to be parsing results and using that information in additional changes. 

View solution in original post

4 REPLIES 4

Hi @Schneur_Feldman ,

Because Palo Alto is not responsible for your firewall configuration and doesn't have visibility how, why and where you are using your URL filtering profiles. They give you the tools, it is your decision how to use them.

 

The CLI command would be:

- Locally managed firewall

set profiles url-filtering <profile-name> block ransomware

- Panorama managed firewall

set device-group <device-group-name> profiles url-filtering <profile-name> block ransomware

 

There are couple of ways to automate such change and depending on your environment:

- Export firewall running config; search and edit the XML defining any URL filtering profile; import, load and commit the edited config

- Similar as above but for Panorama config, modifing any URL filtering in all available device-groups

From your comment it seems you support multiple different clients, which probably require different ways to connect and different credetials. So you probably better to consider using the XML API. You may want to check python framework https://github.com/PaloAltoNetworks/pan-os-python which could save you some time (connecting and authenticating to the device).

 

Cyber Elite
Cyber Elite

@Schneur_Feldman 

Just to expand on why PAN wouldn't just modify your profiles to block for this category, they can't identify what you're using that profile for. If I have devices segmented off into a malware research zone and utilize a subset of my machines for those purposes, I absolutely wouldn't want PAN to modify my profiles to block a newly introduced category for a subset of machines where I would actually want to allow the traffic. 

 

If you're managing multiple clients I'd really recommend looking at the benefits of utilizing Panorama to manage all of them, or better yet managing them directly through the XML configuration file and templating some of the configuration yourself if you can't get approved to purchase Panorama. The API here can also be a major help, but if you're not comfortable with it it's not going to be a quick fix since you'll need to be parsing results and using that information in additional changes. 

L3 Networker

Sweet! Thanks team!

L6 Presenter

Also of note. The new "ransomware" category is blocked in the "default" URL Filtering category. But as @aleksandar.astardzhiev and @BPry say, it is not blocked by default in custom URL Filtering categories because PA doesn't know what you are using custom categories for.

  • 2 accepted solutions
  • 2795 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!