Policy destination field when using URL filtering


I need to write a rule that looks like this:

Source zone: Internal
Destination zone: External
Source address: 10.38.105.201
Destination address: This is where it is tricky. I need the destination addresses to be *.myqlink.biz, *.med.myqlink.net and *.internapcdn.net, but I am aware you cannot use wildcards for FQDN objects, and it needs to be done via a custom URL category/URL profile. So would this be "any"?
Application: any
Destination port: tcp-1433
Action: allow

My question to you, I guess, is: as this is an allow rule, is it safe to put "any" in the destination address field? Wouldn't that allow 10.38.105.201 to any external destination? I just want to allow that source to those three wildcards via tcp-1433 and that is it.

Also, is the process this: create the custom URL category, add those 3 wildcards and maybe a few more for their subdomains, and hit OK. Move to the URL Filtering security profile, create one, go to the custom URL category in the security profile and set it to alert so it logs to Panorama. Then put destination "any" in the ACL's destination address field, of course adding the new URL profile I had just created to the rule? Or is that completely wrong?

I just don't want to allow that 10. IP to anything and everything external, and we just don't know what the beginning of the domains will be.

Here are the documents from the vendor; I've also uploaded those photos to the discussion.

Ports: https://imgur.com/a/MVH2lG0

URLs: https://imgur.com/a/rxnow-cabinet-requirements-tHx2lua

Cyber Elite

This will allow the client to set up 'initial' sessions towards basically anywhere as long as it's using port 1433, but the category lookup mechanism will determine pretty quickly whether this session matched the right category or not.

If it doesn't, the rule will release the session and a new security rule lookup will happen. If the session no longer matches any rules that allow it, it will be dropped.

So while, yes, you'll allow TCP handshakes to basically the entire internet, the URL category lookup should catch up quickly, before any 'rogue' applications can connect.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
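
As an added example (not part of the original post or of Tom's reply), here is how the rule described in the question can be expressed as PAN-OS firewall set commands, with the custom category also used as a match criterion on the rule itself. Putting the category in the rule's match criteria is what triggers the behaviour described in the reply: the firewall admits the handshake, and once it learns the URL it re-runs the security policy lookup and drops the session if no allow rule still matches. The object and rule names (rxnow-vendor, rxnow-urlf, Allow-RxNow-1433) and the destination IP in the test command (203.0.113.10) are my own; the wildcards, source address, zones and port come from the question. It assumes a single-vsys firewall (on Panorama the same objects live under a device group) and that the vendor's traffic on tcp/1433 is HTTP or TLS, because PAN-OS can only categorize a session when it sees an HTTP Host header or a TLS SNI/certificate; a raw database protocol on that port carries no URL to match. Lines beginning with # are annotations, not CLI, and should be stripped before pasting.

```text
# Custom URL category holding the vendor's wildcard entries.
# "*.myqlink.biz" matches any host under myqlink.biz (subdomains included).
set profiles custom-url-category rxnow-vendor type "URL List"
set profiles custom-url-category rxnow-vendor list [ *.myqlink.biz *.med.myqlink.net *.internapcdn.net ]

# URL Filtering profile: alert on the custom category so every hit is logged
# (and forwarded to Panorama via the usual log-forwarding profile).
set profiles url-filtering rxnow-urlf alert [ rxnow-vendor ]

# Service object for the vendor's port.
set service tcp-1433 protocol tcp port 1433

# Security rule: source pinned to the one host, destination left as any,
# and the custom URL category added as a match criterion so the rule only
# stays matched for sessions whose URL falls in that category.
set rulebase security rules Allow-RxNow-1433 from Internal
set rulebase security rules Allow-RxNow-1433 to External
set rulebase security rules Allow-RxNow-1433 source 10.38.105.201
set rulebase security rules Allow-RxNow-1433 destination any
set rulebase security rules Allow-RxNow-1433 application any
set rulebase security rules Allow-RxNow-1433 service tcp-1433
set rulebase security rules Allow-RxNow-1433 category rxnow-vendor
set rulebase security rules Allow-RxNow-1433 action allow
set rulebase security rules Allow-RxNow-1433 profile-setting profiles url-filtering rxnow-urlf

# Check from operational mode which rule a categorized session would hit
# (203.0.113.10 is a placeholder external address).
test security-policy-match from Internal to External source 10.38.105.201 destination 203.0.113.10 protocol 6 destination-port 1433 category rxnow-vendor
```

After committing, the traffic log for 10.38.105.201 shows which rule each session finally landed on; a session whose URL did not match rxnow-vendor should end up on a later deny rule (or the implicit interzone deny) rather than on Allow-RxNow-1433, and the URL filtering log should carry an alert entry for every hit on the custom category.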