Best Practice for URL policy question

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Best Practice for URL policy question

L0 Member

So the scenario is we have an app on a server which needs to access several URLs. My colleague setup a custom URL Category and applied it to the policy, but the problem is this isn't working. From my reading on URL Categories, this applies to web-browsing traffic, not URLs themselves as destinations. Meaning if traffic is deemed to be something else other than web-browsing, but still reaches the same URL on port 443, it won't apply the URL category. 

 

So user > web browser > URL would trigger this.

But service > application > URL would not.

 

The only other way I know how to allow this is by creating a FQDN object for the domain of the resource and allowing that in a policy for the destination, but that opens up way more than the specific resource we want to allow.

 

What is the best way to restrict application traffic to a URL if we cannot use URL Categories? 

1 REPLY 1

L3 Networker

Hello,

 


@Josh_Morris wrote:

but still reaches the same URL on port 443, it won't apply the URL category. 


Usually port 443 is used for TLS applications, in which case it should be possible to use with a URL category. We use the SNI in the Client Hello and can also use the certificate CN to determine URL's if the traffic is not decrypted. If the traffic is not decrypted, you can only match custom URL's based on the actual domain and not the full URI path.

 

If it's completely a non web application, let's say RADIUS for example, then no you can't match with a custom category since it's just IP to IP traffic without a URL. In that case I don't see how an FQDN would allow more access than you want. It will allow access to a specific IP, and you can further lock down the rule through the use of applications and services.

 

- DM

Sr. Technical Support Engineer, Strata
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!