why custom url category action should be none as best practice

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

why custom url category action should be none as best practice

Cyber Elite
Cyber Elite

i read that for best practice if we make custom url category its action should be none for security reasons

need to understand why?

MP

Help the community: Like helpful comments and mark solutions.
1 accepted solution

Accepted Solutions

OK, I listened to it and I see what they are doing. Lets say you make a custom catagory and the URL is xyz.com, and you have it set to 'Alert'. Now lets say that site gets compromised and get recatagorized by PAN as malicious. What she was saying is that it could potentially still be allowed because you set the custom catagory as 'Alert', by having it set to none she is saying it would take the default catagorization of the PAN catagory list:

 

none (custom URL category only)—If you have created custom URL categories, set the action to none to allow the firewall to inherit the URL filtering category assignment from your URL database vendor. Setting the action to none gives you the flexibility to ignore custom categories in a URL filtering profile, while allowing you to use the custom URL category as a match criteria in policy rules (Security, Decryption, and QoS) to make exceptions or to enforce different actions. To delete a custom URL category, you must set the action to none in any profile where the custom category is used. For information on custom URL categories, see Objects > Custom Objects > URL Category.

 

Hope that makes sense.

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

Hello,

Not sure where you read that. I always set 'allowed' catagories to 'Alert'. This way they get logged and its easier to determine what is getting allowed/blocked.

 

Regards,

under this link

 

https://live.paloaltonetworks.com/t5/Learning-Happy-Hour-Articles/Nine-Reasons-to-Use-URL-Filtering-...

 

 

listen to 43rd min video

MP

Help the community: Like helpful comments and mark solutions.

OK, I listened to it and I see what they are doing. Lets say you make a custom catagory and the URL is xyz.com, and you have it set to 'Alert'. Now lets say that site gets compromised and get recatagorized by PAN as malicious. What she was saying is that it could potentially still be allowed because you set the custom catagory as 'Alert', by having it set to none she is saying it would take the default catagorization of the PAN catagory list:

 

none (custom URL category only)—If you have created custom URL categories, set the action to none to allow the firewall to inherit the URL filtering category assignment from your URL database vendor. Setting the action to none gives you the flexibility to ignore custom categories in a URL filtering profile, while allowing you to use the custom URL category as a match criteria in policy rules (Security, Decryption, and QoS) to make exceptions or to enforce different actions. To delete a custom URL category, you must set the action to none in any profile where the custom category is used. For information on custom URL categories, see Objects > Custom Objects > URL Category.

 

Hope that makes sense.

seems this was but tricky

thanks for explaining this to me.

MP

Help the community: Like helpful comments and mark solutions.

L2 Linker

This is good to know, one of our NetAdmins just shared this with me and I was very surprised since I remember in the PAN-EDU course the labs require us setting "alert" as an action under site access to create the firewall logs. Def will watch the video linked to get a deeper grasp. Thank you.

 

Roderick De La Rosa, PCNSA
Information Security Analyst

L2 Linker

Link above is broken for me, for anyone else looking PA has it on their YouTube channel now: Nine Reasons to Use URL Filtering (Episode 2) Learning Happy Hour (youtube.com)

Roderick De La Rosa, PCNSA
Information Security Analyst
  • 1 accepted solution
  • 8174 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!