Unable to Add URL-Based External Dynamic List as Destination in Policy-Based Forwarding Rule on Panorama


L0 Member

I am attempting to use an External Dynamic List (EDL) with a URL-based list as the destination in a Policy-Based Forwarding (PBF) rule on Panorama. However, when I try to add the EDL as the destination in the PBF rule, I am not able to see the URL-based EDL in the destination list. I have checked that the EDL is configured correctly and assigned to the correct device group. Additionally, I have verified that the Threat Prevention license includes the URL filtering feature. What could be causing this issue, and how can I resolve it?

3 REPLIES

Cyber Elite

You can't route traffic based on URL.

Web traffic is running over TCP.

In the case of TCP, the URL is in the 4th packet (in the best case, if it is HTTP) or later (if it is HTTPS).

SYN

SYN-ACK

ACK

HTTP GET <<< URL is here

The routing decision needs to be made on the first packet.

So you can't use URL to make routing decisions.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L0 Member

I have tested a PBF rule using an FQDN as a destination and it works fine. The firewall resolves the IP addresses associated with that FQDN, and then makes the routing decision based on those IP addresses. Does the firewall use different methods to handle URL-based EDLs?

Cyber Elite

If you use an FQDN-based list, then the domain is resolved to an IP and traffic is routed based on this destination IP (first packet).

If you use a URL-based list, then the firewall does not intercept the TCP 3-way handshake and takes action when it sees the website URL passing by, either in the HTTP GET packet (if clear text) or from the certificate (when SSL).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
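The point made in both replies above (the destination IP is on the SYN, the URL only appears once the handshake is done) can be modelled with a small flow simulation. This is an added example, not code from the thread or from Palo Alto Networks; the packet class, the resolver cache `FQDN_CACHE`, the addresses and the HTTP request are all constructed, and `pbf_matches` only emulates a first-packet lookup, not the firewall's real PBF implementation.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    flags: str            # TCP flags as a label: "SYN", "SYN-ACK", "ACK", "PSH-ACK"
    payload: bytes = b""  # empty during the 3-way handshake

# Constructed resolver cache: what the firewall holds after refreshing an FQDN object.
FQDN_CACHE = {"example.test": "203.0.113.10"}

def http_host(payload: bytes):
    """Return the Host header of a clear-text HTTP request, or None if absent."""
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return None
    for line in payload.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def first_packet_with(flow, extract):
    """1-based index of the first packet where extract() yields a value, else None."""
    for i, pkt in enumerate(flow, start=1):
        if extract(pkt) is not None:
            return i
    return None

def ip_known_at(flow):
    return first_packet_with(flow, lambda p: p.dst)

def url_known_at(flow):
    return first_packet_with(flow, lambda p: http_host(p.payload))

def pbf_matches(flow, fqdn=None, url_host=None):
    """Emulate a first-packet PBF lookup: only what the SYN carries can be matched."""
    syn = flow[0]
    if fqdn is not None:                       # FQDN object: compare resolved IP
        return syn.dst == FQDN_CACHE.get(fqdn)
    if url_host is not None:                   # URL: the SYN has no payload yet
        return http_host(syn.payload) == url_host
    return False

# Constructed HTTP flow: client 192.0.2.5 -> server 203.0.113.10
FLOW = [
    Packet("192.0.2.5", "203.0.113.10", "SYN"),
    Packet("203.0.113.10", "192.0.2.5", "SYN-ACK"),
    Packet("192.0.2.5", "203.0.113.10", "ACK"),
    Packet("192.0.2.5", "203.0.113.10", "PSH-ACK",
           b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]
```

For HTTPS the same pattern holds with the hostname arriving later still, in the TLS ClientHello SNI or the server certificate rather than an HTTP header.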