PBF based on URL Filtering/Application


L0 Member

Hi everyone,

We have a PBF rule allowing all internal users to the internet via our ISP1.

And I want to create another PBF rule on top of the above PBF rule to allow Instagram application traffic towards ISP2.

I looked through the KB below, but it is not doable:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clq1CAC

So I want to check if anyone has another alternative for this. Please advise!


Cyber Elite

The routing decision needs to be made based on the first packet in the session.

As the first packet in a session is a SYN, which doesn't include a URL, you cannot configure PBF based on URLs.

You could create an FQDN address object for instagram.com (and any other domains related to Instagram) and set up PBF by placing those FQDNs into the destination IP field.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Are we able to create a wildcard domain for Instagram? Or do we really need to create all the domains related to Instagram?

Cyber Elite

You can't use a wildcard, as Palo needs to resolve those domains to IP addresses, so taking this route you need to add every domain.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
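
The two replies above (the routing decision is made on the SYN, and FQDN objects must resolve to concrete addresses) can be seen in a simplified model. This is an added example, not part of the original thread and not PAN-OS code; the DNS table, the addresses (documentation ranges), the rule names and the hostname `media.instagram.example` are constructed assumptions.

```python
import ipaddress

# Constructed DNS view standing in for the firewall's FQDN refresh.
# Only instagram.com comes from the thread; the second name is hypothetical.
DNS = {
    "instagram.com": ["192.0.2.10", "192.0.2.11"],
    "media.instagram.example": ["198.51.100.20"],
}

def resolve_fqdn_objects(fqdns, dns=DNS):
    """Expand FQDN address objects into the IP set a PBF rule matches on."""
    ips = set()
    for name in fqdns:
        if "*" in name:
            # A wildcard names no single host, so there is nothing to resolve.
            raise ValueError(f"{name}: wildcard cannot be resolved to addresses")
        ips.update(ipaddress.ip_address(a) for a in dns.get(name, []))
    return ips

def build_rules(instagram_fqdns):
    """Specific rule on top, catch-all ISP1 rule below it."""
    return [
        {"name": "instagram-to-isp2",
         "dst": resolve_fqdn_objects(instagram_fqdns), "egress": "ISP2"},
        {"name": "internet-to-isp1", "dst": None, "egress": "ISP1"},
    ]

def pbf_lookup(syn, rules):
    """Choose the egress for a SYN: only L3/L4 fields exist at this point,
    so no URL or application is available to match on."""
    dst = ipaddress.ip_address(syn["dst_ip"])
    for rule in rules:  # evaluated top-down, first match wins
        if rule["dst"] is None or dst in rule["dst"]:
            return rule["egress"]
    return "routing-table"

if __name__ == "__main__":
    rules = build_rules(["instagram.com"])
    for dst in ("192.0.2.10", "198.51.100.20", "203.0.113.5"):
        print(dst, "->", pbf_lookup({"dst_ip": dst, "dst_port": 443}, rules))
```

With only `instagram.com` listed, the session to the second constructed host still leaves via ISP1, which is why every related domain has to be added as its own FQDN object.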

@Raido_Rattameister 

Noted on this method.

Do you have any alternative other than this?

L4 Transporter

Hello LeoLion,

If you have an SD-WAN license on the firewall, you can set up some SD-WAN rules.

So you can set some rules on App-ID.


Olivier

PCSNE - CISSP

Best Effort contributor


Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
