After upgrading to PAN-OS 9.0, traffic from overridden URLs is matching the wrong custom URL category
35087
Created On 03/21/19 23:23 PM - Last Modified 04/05/24 00:30 AM
Symptom
- Recently upgraded to PAN-OS 9.0
- Traffic from overridden URLs is matching the wrong custom URL category; can cause the URL traffic from allow list to get blocked
Environment
- Upgrade to PAN-OS 9.0
- Panorama
- Firewall
Cause
This is a design change starting from PAN-OS 9.0. In PAN-OS 8.x, URLs can be configured in an allow and block list for the override tab of a URL Filtering profile.
Upon upgrading from PAN-OS 8.x to 9.x, the firewall automatically migrates the override Allow list and Block list to a set of Custom URL Categories, appending “allow” and “block” respectively and the priority is lost. This will cause the firewall to trigger the most severe action, which in some cases is block, causing the traffic to be blocked.
GUI 8.x: Objects > Security Profiles > URL Filtering
GUI 9.x: Objects > Custom Objects > URL Category
In 9.x, the override tab has been removed
After upgrading to PAN-OS 9.0, traffic from overridden URLs matches the wrong custom URL category causing the URL traffic from allow list to get blocked
Example
- In PAN-OS 8.x, customer has *.google.com added in the Overrides section as a part of the Allow List of the URL Filtering Profile.
- The same URL (*.google.com) is also part of a Custom URL Category "Custom-Block"
- The customer has linked the custom category "Custom-Block" to the same profile with the site access set to block
Expected result with PANOS 8.x,
This URL will be allowed. Even though the same URL is included to block the site access under the custom category but Override list has precedence over custom category so the action will be allowed.
Expected result with PANOS 9.x,
This URL will be blocked. After the upgrade, the "Override List" will also become a "custom category" as you can see below. With that now the same URL (*.google.com) will be part of the two custom categories and since the both custom categories will be linked to the same profile, the one with severe action (block) will take precedence.
Resolution
Solution 1
Before upgrading to PAN-OS 9.x, please check the custom category under each URL Filtering Profile to make sure URL's are not conflicting with "Allow List" under Overrides tab.
Solution 2
To achieve a similar result as 8.x, an extra Security Policy with the new category must be added with the action as allow. This Security Policy needs to be before the current policy that is blocking the traffic. If attaching a URL profile to this "new policy", make sure to set the action on "blocked URLs" to none.
Refer to URL Filtering Custom Categories in the Upgrade Downgrade Considerations.
Additional Information
In 8.x, the override tab's allow-list/block-list takes priority over ordinary custom URL-category.
For example, add "paloaltonetworks.com/security-for" in allow-list and add "paloaltonetworks.com" in a profile blocked custom-url-category. The traffic will only be allowed to the URL paloaltonetworks.com/security-for
To achieve similar results in 9.0, an extra security policy (e.g. new-policy) with category "allowed URLs" and action as allow before the current active policy. When attaching a URL-profile to this "new-policy", make sure to set the action of "blocked URLs" to none.