This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Service/URL category

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Service/URL category

S_Williams901
L3 Networker

‎05-01-2024 11:18 AM

Microsoft Defender has a lot of endpoints it seems. I started a custom URL list with all the URLs needed for defender, created a policy in a global device template and said "Allow any source, any destination, using SSL, Web-Browsing, and windows defender atp app, using application default. I put the URL list I created in URL category area and didn't select a URL filter profile. 

 

It seems I have users hit things outside the URL list I created. I contacted TAC and they said its because the way the policy flow is for traffic. Basically left to right in the tabs on the policy. So what is the point or URL category exactly if it wont restrict your traffic to just the URL list I created?

0 Likes Likes
3 REPLIES 3

reaper
Cyber Elite
Cyber Elite

‎05-02-2024 01:30 AM

are users successfully accessing things or are you seeing logs for things you didn't expect?

 

the way a rule like this works, is to allow the TCP handshake for everything that matches your first tuples: source, destination, port (you need to create a session first, before you get to the URL bit).

When the HTTP GET comes around (or the SNI can be intercepted), there is another rulebase lookup for this session

if the URL matches your criteria, it will hit, if it doesn't it will go further down the list to find a new match.

If a match is found, that new rule will take over (and your log will reflect that after the session is finished)

 

now in some cases there could be 'anomalies' that could result in weird logs:

if for example the http get goes out (for a url you did not intend to hit this rule) but the server stops responding, the session will eventually die and no new rule will be used to continue the session, so the log is written on the rule that allowed the initial handshake.

 

There could be logical explanation why you're seeing these logs

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

S_Williams901
L3 Networker
In response to reaper

‎05-02-2024 07:04 AM

I see lots of tcp-rst-from-client, but sometimes I see a tcp-fin from a non-microsoft IP, but maybe they are redirects. 

 

0 Likes Likes

S_Williams901
L3 Networker

‎05-02-2024 07:34 AM

Also the traffic I am allowing from an app perspective I see going to MS IPs using Windows-Defender-atp-endpoint but see session end as tcp-rst-from-server. 

0 Likes Likes
  • 375 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks