03-06-2017 12:21 AM
We want to block YouTube streaming via Palo Alto. We created the Custom URL Category "testing" and entered the site "*.youtube.com" (with quotation marks). We selected the testing category in the Decryption profile with Action "Decrypt" and Type SSL Forwarding. We created the security policy src:any, destination:any and deny youtube-base. But we can still view streaming on Chrome and Firefox. We don't have a URL Filtering license.
03-06-2017 02:41 AM
you don't need to use quotes in custom URL categories, simply set
*.youtube.com
*.youtube.com/*
03-06-2017 02:45 AM - edited 03-06-2017 02:48 AM
hold on
you mention that in your security policy you set youtube-base but you do not mention you added a url-filtering profile
can you confirm you created a url filtering security profile and added it to your security policy ?
does your policy look like this?
it might be better if you split up your policy to have a block rule for youtube-base and then a web-browsing policy that blocks your custom url profile, in case
03-06-2017 05:30 AM
Reaper, if they don't have a URL filtering license will applying a URL profile even work?
03-06-2017 05:37 AM
Hi,
It will on custom URL categories.
Cheers,
-Kiwi
03-06-2017 07:55 AM
if I'm not mistaken, if you already have a URL database (say, had a subscription but let it lapse), you can still process rules against it, you just won't get updates.
not applicable here, but just pointing out I believe the only thing the URL license does for you is updates.
03-06-2017 08:30 AM
Good point! Also looking for the confirmation on this :-0
03-06-2017 12:50 PM
It will work, but you will get a warning for each rule using the URL profile every time you commit. It gets annoying pretty fast.
Benjamin
03-06-2017 02:36 PM
what's a warning? I hardly ever read failure messages.
03-07-2017 12:16 AM
@bradk14 wrote:
if I'm not mistaken, if you already have a URL database (say, had a subscription but let it lapse), you can still process rules against it, you just won't get updates.
not applicable here, but just pointing out I believe the only thing the URL license does for you is updates.
depends slightly on which database you're using:
brightcloud has a downloaded database with the top 2mil most popular websites. once the license expires that list will remain usable but there will be no updates, so miscategorization because a site changes its behavior will start stacking up. once the license is expired dynamic cloud lookups will also stop working
PAN-DB builds a cache from cloud lookups. once the license expires cloud lookups will no longer work and your cache will quickly deprecate
for custom URL categories you don't need a license
03-07-2017 05:53 AM - edited 03-07-2017 05:53 AM
You missed the /s right...right!?
I've had co-workers in the past that won't read error messages and will make me jump on the system to figure out why it's 'just not working', even when the error message is telling them exactly why. Makes my eye twitch reading something like that 😉
03-07-2017 06:24 AM
@BPry I was trying real hard to ignore that one comment 😛 *twitch*
03-07-2017 06:37 AM - edited 03-07-2017 06:38 AM
@reaper thanks for clarification on the database
@BPry half truth on my part. I know where you're coming from, that's called job security for me. nobody reads error messages or how to use google if they do. but truth is that in my environment, there's never a commit without warnings (of course if you don't address them, they won't go away), so that I have warning fatigue. On the rare occasion there's a failure, it usually takes me 2 or 3 commits to even notice. but when I do notice them, I do read them. promise.