Allow Access To Certain URLs Matching A Blocked URL Category - Knowledge Base - Palo Alto Networks

Allow Access To Certain URLs Matching A Blocked URL Category

51217

Created On 02/13/21 02:15 AM - Last Modified 02/05/25 22:23 PM

Custom URL

Decryption Policy

Response Page

Security Policy

Decryption

Deployment

URL Filtering

Hardware

PAN-OS

VM-Series

Symptom

Assuming the URL category 'news' is being blocked by URL filtering. However, there is a business need to allow the URL reddit.com/r/paloaltonetworks but this is also being blocked.

Blocked page

Environment

All versions of PAN-OS
URL filtering profile in security policy
Decryption is enabled

Cause

There is currently no way of achieving this through URL filtering because filtering on predefined categories is all-or-nothing. The traffic matches a policy that has a filter for blocking 'news' sites:

Policies --> Security --> Name --> Actions:

Security policy

Resolution

Create a custom URL object.

Objects --> URL Category --> Add:

Custom URL objects

Create a new security policy and add this object to the Service/URL Category tab of the security policy. This security rule must be placed above the existing policy.

Policies --> Security --> Name --> Service/URL category:

Commit the change.

Users should now be able to access the allowed URL:

webpage

Additional Information

This article assumes that the reader is familiar with URL filtering and SSL decryption.

Other users also viewed:

How to download GlobalProtect from the Customer Support Portal

Download and Install the GlobalProtect App for Windows

Resource List: GlobalProtect Configuring and Troubleshooting

PAN-OS Software Updates

Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)