After upgrading to PAN-OS 9.0, traffic from overridden URLs is matching the wrong custom URL category
Created On 03/21/19 23:23 PM - Last Modified 03/27/19 23:17 PM
- Recently upgraded to PAN-OS 9.0
- Traffic from overridden URLs matches the wrong custom URL category, which can cause traffic to URLs on the allow list to be blocked
- Upgrade to PAN-OS 9.0
In PAN-OS 8.x, URLs can be configured in an allow list and a block list on the override tab of a URL Filtering profile.
Upon upgrading from PAN-OS 8.x to 9.x, the firewall automatically migrates the override allow list and block list to a set of Custom URL Categories, appending “allow” and “block” respectively.
GUI 8.x: Objects > Security Profiles > URL Filtering
GUI 9.x: Objects > Custom Objects > URL Category
In 9.x, the override tab has been removed.
After upgrading to PAN-OS 9.0, traffic from overridden URLs matches the wrong custom URL category, causing traffic to URLs on the allow list to be blocked.
This is a design change starting from PAN-OS 9.0.
In PAN-OS 9.0, the migration converts the allow list and block list to custom URL categories, and their priority is lost. The firewall then triggers the most severe action, which in some cases is block, so the traffic is blocked.
To achieve a result similar to 8.x, add an extra security policy that matches the new category, with the action set to allow. This security policy needs to be placed before the current policy that is blocking the traffic. If attaching a URL profile to this "new-policy", make sure to set the action on "blocked URLs" to none.
In 8.x, the override tab's allow list and block list take priority over ordinary custom URL categories.
For example, add "paloaltonetworks.com/security-for" to the allow list and add "paloaltonetworks.com" to a custom URL category that the profile blocks. Traffic will only be allowed to the URL paloaltonetworks.com/security-for.
To achieve similar results in 9.0, add an extra security policy (e.g. new-policy) with the category "allowed URLs" and the action set to allow, placed before the current active policy. When attaching a URL profile to this "new-policy", make sure to set the action of "blocked URLs" to none.
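
The following simplified model is an added example, not Palo Alto Networks code. It walks the article's example URL through the 8.x override behaviour, the migrated 9.0 profile, and the workaround with "new-policy" placed first. The prefix matching, the severity ordering and the rule name "current-policy" are assumptions made for illustration.

```python
# Added illustration: a simplified model, not PAN-OS code. Prefix matching,
# the severity order and the rule name "current-policy" are assumptions.
SEVERITY = {"none": 0, "allow": 1, "alert": 2, "continue": 3, "block": 4}

def matches(url, pattern):
    return url == pattern or url.startswith(pattern + "/")

def matched(url, categories):
    return [c for c, pats in categories.items() if any(matches(url, p) for p in pats)]

def profile_9x(url, categories, actions):
    """9.0: all matching categories count; the most severe action applies."""
    hits = [actions.get(c, "none") for c in matched(url, categories)]
    return max(hits, key=SEVERITY.get, default="none")

def profile_8x(url, allow_list, categories, actions):
    """8.x: the override allow list takes priority over custom categories."""
    if any(matches(url, p) for p in allow_list):
        return "allow"
    return profile_9x(url, categories, actions)

def evaluate(url, rules, categories):
    """First rule whose category criterion matches wins; its profile can still block."""
    for rule in rules:
        if rule["category"] and rule["category"] not in matched(url, categories):
            continue
        blocked = profile_9x(url, categories, rule["profile"]) == "block"
        return rule["name"], ("block" if blocked else rule["action"])
    return None, "deny"

# Constructed sample data based on the article's example URLs.
URL = "paloaltonetworks.com/security-for"
ALLOW_LIST_8X = [URL]
CATS_8X = {"blocked URLs": ["paloaltonetworks.com"]}
CATS_9X = {"allowed URLs": [URL], **CATS_8X}   # allow list migrated to a category
MIGRATED = {"allowed URLs": "allow", "blocked URLs": "block"}
CURRENT = {"name": "current-policy", "category": None, "action": "allow", "profile": MIGRATED}
NEW = {"name": "new-policy", "category": "allowed URLs", "action": "allow",
       "profile": {"allowed URLs": "allow", "blocked URLs": "none"}}

if __name__ == "__main__":
    print("8.x:", profile_8x(URL, ALLOW_LIST_8X, CATS_8X, MIGRATED))
    print("9.0 as migrated:", evaluate(URL, [CURRENT], CATS_9X))
    print("9.0 with new-policy first:", evaluate(URL, [NEW, CURRENT], CATS_9X))
```

In the model, the rest of paloaltonetworks.com still falls through to the existing blocking policy, because "new-policy" matches only the "allowed URLs" category.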