Palo Alto Networks Knowledgebase: DotW: URL Wildcard Pattern

DotW: URL Wildcard Pattern

6411
Created On 07/18/19 19:26 PM - Last Updated 07/18/19 20:11 PM
Resolution

In this week's DotW, we discuss a specific question one of our members posted in several discussions:

 

Screen Shot 2017-01-09 at 10.43.45.pngdiscussion

Screen Shot 2017-01-09 at 10.44.29.pngdiscussion

 

User oscaringosv is looking for a way to block URLs that have a specific word pattern/string.  In his example, he was looking to match on the word "good".

 

  • He already tried using custom URL categories with wildcards.  
  • Note that you cannot use regex in custom URL categories.

 

There are, however, some considerations to take when you want to use wildcards in custom URL categories.  Allow me to explain using "good" as an example:

 

The following characters are considered separators:
.
/
?
&
=
;
+
 
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
 
*.good.com (Tokens are: "*", "good" and "com")
www.*.com (Tokens are: "www", "*" and "com")
www.good.com/search=* (Tokens are: "www", "good", "com", "search", "*")
 
The following patterns are invalid because the character “*” is not the only character in the token.
 
  • ww*.good.com
  • www.good*.com

 

Looking for an alternative, user oscaringosv found a discussion with a possible workaround.

 

https://live.paloaltonetworks.com/t5/General-Topics/block-keywords/m-p/6101#U6101

 

The above discussion talks about using a signature-based custom application.

While custom applications with signatures can be very useful, they do have minimum requirements. For example, the pattern used must be a minimum of 7 bytes.

 

More details on how to create custom application signatures and requirements can be found here:

 

https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Custom-Application-Signatures/ta-p/58625

 

You can follow both discussions in the links below:

https://live.paloaltonetworks.com/t5/General-Topics/URL-wildcard-Pattern/m-p/136217#U136217

https://live.paloaltonetworks.com/t5/General-Topics/block-keywords/m-p/6101#U6101

 

Cheers !

-Kim. 

 

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSKCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language