Palo Alto URL Filtering with Wildcards

Palo Alto Networks firewalls provide URL filtering capabilities, which you can use to control access to websites by blocking or allowing certain URLs. To specify multiple URLs or URL patterns, you can use wildcards in your URL filtering policies.

Here are some examples of how to use wildcards in URL filtering:

  • To block or allow all subdomains on a specific domain, you can use an asterisk (*) as a wildcard. For example, `*.cordero.me` would match `www.cordero.me`, `mail.cordero.me`, `blog.cordero.me`, and so on.
  • To block or allow all URLs on a specific domain, you can use `*.cordero.me/*`. This would match any URL that starts with any subdomain of `cordero.me`, including `cordero.me` itself.
  • To block or allow specific paths across all subdomains, you could use something like `*.cordero.me/path/*`.
  • Block specific file types across all websites: If you wanted to block downloads of a specific file type across all websites, you might create a rule with a pattern like `*/*.exe`. This would block any URL ending in `.exe`, the extension used for Windows executables.
  • Allow a specific path on all subdomains of a website: If you wanted to allow access to a specific path on all subdomains of a website, you might use a pattern like `*.cordero.me/specificpath/*`. This would allow URLs like `www.cordero.me/specificpath/anything` and `sub.cordero.me/specificpath/anything`, but not `www.cordero.me/anotherpath/`.
  • Block a specific path on a specific subdomain of a website: If you wanted to block a specific path on a specific subdomain of a website, you might use a pattern like `sub.cordero.me/blockedpath/*`. This would block URLs like `sub.cordero.me/blockedpath/anything`, but not `www.cordero.me/blockedpath/anything`.
  • Allow access to a specific subdomain only, and block all other subdomains: You could do this by first setting a blocking rule for `*.cordero.me/*`, and then setting an allowing rule for `allowedsub.cordero.me/*`. Because Palo Alto Networks firewalls use the most specific match, this would allow access to `allowedsub.cordero.me` and block access to all other subdomains of `cordero.me`.
  • Block all websites except for specific ones: You can create a rule to block all websites by using `*` and then set up specific rules to allow the websites you want. For example, if you only wanted to allow `www.cordero.me`, you would set up an allow rule for `www.cordero.me/*` after the block all rule. This would block all websites except for `www.cordero.me`.
  • Allow specific file types on a specific domain: If you want to allow only PDF downloads from a specific domain, you might create a rule with a pattern like `www.cordero.me/*.pdf`. This would allow any URL from `www.cordero.me` ending in `.pdf`.
  • Block a specific subdomain on all domains: If you want to block a specific subdomain on all domains, you can use a pattern like `ads.*.com/*`. This would block `ads.cordero.me`, `ads.anotherexample.com`, and so on.
  • Block URLs that contain a specific word: If you want to block all URLs that contain a specific word, you can use a pattern like `*word*`. This would block any URL containing the word “word”.

Please note that the Palo Alto Networks firewall doesn’t support all types of wildcard patterns. For instance, you can’t use a wildcard to match multiple domain levels (like `*.*.cordero.me`) or to match arbitrary substrings in a URL (like `*cordero*`).

These examples should give you a good idea of the flexibility wildcards can provide in URL filtering rules. However, remember to use them judiciously and to always test your rules to ensure they’re working as expected.

Also, remember that the firewall uses the best match when applying URL filtering policies. If a URL matches multiple policies, the firewall will apply the policy that has the most specific match.
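Before committing a rule set, it helps to run the patterns through a small offline matcher and see which entries actually cover which URLs. The following Python simulator is an added example, not Palo Alto Networks code and not a PAN-OS API. It models the token-based behaviour described above in simplified form: the host is split on `.`, the path on `/` and the other separators in `PATH_SEPARATORS`, `*` stands for one or more whole tokens and `^` for exactly one, a wildcard embedded inside a token is rejected (the substring limitation noted above), a domain-only entry covers every subpage (note A below), and when several rules match, the one with the most literal tokens decides, as this page describes. The separator set, the `Rule` type and the `specificity` scoring are assumptions of this model; confirm the outcome on the firewall itself.

```python
"""Offline simulator for token-based URL wildcard rules.

Added example, not Palo Alto Networks code. Simplified model of the
behaviour described on this page, for sanity-checking a rule set
before it is committed. Assumptions of the model:
  * host tokens are separated by '.', path tokens by the separators
    in PATH_SEPARATORS;
  * '*' stands for one or more whole tokens, '^' for exactly one;
  * a wildcard may not sit inside a token and two '*' may not be adjacent;
  * when several rules match, the one with the most literal tokens wins.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed path/query separator set for this model; check your PAN-OS release.
PATH_SEPARATORS = re.compile(r"[./?&=;+]")
WILDCARDS = {"*", "^"}


def _split(entry: str) -> tuple[list[str], Optional[list[str]]]:
    """Return (host_tokens, path_tokens); path_tokens is None when no '/' is present."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry.strip(), flags=re.IGNORECASE)
    host, slash, path = s.partition("/")
    host = host.split(":", 1)[0].lower()            # drop any port
    host_tokens = [t for t in host.split(".") if t]
    if not slash:
        return host_tokens, None
    return host_tokens, [t for t in PATH_SEPARATORS.split(path.lower()) if t]


def validate_pattern(pattern: str) -> None:
    """Reject patterns the model (and, per the text above, PAN-OS) does not support."""
    host, path = _split(pattern)
    for group in (host, path or []):
        for tok in group:
            if tok not in WILDCARDS and any(w in tok for w in WILDCARDS):
                raise ValueError(f"wildcard must replace a whole token: {tok!r} in {pattern!r}")
        if any(a == b == "*" for a, b in zip(group, group[1:])):
            raise ValueError(f"adjacent '*' tokens are not supported: {pattern!r}")


def is_valid_pattern(pattern: str) -> bool:
    """Convenience wrapper around validate_pattern for rule-set linting."""
    try:
        validate_pattern(pattern)
    except ValueError:
        return False
    return True


def _match_tokens(pat: list[str], toks: list[str]) -> bool:
    """Full match of a token pattern against URL tokens ('*' >= 1 token, '^' == 1)."""
    if not pat:
        return not toks
    head, rest = pat[0], pat[1:]
    if head == "^":
        return bool(toks) and _match_tokens(rest, toks[1:])
    if head == "*":
        return any(_match_tokens(rest, toks[i:]) for i in range(1, len(toks) + 1))
    return bool(toks) and toks[0] == head and _match_tokens(rest, toks[1:])


def matches(pattern: str, url: str) -> bool:
    """True if the URL falls under the pattern according to this model."""
    validate_pattern(pattern)
    p_host, p_path = _split(pattern)
    u_host, u_path = _split(url)
    if not _match_tokens(p_host, u_host):
        return False
    if p_path is None:                 # domain-only entry covers every subpage
        return True
    return _match_tokens(p_path, u_path or [])


@dataclass(frozen=True)
class Rule:
    pattern: str
    action: str                        # "allow" or "block"


def specificity(pattern: str) -> tuple[int, int]:
    """Sort key: more literal tokens first, then more tokens overall."""
    host, path = _split(pattern)
    tokens = host + (path or [])
    return (sum(t not in WILDCARDS for t in tokens), len(tokens))


def evaluate(rules: list[Rule], url: str) -> Optional[str]:
    """Action of the most specific matching rule, or None when nothing matches."""
    hits = [r for r in rules if matches(r.pattern, url)]
    if not hits:
        return None
    return max(hits, key=lambda r: specificity(r.pattern)).action


if __name__ == "__main__":
    # Constructed rule set and URLs mirroring the examples on this page.
    policy = [Rule("*", "block"), Rule("*.cordero.me/*", "block"),
              Rule("allowedsub.cordero.me/*", "allow"), Rule("*/*.exe", "block")]
    for u in ("allowedsub.cordero.me/docs", "www.cordero.me/docs", "www.example.org/x"):
        print(f"{u:32} -> {evaluate(policy, u)}")
```

Two checks this model makes visible: a token pattern such as `*/*.exe` does not match `cordero.me/setup.exe.txt`, because the wildcard works on whole tokens rather than substrings, and an entry ending in `/*` needs at least one path token, so in this model a request for the bare site root is covered only by a domain-only entry. Run the same URLs through the firewall's URL category test after committing to confirm your release behaves the same way.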

Finally, be aware that URL filtering is just one part of a comprehensive web security strategy. It should be used in combination with other security measures, like threat prevention, SSL decryption, and user-based policies.

NOTES:
A. Every domain/subdomain pattern would also match every subpage connected to these domains.
B. In PAN-OS 9.1 and 10.0, `*` and `^` can be used in the same configuration on the same firewall, but not in 9.0 and 8.1.
C. A filter can only match subpages (URL paths) of HTTPS sites when decryption is enabled for those URLs; without decryption the firewall sees only the hostname.
`cordero.me/*` – matches `cordero.me/word1` and `cordero.me/word2`
`cordero.me/word.` – only matches `cordero.me/word`