After upgrading to PAN-OS 9.0, traffic from overridden URLs is matching the wrong custom URL category

Created On 03/21/19 23:23 PM - Last Modified 03/27/19 23:17 PM


Symptom
  • Recently upgraded to PAN-OS 9.0
  • Traffic from overridden URLs is matching the wrong custom URL category; this can cause URL traffic from the allow list to be blocked


Environment
  • Upgrade to PAN-OS 9.0
  • Panorama
  • Firewall


Cause
In PAN-OS 8.x, URLs can be configured in an allow list and a block list on the override tab of a URL Filtering profile.

Upon upgrading from PAN-OS 8.x to 9.x, the firewall automatically migrates the override Allow list and Block list to a set of Custom URL Categories, appending “allow” and “block” respectively.

GUI 8.x: Objects > Security Profiles > URL Filtering

GUI 9.x: Objects > Custom Objects > URL Category

In 9.x, the override tab has been removed.

After upgrading to PAN-OS 9.0, traffic from overridden URLs matches the wrong custom URL category, causing URL traffic from the allow list to be blocked.


Resolution
This is a design change starting from PAN-OS 9.0.

In PAN-OS 9.0, during the migration, the allow-list/block-list is changed to a custom URL category, and the priority is lost. This causes the firewall to trigger the most severe action, which in some cases is block, so the traffic is blocked.

To achieve a result similar to 8.x, add an extra security policy with the new category and the action set to allow. This security policy needs to be before the current policy that is blocking the traffic. If attaching a URL-profile to this "new-policy", make sure to set the action on "blocked URLs" to none.


Additional Information
In 8.x, the override tab's allow-list/block-list takes priority over an ordinary custom URL-category.

For example, add "paloaltonetworks.com/security-for" to the allow-list and add "paloaltonetworks.com" to a profile's blocked custom-url-category. The traffic will only be allowed to the URL paloaltonetworks.com/security-for.

To achieve similar results in 9.0, add an extra security policy (e.g. new-policy) with category "allowed URLs" and action as allow before the current active policy. When attaching a URL-profile to this "new-policy", make sure to set the action of "blocked URLs" to none.
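
The priority change described in this article, modeled in Python as an added example (not Palo Alto Networks code), so that migrated lists can be checked for URLs whose verdict flips after the upgrade. The matching rule is simplified to host plus path prefix; the 8.x block-before-allow order, the severity order, and the category names "profile-allow" and "profile-block" are assumptions of the model.

```python
# Added illustration: a simplified model of the behaviour described above,
# not PAN-OS code. Category names and the matching rule are assumptions.
SEVERITY = ["allow", "alert", "continue", "override", "block"]  # least -> most severe

def matches(entry, url):
    """Simplified match: same host and the URL path starts with the entry path.
    Real PAN-OS matching also handles wildcards and token separators."""
    e_host, _, e_path = entry.partition("/")
    u_host, _, u_path = url.partition("/")
    return e_host == u_host and u_path.startswith(e_path)

def verdict_9x(url, categories):
    """9.0 model: no list priority; the most severe action among all matching
    custom categories wins. Returns None if no custom category matches."""
    hits = [action for entries, action in categories.values()
            if any(matches(e, url) for e in entries)]
    return max(hits, key=SEVERITY.index, default=None)

def verdict_8x(url, allow_list, block_list, categories):
    """8.x model: the override lists are checked before any custom category
    (block list first, then allow list: an assumption of this model)."""
    if any(matches(e, url) for e in block_list):
        return "block"
    if any(matches(e, url) for e in allow_list):
        return "allow"
    return verdict_9x(url, categories)

def migrate(allow_list, block_list, categories):
    """Model of the upgrade: the lists become ordinary custom categories."""
    migrated = dict(categories)
    migrated["profile-allow"] = (allow_list, "allow")  # hypothetical name
    migrated["profile-block"] = (block_list, "block")  # hypothetical name
    return migrated

def regressions(urls, allow_list, block_list, categories):
    """Map each URL whose verdict changes to (verdict in 8.x, verdict in 9.0)."""
    after = migrate(allow_list, block_list, categories)
    pairs = {u: (verdict_8x(u, allow_list, block_list, categories),
                 verdict_9x(u, after)) for u in urls}
    return {u: p for u, p in pairs.items() if p[0] != p[1]}

# Constructed input based on the example in this article.
ALLOW = ["paloaltonetworks.com/security-for"]
BLOCK = []
CATS = {"blocked-custom": (["paloaltonetworks.com"], "block")}
URLS = ["paloaltonetworks.com/security-for", "paloaltonetworks.com/other"]

if __name__ == "__main__":
    print(regressions(URLS, ALLOW, BLOCK, CATS))
```

Any URL reported here was allowed by the 8.x override list and needs the extra allow policy described above to keep working in 9.0.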

