09-16-2022 10:31 AM
Hello All,
I have a policy on Palo as below:
Source : A --> going to internet --
destination address --> any
Application --> ssl
service --> application-default
custom URL category --> allowed google.com
What would be allowed as per this policy?
2nd scenario
Source : A --> going to internet --
destination address --> any
Application --> google-base
service --> application-default
custom URL category --> allowed google.com
What would be allowed as per this policy?
Thanks for your help!
09-16-2022 05:57 PM
The first scenario would allow connections containing SSL traffic (not just HTTPS, but any data stream wrapped in SSL) to a URL allowed in the custom URL category. Note: Using SSL can get you in trouble when thinking this is HTTPS data. You might put in an inbound allow "SSL" to your DMZ'd web server assuming that this will just allow HTTPS, when in fact it will allow SMTPS, IMAPS, FTPS, etc. to your DMZ server.
The second scenario would allow connections identified as google-base (Google app login, basic account services, etc.) to URLs in the custom URL category. Per the application description:
This App-ID covers common service and infrastructure traffic generated by all Google services and applications. To safely enable Google's services and applications, this App-ID is required to be permitted by policy.
Both scenarios may suffer from problems in that traffic will not initially be detected as ssl or google-base and allowed as it takes several packets to identify an application and the detection may change as more packets traverse the firewall, so a connection initially identified as SSL to a Google URL may become google-hangouts as more traffic is processed. So you may need some other rule to initially allow traffic thru. Additionally, you may need to have decryption turned on to effectively identify/match your URL categories.
If you just want to allow all Google web services (and you want to specifically pass Google traffic thru a specific rule, instead of a general internet access rule), you may do better with a security policy like:
Source : A --> going to internet --
destination address --> any
Application --> web-browsing, ssl
service --> application default
custom URL category -- > allowed google.com
action --> allow
If your intention is to allow Google traffic, but you want to deny Google file storage, then a general access rule plus:
Source : A --> going to internet --
destination address --> any
Application --> google-cloud-storage, google-docs, google-drive-web
service --> application default
action --> deny
09-17-2022 12:13 AM
Thanks for the information you provided...
My requirement is to allow a specific website only (google.com) and only on the secure port, and I want to use a custom URL category in the security policy. How would the policy look then?
Thanks
09-17-2022 01:39 PM
If you just want to allow google.com HTTPS services then a slight variation of the first scenario would be:
Source : A --> going to internet --
destination address --> any
Application --> ssl
service --> service-https
custom URL category -- > allowed google.com
action --> allow
Just be aware that Google may use domains other than google.com for some web calls.
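The following is an added worked example, not code from either poster or from Palo Alto Networks. It is a deliberately simplified Python model of how a security rule is matched against a session, written to show why the two answers above differ: "ssl" with service "application-default" admits any TLS-wrapped protocol on that App-ID's default ports, while "ssl" with "service-https" admits only TCP/443, and in both cases a session cannot match until the App-ID and the URL category are actually known. The per-application port table, the "incomplete" App-ID name, the rule names and the session values are all constructed assumptions for illustration; the real firewall's App-ID database and matching engine are not reproduced here.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Session:
    """A constructed view of one session at a point in its life."""
    src: str                        # source address object, e.g. "A"
    dst_port: int                   # destination TCP port
    app: str                        # App-ID as currently identified
    url_category: Optional[str]     # custom URL category matched, None if not yet known


@dataclass(frozen=True)
class Rule:
    """A constructed, reduced security rule (zones omitted for brevity)."""
    name: str
    source: FrozenSet[str]
    applications: FrozenSet[str]
    service: Union[str, FrozenSet[int]]   # "application-default" or an explicit port set
    url_category: Optional[str]           # required custom URL category, None = any
    action: str                           # "allow" or "deny"


# Constructed assumption: which destination ports count as "application-default"
# for each App-ID in this model. The only point it makes is that "ssl" is a
# generic TLS wrapper that covers more than HTTPS (SMTPS, IMAPS, POP3S, ...).
APP_DEFAULT_PORTS = {
    "ssl": frozenset({443, 465, 993, 995}),
    "web-browsing": frozenset({80}),
    "google-base": frozenset({443}),
}


def rule_matches(rule: Rule, s: Session) -> bool:
    """Return True if the session satisfies every field of the rule."""
    if s.src not in rule.source:
        return False
    if s.app not in rule.applications:
        # Before enough packets have been seen the App-ID is still
        # "incomplete" (constructed name), so an app-based rule cannot match yet.
        return False
    if rule.service == "application-default":
        if s.dst_port not in APP_DEFAULT_PORTS.get(s.app, frozenset()):
            return False
    elif s.dst_port not in rule.service:
        return False
    if rule.url_category is not None and s.url_category != rule.url_category:
        # Without decryption the URL inside TLS is not visible, so the
        # category stays None and a category-scoped rule cannot match.
        return False
    return True


def evaluate(rules: List[Rule], s: Session) -> Tuple[str, str]:
    """First-match evaluation; anything unmatched falls to the implicit deny."""
    for rule in rules:
        if rule_matches(rule, s):
            return rule.name, rule.action
    return "implicit-deny", "deny"


# The first scenario from the question: ssl + application-default + custom category.
SCENARIO1 = Rule("scenario1-ssl-appdefault", frozenset({"A"}), frozenset({"ssl"}),
                 "application-default", "allowed-google", "allow")

# The final answer: ssl + service-https (TCP/443 only) + custom category.
HTTPS_ONLY = Rule("google-https-only", frozenset({"A"}), frozenset({"ssl"}),
                  frozenset({443}), "allowed-google", "allow")

# Constructed sample sessions.
HTTPS_GOOGLE = Session("A", 443, "ssl", "allowed-google")     # browser to google.com
SMTPS_GOOGLE = Session("A", 465, "ssl", "allowed-google")     # TLS-wrapped SMTP
EARLY_PACKETS = Session("A", 443, "incomplete", "allowed-google")  # App-ID not settled yet
NO_DECRYPT = Session("A", 443, "ssl", None)                   # category unknown


def demo() -> dict:
    """Evaluate each sample session against both rules."""
    return {
        (rule.name, name): evaluate([rule], sess)[1]
        for rule in (SCENARIO1, HTTPS_ONLY)
        for name, sess in (("https", HTTPS_GOOGLE), ("smtps", SMTPS_GOOGLE),
                           ("early", EARLY_PACKETS), ("no-decrypt", NO_DECRYPT))
    }


if __name__ == "__main__":
    for key, action in demo().items():
        print(f"{key[0]:<26} {key[1]:<11} {action}")
```

Running it shows the SMTPS session allowed by the scenario-1 rule but denied by the service-https rule, and the "early" and "no-decrypt" sessions denied by both, which is the practical reason the earlier reply suggests a broader rule to let sessions through until the App-ID settles and decryption to make the URL category matchable.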