Setting up rules on a Palo Alto firewall requires a clear understanding of URL Filtering, especially when comparing the Service/URL Tab and the URL Filtering Profile within the Security Profile. The two serve different purposes, and their application hinges on the nature of your network traffic and organizational needs.
Before we delve into the differences, it’s crucial to understand that security policy evaluation on a Palo Alto firewall occurs sequentially, from top to bottom. The first rule that traffic matches will be applied to the session.
Service/URL Tab Option
When you set the URL Category in the Service/URL tab, the URL domains become part of the rule match criteria. The firewall will scan through the rules, and if a session starts, but the traffic isn’t from one of those domains, the firewall will continue with the rules until it finds a match or reaches a drop at the end.
This approach is ideal for setting up specific categories for specific Active Directory (AD) Groups. A typical workflow involves creating a base URL Filter Profile with predefined categories to allow. You’d create specific AD Groups for categories like Online Storage and Backup, Social Networking, and Streaming Media, which are typically disallowed.
For instance:
SEC_FW_Online-Storage-and-Backup SEC_FW_Social_Networking SEC_FW_Streaming_Media
Once the AD Groups are set, you can establish a rule using the Service/URL tab category, placing it above the base URL Filter Profile rule. This grants you control over access to the category based on AD Groups.
Lastly, I recommend using an “alert all” URL Filtering Profile and applying it to these rules. This allows you to generate URL logs, even though the security rules don’t inherently do this. However, remember to set the action to “Alert” for your category under your URL Filter Profile; otherwise, the traffic will be blocked.
URL Filtering Profile
In contrast, the URL Filtering Profile is part of the Security Profile and doesn’t form part of the rule match criteria. Even if traffic doesn’t match the domains you’ve set, the firewall will still match it based on the allow, alert, continue, or block actions set in your URL Filtering Profile.
Summary
In summary, the Service/URL Tab option and the URL Filtering Profile serve different purposes. The former operates on a match or no-match basis—if it matches, the rule is applied, and if it doesn’t, the firewall moves on to the next rule. On the other hand, the URL Filtering Profile doesn’t operate on a match or no match basis; regardless, it will assign an action (allow, alert, continue, or block) to the traffic, and it won’t get past this rule.
Understanding these nuances can help you configure your Palo Alto firewall in a way that best serves your network security needs.