Firewall is allowing certain packets through different policy in URL based traffic blocking scenario

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Firewall is allowing certain packets through different policy in URL based traffic blocking scenario

L3 Networker

Hi Team,

 

We had configured an EDL today with URL list and created an security policy and applied it for an specific source IP address.

 

We had tried to access an URL in the EDL list and the website is not loading on the PC.

 

When checking the Traffic logs with source and destination IP some traffic is being blocked through desired policy. But some traffic is being allowed.

 

Is this an expected behaviour when comes to URL based blocking as the firewall will allow TCP handshake and the initial SSL/TLS handshake

2 REPLIES 2

Cyber Elite
Cyber Elite

Thank you for posting question @tamilvanan

 

Since your EDL type is URL, I would recommend to check URL logs instead of Traffic logs.

 

Coming back to your question, could you please elaborate how you applied EDL? Did you add the block URL EDL directly under: Security Policy Rule > Service/URL Category or did you add under: Security Policy Rule > Profile Setting > URL Filtering / Group Profile?

 

If you applied it directly under Service/URL Category, then match against URL, will be blocked directly under security policy and you should see it in the Traffic log as being blocked. If you see this as allowed in the log, could you check more details under: Detailed Log View?

 

If you have applied it under: URL Filtering / Group Profile, then in Traffic log, you should see the result of policy being evaluated against 6 tuple. If the result is allow, then you will see this traffic being allowed in Traffic log, but as a subject of L7 processing under URL filtering in URL Filtering / Group Profile, the result in URL log will be block-url if there is a match.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi @PavelK .

 

Thanks for your inputs.

 

I am going through the documentations and my understanding from those documentations is that the firewall handles HTTP and HTTPS traffic differently.

 

For HTTP traffic the firewall allow till the GET packet to identify the HTTP website the user is trying to access and blocks the HTTP site. So the initial packets will be allowed.

 

Same for HTTPS site the firewall will allow the traffic of TCP handshake , SSL/TLS handshake and then once the firewall get the Certificate it will look into the CN name of the certificate and will block that session. So we will see few packets going out to the websites when we filter on traffic log using the website IP address.

 

This is my understanding

  • 2532 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!