Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
After upgrading to PAN-OS 9.0, traffic from overridden URLs is ... - Knowledge Base - Palo Alto Networks

After upgrading to PAN-OS 9.0, traffic from overridden URLs is matching the wrong custom URL category

38354
Created On 03/21/19 23:23 PM - Last Modified 04/05/24 00:30 AM


Symptom


  • Recently upgraded to PAN-OS 9.0
  • Traffic from overridden URLs is matching the wrong custom URL category; can cause the URL traffic from allow list to get blocked


Environment


  • Upgrade to PAN-OS 9.0
  • Panorama
  • Firewall


Cause


This is a design change starting from PAN-OS 9.0. In PAN-OS 8.x, URLs can be configured in an allow and block list for the override tab of a URL Filtering profile.

Upon upgrading from PAN-OS 8.x to 9.x, the firewall automatically migrates the override Allow list and Block list to a set of Custom URL Categories, appending “allow” and “block” respectively and the priority is lost. This will cause the firewall to trigger the most severe action, which in some cases is block, causing the traffic to be blocked.

GUI 8.x: Objects > Security Profiles > URL Filtering 
User-added image

GUI 9.x: Objects > Custom Objects > URL Category
User-added image

In 9.x, the override tab has been removed
User-added image

After upgrading to PAN-OS 9.0, traffic from overridden URLs matches the wrong custom URL category causing the URL traffic from allow list to get blocked
 

Example

  • In PAN-OS 8.x, customer has *.google.com added in the Overrides section as a part of the Allow List of the URL Filtering Profile.
          URL Filtering Profile Overide
  • The same URL (*.google.com) is also part of a Custom URL Category "Custom-Block"
          Custom URL Category
  • The customer has linked the custom category "Custom-Block" to the same profile with the site access set to block
         URL Filtering Profile
Expected result with PANOS 8.x, 
This URL will be allowed. Even though the same URL is included to block the site access under the custom category but Override list has precedence over custom category so the action will be allowed.
 
Expected result with PANOS 9.x, 
This URL will be blocked. After the upgrade, the "Override List" will also become a "custom category" as you can see below. With that now the same URL (*.google.com) will be part of the two custom categories and since the both custom categories will be linked to the same profile, the one with severe action (block) will take precedence.
Override becomes a custom category


Resolution


Solution 1
Before upgrading to PAN-OS 9.x, please check the custom category under each URL Filtering Profile to make sure URL's are not conflicting with "Allow List" under Overrides tab.

Solution 2
To achieve a similar result as 8.x, an extra Security Policy with the new category must be added with the action as allow. This Security Policy needs to be before the current policy that is blocking the traffic. If attaching a URL profile to this "new policy", make sure to set the action on "blocked URLs" to none.



Refer to URL Filtering Custom Categories in the Upgrade Downgrade Considerations.
 


Additional Information


In 8.x, the override tab's allow-list/block-list takes priority over ordinary custom URL-category.

For example, add "paloaltonetworks.com/security-for" in allow-list and add "paloaltonetworks.com" in a profile blocked custom-url-category. The traffic will only be allowed to the URL paloaltonetworks.com/security-for

To achieve similar results in 9.0, an extra security policy (e.g. new-policy) with category "allowed URLs" and action as allow before the current active policy. When attaching a URL-profile to this "new-policy", make sure to set the action of "blocked URLs" to none.


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boO3CAI&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language