The URL-filter has severe limitations. Unless I maintain a huge custom category of all the common CRL distribution points on the Internet, I can't see how I would do this. I have two main issues with the URL-filter expressions.

1. When matching hosts, the wildcard has to match a complete token. I can't use *crl.*.* -> *crl is invalid because it is not the only character in the token. So, I can't restrict destination URLs based on the hostname.

2. The path is not predictable enough. All I know is that the file name is going to be .crl, but it might be a very long path (many subdirectories) or a short one. ex: /*.crl, /*/*/*/*.crl ... Still, that's not so bad because I could create a dozen URL filter expressions that would match the file up to 11 directories deep, as an example. And that would cover most cases...

But it is still something that could be avoided with a custom appid, or less restrictive URL expressions. Unless there is something I don't know yet about PAN-OS url-filter expressions...