URL filtering issue

L0 Member

Hello All,

 

I have a policy on palo as below:

 

Source : A --> going to internet --

destination address --> any

Application --> ssl

service --> application default

custom URL category --> allowed google.com

What would be allowed as per this policy?

 

2nd scenario

 

Source : A --> going to internet --

destination address --> any

Application --> google-base

service --> application default

custom URL category --> allowed google.com

What would be allowed as per this policy?

 

Thanks for your help!

 

3 REPLIES 3

L6 Presenter

The first scenario would allow connections containing SSL traffic (not just HTTPS, but any data stream wrapped in SSL) to a URL allowed in the custom URL category. Note: Using SSL can get you in trouble when thinking this is HTTPS data. You might put in an inbound allow "SSL" to your DMZ'd web server assuming that this will just allow HTTPS, when in fact it will allow SMTPS, IMAPS, FTPS, etc. to your DMZ server.

 

The second scenario would allow connections identified as google-base (Google app login, basic account services, etc.) to URLs in the custom URL category. Per the application description:

This App-ID covers common service and infrastructure traffic generated by all Google services and applications. To safely enable Google's services and applications, this App-ID is required to be permitted by policy.

 

Both scenarios may suffer from problems in that traffic will not initially be detected as ssl or google-base and allowed as it takes several packets to identify an application and the detection may change as more packets traverse the firewall, so a connection initially identified as SSL to a Google URL may become google-hangouts as more traffic is processed. So you may need some other rule to initially allow traffic thru. Additionally, you may need to have decryption turned on to effectively identify/match your URL categories.

 

If you just want to allow all Google web services (and you want to specifically pass Google traffic thru a specific rule, instead of a general internet access rule), you may do better with a security policy like:

Source : A --> going to internet --

destination address --> any

Application --> web-browsing, ssl

service --> application default

custom URL category --> allowed google.com

action --> allow

 

If your intention is to allow Google traffic, but you want to deny Google file storage, then a general access rule plus:

Source : A --> going to internet --

destination address --> any

Application --> google-cloud-storage, google-docs, google-drive-web

service --> application default

action --> deny

L0 Member

Thanks for the information you provided...

 

My requirement is to allow a specific website only (google.com) and only on the secure port, and I want to use a custom URL category in the security policy. How would the policy look then?

 

Thanks

 

L6 Presenter

If you just want to allow google.com HTTPS services then a slight variation of the first scenario would be:

Source : A --> going to internet --

destination address --> any

Application --> ssl

service --> service-https

custom URL category --> allowed google.com

action --> allow

 

Just be aware that Google may use domains other than google.com for some web calls.
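To make the difference between the three rule variants in this thread concrete (the original two scenarios and the service-https variant above), here is a small first-match rulebase simulator. It is an added illustration, not PAN-OS code or anything posted by the participants: the application-default port table, the category name "allowed-google" and the sessions are all constructed assumptions, and URL category resolution is taken as already done (a session whose URL the firewall could not see carries None).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

# Constructed "application-default" port table. PAN-OS ships its own, much
# larger App-ID database; this toy version only illustrates the point made in
# the thread that the ssl App-ID is not "HTTPS only".
APP_DEFAULT_PORTS = {
    "ssl": {443, 465, 993, 995},   # HTTPS, SMTPS, IMAPS, POP3S all identify as ssl
    "web-browsing": {80},
    "google-base": {443},
    "google-hangouts": {443},
}


@dataclass(frozen=True)
class Session:
    src_zone: str
    app: str                     # App-ID as currently identified; it can shift mid-session
    dst_port: int
    url_category: Optional[str]  # resolved URL category, or None if the firewall
                                 # could not see the URL (e.g. no decryption)


@dataclass(frozen=True)
class Rule:
    name: str
    source_zone: str
    apps: FrozenSet[str]
    service: str                              # "application-default", "service-https" or "any"
    url_categories: Optional[FrozenSet[str]]  # None means any category
    action: str                               # "allow" or "deny"


def service_matches(rule: Rule, s: Session) -> bool:
    if rule.service == "any":
        return True
    if rule.service == "service-https":        # predefined service object: TCP/443 only
        return s.dst_port == 443
    if rule.service == "application-default":  # port must be a default port of the identified app
        return s.dst_port in APP_DEFAULT_PORTS.get(s.app, set())
    raise ValueError(f"unknown service {rule.service!r}")


def rule_matches(rule: Rule, s: Session) -> bool:
    return (
        rule.source_zone in ("any", s.src_zone)
        and ("any" in rule.apps or s.app in rule.apps)
        and service_matches(rule, s)
        and (rule.url_categories is None or s.url_category in rule.url_categories)
    )


def evaluate(rulebase: Sequence[Rule], s: Session) -> Tuple[str, str]:
    """First-match evaluation over an ordered rulebase; anything that matches
    no rule falls through to the implicit interzone default deny."""
    for rule in rulebase:
        if rule_matches(rule, s):
            return rule.name, rule.action
    return "interzone-default", "deny"


GOOGLE = frozenset({"allowed-google"})  # constructed custom URL category name
scenario_1 = Rule("scenario-1", "A", frozenset({"ssl"}), "application-default", GOOGLE, "allow")
scenario_2 = Rule("scenario-2", "A", frozenset({"google-base"}), "application-default", GOOGLE, "allow")
https_only = Rule("google-https-only", "A", frozenset({"ssl"}), "service-https", GOOGLE, "allow")

# Constructed sessions from zone A
S_HTTPS = Session("A", "ssl", 443, "allowed-google")             # TLS to google.com on 443
S_SMTPS = Session("A", "ssl", 465, "allowed-google")             # TLS on 465, same URL category
S_SHIFTED = Session("A", "google-hangouts", 443, "allowed-google")  # App-ID revised mid-session
S_BASE = Session("A", "google-base", 443, "allowed-google")
S_OPAQUE = Session("A", "ssl", 443, None)                        # URL not visible to the firewall

if __name__ == "__main__":
    rules = [("scenario 1", scenario_1), ("scenario 2", scenario_2), ("service-https", https_only)]
    sessions = [("ssl:443", S_HTTPS), ("ssl:465", S_SMTPS), ("hangouts:443", S_SHIFTED),
                ("google-base:443", S_BASE), ("ssl:443 no URL", S_OPAQUE)]
    for rname, rule in rules:
        for sname, s in sessions:
            print(f"{rname:14} {sname:16} -> {evaluate([rule], s)}")
```

Running it shows the behaviour described in the replies: scenario 1 allows the 465 session because application-default for ssl covers more than 443, while the service-https variant denies it; the session whose App-ID shifts to google-hangouts stops matching either ssl rule; and a session whose URL the firewall cannot see never matches a rule that requires the custom category.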
