About jjhernandez

I was searching high and low for URL Filtering Order / URL Filtering Precedence when trying to understand how to override an incorrect URL learned from an External Dynamic List. It took the help of our Designated Engineer to get a full and complete answer. I thought I would share the info here so others may benefit as well.   This is based off of the following: URL FILTERING ORDER: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC PANOS 8.0 Documentation: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/url-filtering/url-filtering-concepts/url-filtering-profile-actions Comments from our Designated Engineer on case 01012895.     Starting with the different sources of URL Filtering Data, the precendence is from the top down - First Match Wins:   Block list Manually entered blocked URLs Objects -> Security Profiles -> URL Filtering -> <URL Filtering Object> -> Overrides -> Block List Allow list Manually entered allowed URLs Objects -> Security Profiles -> URL Filtering -> <URL Filtering Object> -> Overrides -> Allow List Custom Categories User-defined Custom URL Categories  Objects -> Custom Objects -> URL Category -> <URL Category Object> Cached Cached = URLs learned from External Dynamic Lists (EDLs)  Objects -> External Dynamic Lists -> Dynamic URL Lists -> <Dynamic URL List Object> Pre-Defined Categories PAN-DB or Brightcloud "canned" / "out of the box" categories. Objects -> Security Profiles -> URL Filtering -> <URL Filtering Object> -> Categories     So, what happens when we get two or more valid answers, all at the same level of precendence? No problem - We have a list for that too! The list below includes the actions and a short explanation of the action from the PANOS 8.0 documentation. Just as before, precedence is from the top down  -  First Match Wins :     Block The website is blocked and the user will see a response page and will not be able to continue to the website. A log entry is generated in the URL filtering log. Override The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security admin or helpdesk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL filtering log. Continue The user will be prompted with a response page indicating that the site has been blocked due to company policy, but the user is prompted with the option to continue to the website. The continue action is typically used for categories that are considered benign and is used to improve the user experience by giving them the option to continue if they feel the site is incorrectly categorized. The response page message can be customized to contain details specific to your company. A log entry is generated in the URL filtering log. Alert The website is allowed and a log entry is generated in the URL filtering log. Allow The website is allowed and no log entry is generated.   Thats it - hope this is useful! ... View more

  T-Mobile appears to no longer be issuing IPv4 addresses on their LTE network for iPhones running iOS 10.2 and Carrier Profile 27.1. This caused GlobalProtect VPN on our iOS 10.2 phones with T-Mobile LTE to stop working.    Summary of the testing - See attached screenshots: Platforms: Two iOS 10.2 iPhones - one on T-Mobile LTE and one on AT&T LTE Tools used: Hurricane Electric's Network Tools App -> Interface data. T-Mobile LTE: No IPv4 addresses. IPv6 addresses only. AT&T's LTE: Both IPv4 and IPv6 addresses. GlobalProtect 2.X.X and 3.X.X do not support IPv6. (Current iOS version is 3.0.2.)    Notes: Impact is confined to T-Mobile LTE only at this time. Verizon. AT&T, Sprint, etc. do not have this issue. Based on how its working today, an educated guess says T-Mobile has an IPv6->IPv4 translation gateway where they connect the LTE network to the Internet.    Workaround: For T-Mobile LTE customers, use Wifi for VPN.   Fix: GlobalProtect 4.0, which does support IPv6, is due out soon. We have a beta copy and it works properly with iOS 10.2 and T-Mobile.    Please talk to your PAN Account Rep and open a support case with PAN about the issue if you are being impacted. For reference, our case is # 00598890.      ... View more

Problem:   Because of occasional issues with vendor patches, like MS had early this year, (see URL below), very few companies release patches/updates to clients or servers on the day of release. They test the updates first, then release them days or even weeks later after testing has shown no major issues. GlobalProtect has no capability to delay patch checking to address this test cycle.   http://blog.norsecorp.com/2015/02/16/microsoft-users-battle-buggy-patches-in-februarys-releases/?mkt_tok=3RkMMJWWfF9wsRojv6nJZKXonjHpfsX56O4qWqG3lMI%2F0ER3fOvrPUfGjI4FTsRqI%2BSLDwEYGJlv6SgFTLjEMa9u1rgPUhI%3D    Request:   Add a “grace period” capability into GlobalProtect to delay the checking of patch levels by "N" days from the date of release. Example: Wait 14 days before checking for Patch Tuesday patches to accomodate the testing of the patches. The grace period “out of the box” should be 0 days by default in order to not change existing behavior. Users can then change the default grace period from there. Include groups for "batched" updates released by a vendor.  For example; Group defined for each MS Patch Tuesday, group defined for each Apple Security Day release, and so on. Nested groups and user-defined groups should also be available.  Ability to set and/or override the default grace period on a per-patch basis or per-group basis. This would allow customers to address urgent issues such as Zero Day exploits (reduced grace period, possibly all the way to 0) and to delay or prevent enforcement (increased grace period, or set to -1 for “do not enforce”) for low priority and/or problematic updates.   Additional improvements (and corrections) always appreciated.   ... View more