Allowing access to web sites using Custom URLs with host and path

Created On 07/24/19 15:43 PM - Last Modified 10/11/21 22:50 PM


Symptom


Using custom URLs within a Custom URL Category or a URL Filtering Profile to allow access to web sites may not work for a URL that contains both a host and a path, such as:
www.example.com/path/


Environment


  • Palo Alto Firewall.
  • PAN-OS 8.1 and above.
  • Custom URL Category


Cause


  • This issue usually arises when decryption is not enabled on the firewall.
  • Without decryption, the firewall only has the host information, such as "www.example.com", taken from the "CN" field of the certificate or the "SNI" field in the "Client Hello" message sent by the client during the SSL/TLS handshake.
  • This host-only information does not match the configured custom URL when a client accesses a URL with a path, such as "www.example.com/path/".


Resolution


  1. Configure Decryption on the PAN Firewall for the corresponding traffic to obtain visibility into the entire URL, including the Host and the Path: "www.example.com/path/".
OR
  1. Set the Custom URL to match the Host only: "www.example.com".

Note: To configure SSL Decryption, please refer to the KB article "How to Implement and Test SSL Decryption".
 


Additional Information


Custom URL entries can be in the form "www.example.com".
They can also contain wildcards like "www.example.com/path/*".

Note: For the use of wildcards, refer to the KnowledgeBase article "Using Wildcards in URL Filtering Profiles".
 

