Parked domain blocked when traffic not decrypted - Custom URL categories not checked with encrypted traffic


L2 Linker

Hi,

I have an issue while trying to whitelist a parked trusted domain https://centaur-horizon.eu/.

The traffic hits a rule with a URL filtering that has Parked set to Blocked but it also has a Custom URL Category called allow-Baseline as Allow and includes the parked domain.

At first, the exception seemed to work but later we realized that for users excluded from the general decryption policy, the exception does not apply and the website appears blocked.

PA seems not to consider the custom URL categories when analysing encrypted traffic. In the screenshots, you can see that the detected category is different in both cases.

Any idea how to solve this issue while keeping the decryption exception?

Thanks

1 accepted solution

Accepted Solutions

Cyber Elite

Do you also have *.centaur-horizon.eu/ in the custom URL category?

Users are trying to access www.centaur-horizon.eu, not centaur-horizon.eu.

Also, URL Filtering Profile action "Allow" means "permit traffic but don't log under URL filtering log".

Best is to use action "Alert".

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite

@JoseCortijo,

I agree with @Raido_Rattameister that this should be set to alert instead of allow so that the URL is still logged. Unless you truly don't want the firewall to log any URL that isn't blocked, most people would want to see where the traffic is going and would want the URL logged. 

I think the issue that you're running into, if I've read your post properly, is that you're trying to allow the traffic via the same profile that you have parked domains set to blocked. The most defensive action is always going to win; so if centaur-horizon is matching Parked which you have set to Block and the custom category which is set to Alert or Allow, the traffic will be blocked because that's the most restrictive action that it matches.

You'd want to create a rule above the one this traffic is currently hitting that uses a custom URL profile that matches these excluded domains. That will allow the traffic to function properly without having to worry about the fact that it'll match the Parked category. 

Hi @Raido_Rattameister @BPry,

Finally, it worked just by adding both www.centaur-horizon.eu and centaur-horizon.eu, as the first redirects to the second.

As you recommended, I set the custom URL category to Alert to keep track of what is happening.

But I didn't need to create an additional policy rule; a single rule was enough once the www URL was included. Now it works as expected for both encrypted and decrypted traffic.

Thanks for the support.

Cyber Elite

Custom categories have higher priority than pre-defined categories.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
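
The fix reported in this thread (listing both the apex and the www hostname), shown as an added example that is not part of any post and is not vendor code: a small audit that checks which requested hostnames a set of custom category entries actually covers. The wildcard semantics (`*` as one or more labels, `^` as exactly one), the function names and the `SEEN` hostname list are assumptions made for illustration.

```python
# Simplified model (assumption, not vendor code) of hostname-only matching against
# custom URL category entries. For undecrypted TLS the page path is not visible,
# so only the hostname is compared here.
# Assumed wildcard semantics: "*" = one or more labels, "^" = exactly one label.

def _labels(entry):
    """Drop any scheme and path, then split the host part into dot-separated labels."""
    host = entry.lower().split("://")[-1].split("/")[0]
    return host.rstrip(".").split(".")

def _match(pat, host):
    """Match a list of pattern labels against a list of hostname labels."""
    if not pat:
        return not host
    if not host:
        return False
    head, rest = pat[0], pat[1:]
    if head == "*":  # consume one or more labels
        return any(_match(rest, host[i:]) for i in range(1, len(host) + 1))
    if head == "^" or head == host[0]:
        return _match(rest, host[1:])
    return False

def entry_matches(entry, hostname):
    return _match(_labels(entry), _labels(hostname))

def uncovered(entries, hostnames):
    """Hostnames no entry matches; these fall back to the predefined category."""
    return [h for h in hostnames if not any(entry_matches(e, h) for e in entries)]

# Constructed sample: the two hostnames named in the thread.
SEEN = ["www.centaur-horizon.eu", "centaur-horizon.eu"]

if __name__ == "__main__":
    for name, entries in {
        "apex only": ["centaur-horizon.eu/"],
        "wildcard only": ["*.centaur-horizon.eu/"],
        "apex + www": ["centaur-horizon.eu/", "www.centaur-horizon.eu/"],
    }.items():
        print(f"{name:14} -> not covered: {uncovered(entries, SEEN) or 'none'}")
```

Feeding it the hostnames from URL filtering logs for the affected rule shows which exceptions are still missing before users hit the block page.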