Adding filter "?v=panosurl" broken access to all websites

A custom URL category is configured to block phishing URLs collected from a Linux MineMeld server through an EDL. For some reason, adding the filter "?v=panosurl" (https://10.9.0.60/feeds/phishing-url?v=panosurl) to retrieve the URLs in the PAN-OS supported format (malware.com) creates an issue: all websites are categorized as phishing and blocked. Using it without the filter (https://10.9.0.60/feeds/phishing-url) doesn't work because the URLs are retrieved in the format (http://malware.com).

 

Found this LIVEcommunity post for a similar issue: https://live.paloaltonetworks.com/t5/General-Topics/Adding-v-panosurl-to-MineMeld-EDL-brought-down-o...

 

What is the solution for this?


Luigi,

 

 

PANOS release 8.1.4.

 

set device-group ACME external-list edl-phishing-sites type url recurring hourly
set device-group ACME external-list edl-phishing-sites type url certificate-profile minemeld_cert_profile
set device-group ACME external-list edl-phishing-sites type url url https://10.X.X.X/feeds/phishing-url

 

Issue can be replicated by changing the last line:

 

set device-group ACME external-list edl-phishing-sites type url recurring hourly
set device-group ACME external-list edl-phishing-sites type url certificate-profile minemeld_cert_profile
set device-group ACME external-list edl-phishing-sites type url url https://10.X.X.X/feeds/phishing-url?v=panosurl

 

Then most/any URL categories will be defined as edl-phishing-sites. I saw google.com, bing.com, yahoo.com being classified as such.

 

Here's the URL filtering profile, which includes the edl:

 

set device-group ACME profiles url-filtering ACME-PAN-URL-Policy credential-enforcement block [ abortion abused-drugs adult alcohol-and-tobacco auctions command-and-control copyright-infringement dynamic-dns extremism gambling games hacking home-and-garden hunting-and-fishing internet-communications-and-telephony malware nudity parked peer-to-peer phishing proxy-avoidance-and-anonymizers questionable weapons web-advertisements edl-phishing-sites shortened-urls ]

 

Here's a policy we were using specifically to block the matching category:

 

craigomatic@PNRM01# show | match openphish-alert
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert target negate no
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert to untrust
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert from [  trust ]
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert source any
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert destination any
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert source-user any
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert category edl-phishing-sites
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert application [ ssl web-browsing ]
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert service application-default
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert hip-profiles any
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert action drop
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert log-setting lf-pnrm-siem
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert disabled no
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert tag

Let me know if you need more info. I was able to reproduce this on my lab PA-220. I can ship you that config if that would be helpful.

 

Luigi,

 

Just tried in 8.1.5 and was unable to reproduce the error in my testing environment. I will roll out to production cautiously and will update ...

Hi @craigomatic,

Thanks, please let me know the outcome of your tests.

Hi @lmori 

 

Were you able to solve this issue? It is definitely an issue in MineMeld. After adding this parameter, for some reason "*.com" was on the output ...


Currently the reason for this issue is a bug in MineMeld that handles special entries the wrong way. I wrote a more detailed description here: https://live.paloaltonetworks.com/t5/General-Topics/Adding-v-panosurl-to-MineMeld-EDL-brought-down-o...

Hi @Remo,

We improved the behavior of v=panosurl in MineMeld in 0.9.62:

- URLs with ports (http(s)://fqdn:port) are now dropped by default. To keep the URL and strip the port, you should add the sp=1 parameter to the URL (https://<minemeld>/feeds/<feed>?v=panosurl&sp=1)

- Invalid URLs like *abc.example.com are dropped if the di=1 parameter is specified (https://<minemeld>/feeds/<feed>?v=panosurl&di=1). Otherwise they are rewritten to *.example.com

- If a rewritten URL (with the di option not enabled) looks like *.com or *.*.com, it is dropped

For blacklists I would suggest enabling the di option.
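To make the rules in the reply above concrete, here is an added example that re-implements them as described: it is not MineMeld's own code, and the feed lines it processes are constructed sample data, not entries from the thread. `strip_port` stands in for `sp=1` and `drop_invalid` for `di=1`; the catch-all check is applied to every entry rather than only to rewritten ones, and "catch-all" is taken to mean a wildcard host with fewer than two literal labels (both are assumptions going slightly beyond the reply). The `find_catch_all` helper is the check a firewall admin can run against the fetched EDL before committing it into a block action, which is how the original "*.com" entry would have been caught.

```python
"""Added example: the v=panosurl output rules of MineMeld 0.9.62 as described
in the reply above, re-implemented for illustration. Not MineMeld's code."""
import re
from urllib.parse import urlsplit

# Constructed sample feed in the raw (non-panosurl) form: full URLs, one per
# line. Not data from the original thread.
SAMPLE_FEED = [
    "http://malware.com",
    "https://login-update.example.net/secure/index.php?id=7",
    "http://10.0.0.5:8080/phish.html",   # carries a port
    "http://*abc.example.com/login",     # invalid wildcard label
    "http://*abc.com",                   # would collapse to *.com
    "*.evil.example.org",                # already scheme-less
]

_PORT_RE = re.compile(r"^(.*):(\d+)$")


def _split_host_port(netloc):
    """Return (host, port-or-None). Userinfo is discarded; IPv6 literals are
    not handled (assumption: the feed carries hostnames or IPv4)."""
    host = netloc.rsplit("@", 1)[-1]
    m = _PORT_RE.match(host)
    if m:
        return m.group(1), int(m.group(2))
    return host, None


def _is_catch_all(host):
    """True for a wildcard host with fewer than two literal labels, i.e. one
    that reads like *.com or *.*.com and would match an entire TLD."""
    labels = host.split(".")
    wild = sum(1 for lab in labels if "*" in lab)
    return wild > 0 and len(labels) - wild < 2


def to_panos_url(indicator, strip_port=False, drop_invalid=False):
    """Convert one feed line to PAN-OS EDL form, or return None to drop it.
    strip_port mirrors sp=1, drop_invalid mirrors di=1."""
    ind = indicator.strip()
    if not ind or ind.startswith("#"):
        return None
    # urlsplit only finds the netloc when a scheme is present; add one for
    # bare "host/path" entries so they parse the same way
    parts = urlsplit(ind if "://" in ind else "http://" + ind)
    host, port = _split_host_port(parts.netloc)
    if port is not None and not strip_port:
        return None                       # default: URLs with ports are dropped
    labels = host.lower().split(".")
    if any("*" in lab and lab != "*" for lab in labels):
        if drop_invalid:
            return None                   # di=1: invalid wildcard is dropped
        labels = ["*" if "*" in lab else lab for lab in labels]  # *abc. -> *.
    host = ".".join(labels)
    if _is_catch_all(host):
        return None                       # never emit *.com / *.*.com
    entry = host + parts.path
    if parts.query:
        entry += "?" + parts.query
    return entry


def convert_feed(lines, strip_port=False, drop_invalid=False):
    """Apply to_panos_url to every feed line and keep the survivors, in order."""
    out = []
    for line in lines:
        entry = to_panos_url(line, strip_port, drop_invalid)
        if entry is not None:
            out.append(entry)
    return out


def find_catch_all(entries):
    """Pre-commit check on an already fetched EDL: return the entries whose
    host part is a wildcard with fewer than two literal labels. Run it over
    what the firewall will actually retrieve before tying the list to a
    block action."""
    flagged = []
    for e in entries:
        host = e.split("/", 1)[0].split("?", 1)[0]
        if _is_catch_all(host):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for entry in convert_feed(SAMPLE_FEED):
        print(entry)
    print("with sp=1:", convert_feed(SAMPLE_FEED, strip_port=True))
    print("with di=1:", convert_feed(SAMPLE_FEED, drop_invalid=True))
```

With the defaults, the port entry and the one that collapses to `*.com` disappear from the output while `*abc.example.com/login` is rewritten to `*.example.com/login`; with `drop_invalid=True` that rewritten entry is dropped as well, which is the behaviour suggested above for blacklists.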

 

Thanks Luigi, I'll test in the lab. Appreciate the feedback!
