Why does URL Filtering Profile with a custom URL Category assigned require the same custom URL category assigned in a security rule to work?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Why does URL Filtering Profile with a custom URL Category assigned require the same custom URL category assigned in a security rule to work?

L2 Linker

 

Hi all,

 

Pardon me for the lengthy title.

 

Here is the layout of what I am working with:

😅

  • I am currently running PAN-3020 on PAN-OS 9.0.13
  • I do not have a URL filtering licence 
  • I do not yet do decryption (long story).
  • Security rules are any/any for testing this.  

 

I have been tinkering with custom URL categories and filtering profiles. I have got what I intended to work.

 

However, I am confused by the behaviour of the firewall and further lost amongst content all over the internet, especially when it comes to URL filtering without a licence. Was hoping someone could help clarify it out for me?

 

===========
Scenario 1

Security policy rule A:

  • Rule with an action of allow
  • URL filtering profile assigned which also allows a good custom URL category

Security policy rule B:

  • Rule with an action of allow
  • URL filtering profile assigned which blocks a bad custom URL category

 

No traffic will match security policy rules A or B. The only time traffic match either of these two rules is when I specify a URL category under the Service/URL Category tab for security policy rule A.

 

Scenario 2

Security policy rule A:

  • Rule with an action of allow
  • Custom URL category assigned to "services/URL Category" tab (found within the security policy rule),
  • URL filtering profile assigned that allows a good custom URL cateogry

Security policy rule B =

  • Rule with an action of allow
  • Assigned URL filtering profile that blocks a bad custom URL category

URL traffic not matching any URLs specified rule A is now blocked.

===========

 

What I can't get my head around is why isn't it enough to simply use a security rule and a relative filtering profile that references the good custom URL category?
Why when I don't specify the URL category, no traffic matches even though the filtering profile is there?


Apologies for my ignorance. 

 

Martins

1 REPLY 1

Cyber Elite
Cyber Elite

Url categories in the services tab behave somewhat like an FQDN object, while urls added in the url filtering profile are only applied at layer7

 

the former causing an "traffic log" (l4) allow or drop, with the latter causing a response page with a traffic allow for both drop and allow

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 3018 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!