05-23-2023 04:45 AM
Hi,
I have an issue while trying to whitelist a parked trusted domain https://centaur-horizon.eu/.
The traffic hits a rule with a URL filtering that has Parked set to Blocked but it also has a Custom URL Category called allow-Baseline as Allow and includes the parked domain.
At first, the exception seemed to work but later we realized that for users excluded from the general decryption policy, the exception does not apply and the website appears blocked.
PA seems not to consider the custom URL categories when analysing encrypted traffic. In the screenshots, you can see that the detected category is different in both cases.
Any idea how to solve this issue while keeping the decryption exception?
Thanks
05-23-2023 05:41 AM - edited 05-23-2023 05:43 AM
Do you also have *.centaur-horizon.eu/ in the custom URL category?
Users are trying to access www.centaur-horizon.eu not centaur-horizon.eu
Also URL Filtering Profile action "Allow" means "permit traffic but don't log under URL filtering log".
Best is to use action "Alert"
05-23-2023 07:07 AM
I agree with @Raido_Rattameister that this should be set to alert instead of allow so that the URL is still logged. Unless you truly don't want the firewall to log any URL that isn't blocked, most people would want to see where the traffic is going and would want the URL logged.
I think the issue that you're running into if I've read your post properly is that you're trying to allow the traffic via the same profile that you have parked domains set to blocked. The most defensive action is always going to win; so if centaur-horizon is matching Parked which you have set to Block and the custom category which is set to Alert or Allow, the traffic will be blocked because that's the most restrictive action that it matches.
You'd want to create a rule above the one this traffic is currently hitting that uses a custom URL profile that matches these excluded domains. That will allow the traffic to function properly without having to worry about the fact that it'll match the Parked category.
05-26-2023 09:56 AM
Finally, it worked just by adding both www.centaur-horizon.eu and centaur-horizon.eu, as the first redirects to the second.
As you recommended, I set the custom URL category to Alert to keep track of what is happening.
But I didn't need to create an additional policy rule; a single rule was enough once the www URL was included. Now it works as expected for both encrypted and decrypted traffic.
Thanks for the support.
05-26-2023 10:09 AM
Custom categories have higher priority than pre-defined categories.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC
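The fix reported in this thread (listing both the apex and the www hostname) can be checked before a policy change with a small script. This is an added example, not part of the original posts and not PAN-OS code: `entry_matches` and `uncovered_hosts` are hypothetical helpers using a simplified, assumed matching model (a plain entry matches only that hostname, `*.domain` matches subdomains but not the apex), and the requested URLs are constructed sample data.

```python
# Added example: simplified model of custom URL category host matching.
# It is NOT the firewall's matching engine; the semantics below are assumptions.
from urllib.parse import urlsplit


def entry_matches(entry: str, host: str) -> bool:
    """Assumed semantics for host-only entries:
    - 'example.com/' matches the hostname example.com only
    - '*.example.com/' matches any subdomain, but not example.com itself
    """
    entry = entry.lower().rstrip("/")
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        # entry[1:] keeps the leading dot, so the apex never matches
        return host.endswith(entry[1:])
    return host == entry


def uncovered_hosts(entries, urls):
    """Return requested hostnames that no entry covers, in first-seen order."""
    missing = []
    for url in urls:
        # Accept both full URLs and bare hostnames
        host = urlsplit(url if "://" in url else "//" + url).hostname
        if not host or host in missing:
            continue
        if not any(entry_matches(e, host) for e in entries):
            missing.append(host)
    return missing


# Constructed sample: the two hostnames a client touches when the www
# name redirects to the apex, as described in the thread.
REQUESTED = [
    "https://www.centaur-horizon.eu/",
    "https://centaur-horizon.eu/",
]

if __name__ == "__main__":
    candidates = {
        "apex only": ["centaur-horizon.eu/"],
        "apex + www": ["centaur-horizon.eu/", "www.centaur-horizon.eu/"],
        "wildcard only": ["*.centaur-horizon.eu/"],
    }
    for label, entries in candidates.items():
        gaps = uncovered_hosts(entries, REQUESTED)
        print(f"{label}: {gaps if gaps else 'all requested hosts covered'}")
```

Feeding it the hostnames seen in the URL filtering log (which the Alert action keeps populated) shows which names still fall through to the pre-defined category.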