Traffic to IP address categorized as 'Malware' is not getting blocked despite category configured as block in URL Filtering Profile

Created On 04/05/19 05:34 AM - Last Modified 01/02/25 11:54 AM


Symptom


The IP address is categorized as 'Malware' in PAN-DB, and the URL Filtering profile is configured to 'block' the Malware category.


A test from the firewall CLI also shows that the cloud lookup is working; however, this traffic is still allowed and URL Filtering is not blocking it.


admin@PA-VM> test url 107.161.160.XX

107.161.160.XX not-resolved (Base db) expires in 0 seconds
107.161.160.XX malware (Cloud db)


Environment


  • NGFW
  • Supported PANOS
  • URL Filtering


Cause


Upon closer inspection, we can see that the App-ID is 'ping', which means this is not web traffic over HTTP/HTTPS.


URL Filtering is only actionable on HTTP and HTTPS traffic, so this is working as designed.

This also means that URL Filtering is not the right control for blocking a malware command-and-control channel that is not HTTP/HTTPS based.

Note: ping was only used as a test; the same behavior applies whenever the App-ID is not web traffic, for example unknown-tcp, unknown-udp, or dns.



Resolution


For IP address based blocking, use an External Dynamic List (EDL) of IP addresses referenced in Security policy:

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list
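To make the Cause and Resolution concrete, here is an added example (it is not Palo Alto Networks code and not part of the KB article) that models both behaviors in a few lines of Python: a URL Filtering profile that only ever evaluates HTTP/HTTPS sessions, and an IP-based EDL referenced by a deny rule that catches the same destination regardless of App-ID. The category table, the EDL contents, the 203.0.113.45 destination (standing in for the elided 107.161.160.XX) and the session records are all constructed for the example; the policy evaluation is a deliberate simplification of real top-down rule matching.

```python
"""Model of URL Filtering vs. EDL-based blocking (added example, not PAN-OS code).

Assumptions made here, not taken from the KB article:
  * PAN_DB is a hypothetical stand-in for a PAN-DB cloud category lookup.
  * EDL_TEXT is a constructed IP-list EDL: one entry per line, either a single
    address, a CIDR block, or an address range written as start-end.
  * A session is reduced to its App-ID and destination IP.
"""
import ipaddress
from dataclasses import dataclass

# Constructed category lookup; 203.0.113.0/24 is documentation address space.
PAN_DB = {"203.0.113.45": "malware"}

# App-IDs a URL Filtering profile can act on in this model (HTTP and HTTPS).
WEB_APPS = {"web-browsing", "ssl"}

# Constructed EDL body: the malware IP, plus a CIDR block and a range
# to show the entry formats an IP-list EDL can carry.
EDL_TEXT = """\
203.0.113.45
198.51.100.0/24
192.0.2.10-192.0.2.20
"""


@dataclass(frozen=True)
class Session:
    app_id: str
    dst_ip: str


def parse_edl(text):
    """Turn EDL lines into ip_network objects; a start-end range is summarized into CIDRs."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "-" in line:  # range entry, e.g. 192.0.2.10-192.0.2.20
            start, end = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:  # single address (treated as /32) or CIDR block
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_edl(ip, nets):
    """True when the destination falls inside any EDL entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def url_filtering_verdict(session, blocked_categories=("malware",)):
    """Mimic a URL Filtering profile: non-web App-IDs are never evaluated."""
    if session.app_id not in WEB_APPS:
        return "not-applicable"
    category = PAN_DB.get(session.dst_ip, "unknown")
    return "block" if category in blocked_categories else "allow"


def security_policy_verdict(session, nets):
    """Rule 1: deny destinations in the malware EDL (any App-ID).
    Rule 2: allow, with the URL Filtering profile attached."""
    if in_edl(session.dst_ip, nets):
        return "deny (EDL rule)"
    if url_filtering_verdict(session) == "block":
        return "block (URL Filtering)"
    return "allow"


def evaluate(sessions, edl_text=EDL_TEXT, use_edl=True):
    """Return the verdict for each constructed session, with or without the EDL rule."""
    nets = parse_edl(edl_text) if use_edl else []
    return {(s.app_id, s.dst_ip): security_policy_verdict(s, nets) for s in sessions}


if __name__ == "__main__":
    # Constructed sessions: the ping from the article, a DNS lookup, and a web request.
    sessions = [
        Session("ping", "203.0.113.45"),
        Session("dns", "203.0.113.45"),
        Session("web-browsing", "203.0.113.45"),
    ]
    print("URL Filtering only:", evaluate(sessions, use_edl=False))
    print("With EDL deny rule:", evaluate(sessions, use_edl=True))
```

Run without the EDL rule, the ping and dns sessions to the malware IP come back "allow" even though the web-browsing session is blocked, which is exactly the symptom in this article; with the EDL deny rule in front, all three are denied on the destination address alone.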



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLPFCA4&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail