PAN-OS URL Filtering with Internationalized Domain Names (Asian, Cyrillic, Hebrew, etc. characters)

Created On 09/25/18 19:20 PM - Last Modified 07/01/21 17:38 PM


Symptom


PAN-OS URL filtering supports Internationalized Domain Names.



Environment


  • Any PAN-OS.
  • Palo Alto Firewall.


Resolution


DNS supports only ASCII characters. All non-ASCII characters are represented via Punycode, which Palo Alto Networks URL filtering supports. Punycode is an encoding syntax by which a Unicode (UTF-8) string of characters can be translated into a basic ASCII character string, which is permitted in network host names.

 

For example, when "http://見.香港/" is entered into a web browser, the browser (which is an IDNA-enabled application) first converts the string to Punycode, http://xn--nw2a.xn--j6w193g/, because the characters "見.香港" are not allowed in regular domain names.
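The conversion described above can be reproduced offline, in both directions, to see the ASCII host name that DNS carries and to read `xn--` host names back as Unicode. This is an added example, not part of the original article or any Palo Alto Networks code; it assumes Python's built-in `idna` codec (IDNA 2003), and the function names are illustrative.

```python
from urllib.parse import urlsplit, urlunsplit

ACE_PREFIX = "xn--"  # prefix that marks a Punycode-encoded DNS label


def host_to_ace(host):
    """Return the ASCII (Punycode) form of a host name, lowercased."""
    # The built-in "idna" codec applies nameprep, then Punycode, per label.
    return host.encode("idna").decode("ascii").lower()


def url_to_ace(url):
    """Rewrite only the host of a URL into ASCII form (userinfo is dropped)."""
    parts = urlsplit(url)
    host = host_to_ace(parts.hostname or "")
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def host_to_unicode(host):
    """Decode xn-- labels for display; plain or malformed labels stay as-is."""
    out = []
    for label in host.split("."):
        if label.lower().startswith(ACE_PREFIX):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # not valid Punycode: show the raw label
        out.append(label)
    return ".".join(out)


def annotate_hosts(hosts):
    """Map each host that contains an xn-- label to its Unicode form."""
    return {
        h: host_to_unicode(h)
        for h in hosts
        if any(l.lower().startswith(ACE_PREFIX) for l in h.split("."))
    }


if __name__ == "__main__":
    # Constructed sample input: the article's URL, written with escapes.
    print(url_to_ace("http://\u898b.\u9999\u6e2f/"))
    print(annotate_hosts(["www.example.com", "xn--nw2a.xn--j6w193g"]))
```

Browsers may follow newer IDNA rules than this codec, so the two can differ for a small set of characters.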

 

Examples of online tools:

  • International Domain Name (IDN) conversion tool by Verisign
  • Lookup utility that supports IDNs by WhoIs

 



Additional Information


For instructions on blocking Punycode-encoded domains, please refer to the article: How to block ASCII compatible encoding (Punycode) in PAN-OS
