How to configure URL Filtering on a Palo Alto Networks Firewall | PAN-OS 9.1

Captions
Hey guys, welcome to MB Tech Talker. My name is Matt, so in this video I'm going to show you how I configure a basic URL filtering profile so that you can safely enable a web access policy and apply it to your security policy rules. I'm going to be doing all this using a VM-Series Palo Alto next-generation firewall inside of VMware Workstation.

Okay, so for those of you who don't know what URL filtering is, it's used to categorize websites by content type and malicious activity. When URL filtering is enabled, all web traffic is checked against Palo Alto Networks' URL filtering database, called PAN-DB. PAN-DB contains millions of websites that have been categorized. These URL categories can be used as match criteria in your security policies, but more importantly they prevent users from browsing malicious URLs, exploited web pages and watering holes, where legitimate sites become compromised. Using URL filtering and App-ID together is an invaluable tool for securing web traffic.

So now we know a little bit about URL filtering, how does it actually work on the firewall? Well, when a user accesses a URL that they've not visited before, the firewall checks PAN-DB for the site's category and saves it in the firewall's cache. As the file saves new entries, any old URLs that have not been accessed recently are then removed. This provides an accurate reflection of the traffic within the network. So when the firewall checks PAN-DB for a URL, it also looks for critical updates, such as URLs that have previously qualified as benign but are now malicious. Every 30 minutes the firewall checks PAN-DB for such updates.

Okay, so let me share some information about URL categories. At the time of recording there are 72 URL categories; that's just too many to discuss individually on the video. However, I recommend visiting this Palo Alto knowledge base article. On this page you'll find a list of URL categories with a detailed description and example websites for each of the categories. Another invaluable website is the Palo Alto tester site page, which you can find at the top of this knowledge base. So if you click on this link, this takes you to urlfiltering.paloaltonetworks.com, and from here you can test how PAN-DB categorizes a given URL. So let's check it out. Let's use Brian Krebs's website, so krebsonsecurity.com. So if we pop the URL in here and click "I'm not a robot" and then click search, as you can see the category is computer-and-internet-info, and it's also categorized as low risk. It also provides a description of the website and other example websites that are in the same category. I'll put both these Palo Alto website links in the description.

Okay, so just a quick reminder of the lab topology before we jump into this lab. This diagram is based on my Palo Alto firewall lab using VMware Workstation video. If you haven't watched it yet, I strongly suggest watching it ASAP so you can follow along in labs just like this one.

Okay, so to get you up to speed, you may have heard Iron Skillet being mentioned in my signature-based security profiles video. So in summary, Iron Skillet templates are used to configure next-generation firewalls based on existing best practice recommendations from Palo Alto Networks. With regards to URL filtering, Iron Skillet only blocks known malicious categories and not high-risk categories such as copyright infringement. So in this lab I'm going to use the best practice recommendation from Palo Alto Networks and block the following categories: malware, command-and-control, phishing and grayware. However, this being said, you can change which categories you want to block to align with your web browsing policy.

Okay, so I've logged into the firewall, so let's get started by going to the Objects tab and then down to Security Profiles and then URL Filtering. What we're going to do is clone this predefined default URL filtering profile by highlighting it and then clicking Clone, and then click OK. Then we're going to rename this to outbound url, because this is going to be for outbound web browsing. The next thing we're going to do is go over to the Site Access column and click the down arrow, and then we're going to do Set All Actions to alert, and we're going to do the same for User Credential Submissions by going to Set All Credential Submission Actions to alert. Then we're going to search for malware and we're going to change that to block, and the same for the user credential submission, and then we're going to do the same for command-and-control, so block, block; phishing, block and block; and then finally grayware, block and block. Now we can click OK. So you can see that there are now 68 alert categories, so any traffic that matches any of these alert categories will be logged in the URL filtering logs, and then we've got the four block categories: malware, command-and-control, phishing and grayware.

Okay, so at this point we've configured the Iron Skillet best practice block categories, but to take this a little bit further I would like to demonstrate blocking two additional categories, and this way it's easier to show you how effective this is when browsing to particular sites. So if we go back into outbound url, what we're going to do is look for hacking and we're going to block on that category in both columns, and also we're going to block gambling. As I said, it's easier to demonstrate: instead of trying to go to a malicious site or gray website, we can just block on these categories, test on the Windows 10 client and then we can verify it. So let's just click OK on that and we can do some testing.

Additionally, I'm going to create three custom URL categories, which can be used in security rules and URL profiles. So this time we're going to go to Custom Objects and we're going to choose URL Category, and we're going to create three new placeholders. So this is going to be blacklist, and that's a URL list, and click OK. Then we're going to add whitelist and click OK, and then for future use we're going to use custom no decrypt and then click OK.

Okay, before we add the URL filtering profile to the security profile group and to the security policy, let's just check web access from the Windows 10 lab client. So let's go to, I know, let's try bbc.co.uk to start with. BBC, and then just click on, yep, so we know that we can get to the BBC website. Let's try the Kali Linux website, which is kali.org. So, Kali Linux, let's put that one in. Can we get to that? Yes we can, no problem. And then finally let's try a gambling website as well; let's try Sky Bet. So let's see, so this is an online betting website and we can access that as well. So this is expected: we can browse the sites, and now we can go back to the firewall and check the logs.

Before we look at the logs, let's just quickly review the policy. So we've got a general internet access policy allowing dns, google-base, ssl and web-browsing. So if we click the drop-down and go to Log Viewer, it will filter on just this rule, and as you can see we've got general internet access traffic, and that's the traffic that we tested the sites on. If we go to the URL filtering log, you can see that we've got no logs, because we've got no URL filtering profile attached to the policy. So if we take a look at this, this profile here is called outbound; so this is the outbound security profile group, and if we go to the object, which is the security profile group here, and we go to outbound, you can see that we've got no URL filtering profile currently attached to this profile.

Okay, so let's move on to the next step. We're going to add the URL filtering profile to the security profile group called outbound. So we're already in Objects and we're going to click on outbound, and we're going to simply click the arrow for the drop-down and select the outbound url, and then click OK. So we already know that the outbound security profile group is attached to the security policy rule, so we're just going to commit the change, and then we're going to test again from the Windows 10 client and see what the outcome is and take a look at the logs.

Okay, so now we're ready to do some testing. I'm over at the Windows 10 lab client. Let's open up a browser and let's go to bbc.co.uk, so we can access that fine. What about kali.org? So www.kali.org: unable to access that site. And what about Sky Bet? So if I click on that original link, I can't get to Sky Bet either. So let's go and take a look at the logs on the firewall. So let's go to the Monitor tab, and we're going to go straight into the URL filtering logs here, and as you can see the logs are now starting to come through, because we've added that security profile to that security profile group, which is attached to that general internet browsing policy. So the first site we went to was BBC; we saw that web page, so we don't need to worry about that, we know that's working, it wasn't blocked. But let's take a look for the kali.org website, which is down here, and as you can see the category is hacking and the action was block-url. So we can go in there by clicking on the magnifying glass, and we can expand that window, and all the general information is here: so action block-url, the application was ssl, the rule was general internet access and the category was hacking. Down here are our two logs, so we've got our traffic log, which is the ssl allowed traffic, and then also the URL log, which is the block-url. So we can close that, and if we take a look at Sky Bet, which was this one here, this was category gambling; again we blocked that, you can see it's block-url, and again if we open it up by clicking on the magnifying glass and expanding the window we've got the information again: so the action was block-url, it was the general internet access rule again, but this time the category was gambling, and then the two logs. So that's worked, so we blocked those two additional categories. We can do some further testing, so let's go and take a look at that now.

So just to summarize, we are currently blocking the four Iron Skillet URL categories, malware, command-and-control, phishing and grayware, and then we have two additional categories, gambling and hacking, that I've added for testing purposes. So using the custom categories that I created earlier, the blacklist and whitelist, I'm going to add bbc.co.uk to the blacklist and block access, even though it's categorized as news, which is normally allowed, and then I'm going to add both kali.org and Sky Bet to the whitelist, which will be configured to allow. Essentially I'm creating URL filters and exceptions. So let's do that now.

Okay, so first of all let's open up blacklist and we're going to add *.bbc.co.uk. The star is a wildcard; it will match anything before the bbc.co.uk, so it could be http or https, for instance. So let's click OK on that, and then let's open up the whitelist and we're going to add *.kali.org and also the Sky Bet site, which is *.m.skybet.com, and then click OK. So now we go to our URL filtering profile and we open up outbound url, and you can see we've got these two custom URL categories listed here, so ignoring the custom no decrypt, that's for a future video. But the blacklist, what we're going to do on here is change that to block, and then the whitelist we're going to set to alert, to make sure it's allowed and also to generate a log for the allowed traffic, and then click OK and then commit. So once that's committed we can go back to the Windows 10 client and retest the access to those websites and take a look at the outcome.

Okay, so we're now over at the Windows 10 lab client, so let's just test access to those three websites that we previously tested. So let's go to BBC. Originally this was accessible; now we can't get to bbc.co.uk, because that's been added to the blacklist. Let's try kali.org: now we can get to kali.org, but originally that was categorized as hacking; we've added this to the whitelist, so this is now allowed. And then finally let's go to Sky Bet, so the gambling site. So Sky Bet, and we're going to click on this, and this isn't working, which is strange. So what we need to do is just troubleshoot that, maybe a little bit more behind how this website works. So let's go back to the firewall and take a look at the logs and see if we can work out why we still can't get to this site.

Okay, so we're back on the firewall. Let's go to the Monitor tab and take a look at the URL filtering logs. So okay, we can still see some blocked URLs, so what is actually causing this? So it looks like there are multiple URLs being used to serve that web page, so you can see the m.skybet.com, but you can also see bet.sbgcdn.com. So what we're going to need to do is adjust the whitelist for these URLs and add this other additional one to it. So let me just open up the magnifying glass and let's have a look at the information. So there's the URL there; if I click those little three dots I should be able to copy and paste those. So I'm going to go back to Objects and I'm going to go into our whitelist. I'm just going to adjust this one, I'm just going to have it so it's *.skybet.com, and then I'm going to just add *.sbgcdn.com without the slash on the end, so I'm allowing anything before those domains, those URLs. So I'm going to click OK and then I'm going to commit that change, and then we can go back to the Windows 10 lab client and retest to see if that's resolved the issue.

Okay, so we're back on the Windows 10 lab client. Let's open up a browser and let's go to bbc.co.uk. Okay, so we know that site was blocked because it was added to the blacklist. Let's go to kali.org, so this is now allowed even though this was categorized as hacking and it was blocked originally; we've added this to the whitelist, so that's working. So finally we go to Sky Bet; this one was being a bit problematic. Let's click on that. Okay, so this is now working. So this one was a bit tricky to get working, so there were actually two URLs that we needed to add to the whitelist to get the full functionality of the site. So that's good, so that is the right outcome; that's been a successful lab. Let's go back to the firewall once more, review the logs and wrap this up.

Okay, so we're back over at the firewall. Before we review the logs again, let's go into Objects and let's go into the URL filtering profile, and let's go to the outbound url profile that we created. So we added the blacklist and we've added the whitelist. So just to make it clear, these sit above the normal predefined categories, and these are processed first. That's why, when you add a URL that is in the allow categories and you block it, it's going to be processed top down, and it's the same for the whitelist. So this is how the firewall processes these: custom URL categories come before the predefined categories. So we go back to the Monitor tab and look at the URL filtering. If we look for the whitelist category and we filter logs on that, you can see that skybet and kali.org have been added to the whitelist category. Normally both of these would be blocked, so skybet would be categorized as betting and kali.org would be categorized as hacking, but we had a requirement to make an exception, so we added them to the whitelist, which allowed us to browse them. And then in reverse we created a blacklist, so if we search for blacklist and then we filter logs on that, you can see we added bbc.co.uk to the blacklist, and blacklist is blocked, even though bbc.co.uk would be categorized as news and the predefined categories would allow that. Again we've made an exception and we put this in the blacklist, which is blocked. So this has been an interesting lab; I hope you found it interesting and useful, but that's the end of it and I will see you on the next one.

Okay guys, that's it for today's video. Thanks for watching. Over the coming weeks I will be uploading more videos where I will be sharing more content about Palo Alto firewall features and technologies and how to configure them. If you like this video, I'm sure you know what to do by now, but just in case you don't, please hit that like button below and share with your friends, and be sure to hit that subscribe button and the bell to get notified every single time I post a new video. If you have any ideas of video content you want me to create, please put them in the comments below, as I would love to hear your feedback on any aspect of my channel. Please keep watching and I will see you in the next video. Thanks.
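The evaluation order the video walks through (custom blacklist/whitelist categories checked before the PAN-DB category, and the Sky Bet page only rendering once both m.skybet.com and bet.sbgcdn.com are allowed) as a small Python model. This is an added example, not code from the video or from Palo Alto Networks: the PAN-DB lookups are constructed stand-ins, and the `*.` wildcard is read in a simplified way (bare domain plus any subdomain) rather than reproducing PAN-OS's exact matching rules.

```python
from urllib.parse import urlparse

# Constructed stand-in for PAN-DB lookups (not an export); bet.sbgcdn.com is
# assumed to sit in a blocked category, as the blocked entries in the video's
# URL filtering log suggest.
PANDB = {
    "www.bbc.co.uk": "news",
    "www.kali.org": "hacking",
    "m.skybet.com": "gambling",
    "bet.sbgcdn.com": "gambling",
}
# Iron Skillet's four block categories plus the two added for the demo;
# every other predefined category stays at alert.
BLOCKED = {"malware", "command-and-control", "phishing", "grayware",
           "hacking", "gambling"}
CUSTOM_ACTIONS = {"blacklist": "block-url", "whitelist": "alert"}
# Custom lists as first configured, then after adding the CDN host.
LISTS_V1 = {"blacklist": ["*.bbc.co.uk"],
            "whitelist": ["*.kali.org", "*.m.skybet.com"]}
LISTS_V2 = {"blacklist": ["*.bbc.co.uk"],
            "whitelist": ["*.kali.org", "*.skybet.com", "*.sbgcdn.com"]}
# Constructed: the two hosts the Sky Bet page was seen fetching from.
SKYBET_PAGE = ["https://m.skybet.com/", "https://bet.sbgcdn.com/app.js"]


def host_matches(pattern, host):
    """Simplified wildcard: '*.x' matches x itself and any subdomain of x."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def lookup(url, custom_lists):
    """Return (category, action) for a URL under the outbound profile."""
    host = urlparse(url).hostname or ""
    # Custom categories sit above the predefined ones and are checked first,
    # top down, so a whitelisted 'hacking' site or a blacklisted 'news' site
    # never reaches the PAN-DB step.
    for name, patterns in custom_lists.items():
        if any(host_matches(p, host) for p in patterns):
            return name, CUSTOM_ACTIONS[name]
    category = PANDB.get(host, "unknown")
    return category, ("block-url" if category in BLOCKED else "alert")


def page_loads(urls, custom_lists):
    """A page only renders if every host it pulls content from is allowed."""
    return all(lookup(u, custom_lists)[1] != "block-url" for u in urls)


if __name__ == "__main__":
    for url in ["https://www.bbc.co.uk/news", "https://www.kali.org/"] + SKYBET_PAGE:
        print(url, *lookup(url, LISTS_V2))
    print("skybet loads with first whitelist:", page_loads(SKYBET_PAGE, LISTS_V1))
    print("skybet loads with CDN host added:", page_loads(SKYBET_PAGE, LISTS_V2))
```

Filtering the URL log on the block-url action, as the video does, is the quickest way to spot the extra hosts a page depends on before widening an exception.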
Info
Channel: MB Tech Talker
Views: 1,452
Keywords: palo alto networks, pan firewall, url filtering palo alto, pan-os, pan-os palo alto, palo alto firewall url filtering
Id: 6NsiCcSMCoI
Length: 22min 24sec (1344 seconds)
Published: Thu Apr 22 2021