This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
About TravisC
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About TravisC
07-07-2021
15Posts
4Likes
3Solutions
Jul 07, 2021Last Visited
User
Activity
User
Profile
Latest posts by TravisC
| Subject | Views | Posted |
|---|---|---|
| 5631 | 11-17-2020 06:28 AM | |
| 4426 | 11-16-2020 11:14 AM | |
| 4460 | 11-16-2020 10:36 AM | |
| 4489 | 11-16-2020 10:19 AM | |
| 4899 | 11-16-2020 10:17 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 09-22-2020 01:44 PM | |
| 1 Like | 09-23-2020 12:01 PM | |
| 1 Like | 09-24-2020 05:40 AM | |
| 1 Like | 09-22-2020 02:19 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 3 Likes |
User Badges
Community Statistics
| Member Since | 12-20-2011 07:11 AM |
| Date Last Visited | 07-07-2021 11:30 AM |
| Posts | 15 |
| Total Likes Received | 4 |
11-17-2020
06:28 AM
The URL is defined by website. In the case of an HTTP request to 'sega.com', the website responds with a 301 (Permanently Moved) to 'www.sega.com'. If you are using Chrome, it will hide the 'www.', but if you click on it will show it. If you use Firefox, you will see that you put in 'sega.com' and then it is changed to 'www.sega.com'. You can use Developer tools on either browser to see what the URL should be by following the request URL. The firewall doesn't attempt to do a reverse DNS lookup on URL categories. The URL is determined by looking by looking at the HTTP headers, the SSL Client Hello SNI, and SSL Server Hello Common Name (CN) of the Server Certificate Subject DN. This behavior changes if SSL decryption is used. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzlCAC
... View more
11-16-2020
10:36 AM
What are the URL's in the URL category? Can you test with 'example.com'?
... View more
11-16-2020
10:19 AM
My testing shows that it works as intended. If your traffic was allowed after changing that rule to action 'Deny', I would look into the order of the security policy rules and make sure that another rule didn't allow the traffic.
... View more
11-16-2020
10:17 AM
@Jonathanct Do you have log at session start enabled? That would explain the logs showing up on your allow rule. I would recommend disabling log at session start. The initially allowed traffic is for allow rules. When processing traffic, the firewall assumes that the application is set to 'any' until the firewall can determine what they are and processes the traffic under the first security rule that matches L2 - L4 with any application. This is show in the "FW Session setup/Slowpath" in the Day in the Life of a Packet diagram under 'Firewall security policy lookup'. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0 In your example of the allow rule with URL category defined and the action is set to "Allow', the firewall will match all sessions from L2 to L4 to that rule until the application can be defined. Once the application is defined, the firewall will rematch against the policy to determine if there is a rule to allow that traffic. In this example, that would still be the URL category rule since the rule is setup with any application on any service. Once the URL category is defined, the firewall will rematch against the security policy again to find the first rule to match the new information. If your rule was set to block, the traffic would be initially allowed on another security rule until the URL category was determined 5-9 packets later. Then on the rematch the firewall will show that the traffic was dropped on your URL Category rule.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-07-2021
11:30 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks