This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Best Practice for URL policy question

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Best Practice for URL policy question

Josh_Morris
L0 Member

‎08-02-2022 10:47 AM

So the scenario is we have an app on a server which needs to access several URLs. My colleague setup a custom URL Category and applied it to the policy, but the problem is this isn't working. From my reading on URL Categories, this applies to web-browsing traffic, not URLs themselves as destinations. Meaning if traffic is deemed to be something else other than web-browsing, but still reaches the same URL on port 443, it won't apply the URL category. 

 

So user > web browser > URL would trigger this.

But service > application > URL would not.

 

The only other way I know how to allow this is by creating a FQDN object for the domain of the resource and allowing that in a policy for the destination, but that opens up way more than the specific resource we want to allow.

 

What is the best way to restrict application traffic to a URL if we cannot use URL Categories? 

0 Likes Likes
1 REPLY 1

dmifsud
L3 Networker

‎08-06-2022 12:04 PM

Hello,

 

@Josh_Morris wrote:

but still reaches the same URL on port 443, it won't apply the URL category. 

Usually port 443 is used for TLS applications, in which case it should be possible to use with a URL category. We use the SNI in the Client Hello and can also use the certificate CN to determine URL's if the traffic is not decrypted. If the traffic is not decrypted, you can only match custom URL's based on the actual domain and not the full URI path.

 

If it's completely a non web application, let's say RADIUS for example, then no you can't match with a custom category since it's just IP to IP traffic without a URL. In that case I don't see how an FQDN would allow more access than you want. It will allow access to a specific IP, and you can further lock down the rule through the use of applications and services.

 

- DM

Sr. Technical Support Engineer, Strata
0 Likes Likes
  • 1219 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks