EDL and Custom URL

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

EDL and Custom URL

L2 Linker

Hi There, 

 

Problem Statement : We have custom URL lists(To allow Azure Endpoints only), also we have EDL(With Minemeld) integrated. 

As per our Infosec Policy we should not use Minemeld feed for Microsoft as it has some of many wildcard. So desperately creating custom URL for each MSFT end points(viz Defender, AAD heath etc,,) 

But some of URL is not working. I couldn't fetch the exact URL which is getting blocked(its default implementation PAN that, unlisted URLs will not show in URL filtering tab...? but in the Traffic Tab I am seeing very peculiar;

For example: As per below screen shot, Why session is starting the Rule which i configured and fall back to Deny (reset-both with "default deny") category showing EDL-Azure-URL(In fact we have not configured "EDL-Azure-URLs" in the policy. 

 

Ramakrishnan_0-1656531514731.png

Ramakrishnan_1-1656531743034.png

Ramakrishnan_2-1656531871704.png

 

1 REPLY 1

Cyber Elite
Cyber Elite

Hi @Ramakrishnan ,

 

For the policies if traffic log at session START is enabled, there are chances that the logs will show matching incorrect policy. This is because, when request reaches the firewall interface, the first matching policy in the set will be matched to allow traffic and create session but still at backend, firewall is checking for matching the security profile configurations. So the logs at session END will show the correct rules once all the checks are done by the firewall. Kindly refer this article for more details.

 

 

Coming to your 2nd query that you are not able to see logs under URL filtering tabs. To view the logs, you need to make sure that URL category action is set to alert to log the URL filtering logs.

 

Hope it helps!

M
  • 1464 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!