PAN URL Categories
Heyo! So today I’m gonna cover URL category’s. Obviously Uniform Resource Locations are nothing new and even more so categories hahah. So when you know existing ones and have classified them, you can do some amazing things, what’s the hardest part…. Yes… proper classification of every possible URL, near impossible, but with collaboration feasible. In this post I’m going to cover how to set this up on a Palo Alto Networks firewall, cover some benefits, a couple annoyances, and ways to resolve them when possible…. Let’s get started!
Now when I first started with Palo Alto Networks Firewalls, they were using Brightcloud… here’s a bit of details from here
Objective Profiles… I mean Object Profiles
Yeah… click on the Objects tab… look under Security Profiles… URL Filtering.
There lies a default profile, which allows 57 categories while blocking only 9. For a simple test I’ll use this, the blocked categories are:
- abused-drugs (LOL, cause other poisons like Tobacco and alcohol are allowed, cause laws)
- adult (I’m assuming this is a business friendly term for porn)
- command-and-control (duh)
- gambling (duh)
- hacking (interesting class definition)
- malware (duh)
- phishing (duh)
- questionable (duh)
- weapons (awwwww)
Well that seems like a fairly reasonable list. Creating your own allow and block listing is just as easy as creating a new profile and defining each class accordingly, and yes you can easily clone an existing profile and change one or two categories as required.
The Allow and Block lists are specified under the overrides areas if you happen to need to allow or block a URL before it can be officially re-classed by PAN DB. As quoted by the wizard, “For the block list and allow list enter one entry per row, separating the rows with a newline. Each entry should be in the form of “www.example.com” and without quotes or an IP address (http:// or https:// should not be included). Use separators to specify match criteria – for example, “www.example.com/” will match “www.example.com/test” but not match “www.example.com.hk”” Which makes sense it’s will determine what is allowed as for proctols under the security rules area, this simply states which addresses (DNS or IP based) to allow or block. In the case of DNS till proper classification.
Checking a URL for a Category
To check a address class, check PANs site for it here. If you find a site is mis-classed you can send an email to Palo Alto Networks team and they will test the verification of the re-class and re-class the PAN DB accordingly. As far as I can tell I don’t think this one actually requires a login.
Alright, alright, lets actually get to some uses. Now if you were following my series see my last two posts here, and here for reference material. Under the Security Rule Test Internet, the final tab, actions, we did not define any profile settings, this is where the rubber hits the road for the first time.
Pick Profiles, We’ll cover groups a bit later (its just a group of profiles, who’d of thought).
As you can see this expands the window to show all the profiles you saw under the Objects -> Security Profiles area, in this case we are just going to play with the URL filtering.
Now once I apply this on the internet rule.. productive for my Test XP machine should go up… muahahah and…
HAHAHAHA you lazy mid 2000’s virtual worker… you can’t go gambling get back to work!
As you can see how useful URL categories can be, unfortunately I did want to cover more granular examples; such as only allowing a server to access it’s known update server URL’s. Hopefully I can update this post to cover that as well.
For now I hope you enjoyed this quick blog post. In my next post I hope to cover how this isn’t an IDS of any kind at this point, but a single layer of the multi-layer security onion. Stay tuned for more. 🙂