11-19-2024 11:47 PM
Dear experts,
Here is my question:
Our customer has registered new URL domains and configured the firewall to block all newly registered domains via the URL filtering configuration. They noticed that the new domain is NOT blocked right away but about 15 minutes after the first time it becomes reachable.
Is this behavior expected? The customer pointed out that if this is the intended behavior, it could pose a risk to the security of the internal network.
Thank you for any help
Best regards
Angelo
11-25-2024 08:46 PM
Hello,
This is an insightful observation by the customer, and their concerns are valid. Here's an interesting way to frame this situation:
"15 minutes might not seem like much, but in cybersecurity, it's a lifetime for an attacker."
The delayed enforcement could indeed provide a narrow window for exploitation, especially in targeted attacks that leverage newly registered domains as part of phishing campaigns, malware distribution, or other malicious activities. However, the delay is likely due to the time it takes for the URL filtering service to process, classify, and propagate updates for new domain registrations across its database. This delay highlights a trade-off between scalability and real-time protection. A system designed to block domains instantly after registration would require an extraordinarily fast feedback loop, which may not always be feasible.
The risk can be mitigated by adopting complementary defenses, such as DNS-layer filtering that blocks access to domains with suspicious patterns (e.g., newly registered TLDs) or employing behavioral analysis that flags unusual activities on new domains. Integrating the URL filtering with a broader zero-trust architecture could minimize reliance on the timing of domain classification by ensuring that all external connections, even to "new" domains, are verified and monitored.
While the delay might be an inherent limitation, the incident underscores the importance of multi-layered security strategies.
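To size the exposure created by a classification delay like the one discussed in this thread, the following added example (not part of the original posts and not vendor code) looks back through URL-filtering logs for sessions that were allowed to a domain before its first block. The CSV layout, field order, sample rows, and the default category label are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample log in a hypothetical CSV layout (not a vendor format):
# timestamp, source host, domain, category at decision time, action
SAMPLE_LOG = """\
2024-11-19T10:00:05,10.1.1.20,new-shop.example,unknown,allow
2024-11-19T10:03:41,10.1.1.35,new-shop.example,unknown,allow
2024-11-19T10:07:12,10.1.1.20,intranet.example,business,allow
2024-11-19T10:15:30,10.1.1.20,new-shop.example,newly-registered-domain,block
2024-11-19T10:16:02,10.1.1.48,new-shop.example,newly-registered-domain,block
"""

def exposure_windows(log_text, blocked_category="newly-registered-domain"):
    """Map each later-blocked domain to the sessions allowed before its first block."""
    rows = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, src, domain, category, action = (field.strip() for field in row)
        rows.append((datetime.fromisoformat(ts), src, domain.lower(), category, action))
    rows.sort(key=lambda r: r[0])

    # First moment each domain was blocked under the category of interest.
    first_block = {}
    for ts, _, domain, category, action in rows:
        if action == "block" and category == blocked_category:
            first_block.setdefault(domain, ts)

    # Sessions allowed to that same domain before enforcement started.
    report = {}
    for ts, src, domain, _, action in rows:
        blocked_at = first_block.get(domain)
        if blocked_at and action == "allow" and ts < blocked_at:
            entry = report.setdefault(domain, {"first_block": blocked_at, "hits": []})
            entry["hits"].append((ts, src))

    for entry in report.values():
        entry["gap"] = entry["first_block"] - entry["hits"][0][0]
        entry["hosts"] = sorted({src for _, src in entry["hits"]})
    return report

if __name__ == "__main__":
    for domain, info in exposure_windows(SAMPLE_LOG).items():
        print(domain, "gap:", info["gap"], "hosts to review:", info["hosts"])
```

The hosts listed for each domain are the ones that reached it during the gap and are the candidates for follow-up review.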