Palo Alto – URL Filtering with Service/URL Tab vs URL Filtering Profile in Security Profile

This is something that’s important when you are looking to setup your rules on a Palo Alto firewall. You need to know the difference between setting up URL Filtering on the Service/URL Tab vs setting up URL Filtering using the URL Filtering Profile within the Security Profile.

First another important thing to know is the security policy evaluation on the Palo occurs sequentially from top to bottom in the list, so traffic matching the first closest rule in the list applies to the session.

Service/URL Tab Option:
Setting the URL Category heringe makes the URL domains part of the rule match criteria. When the Palo is going through the rules looking for a match, if the session starts but the traffic is not one of those domains, this would mean the traffic is NOT a match so the firewall will continue with the rules until there’s a match or a drop at the end.

This is the type of rule you want to setup when you want specific categories for specific AD Groups. Usually what you want to do is have a base URL Filter Profile with pre-defined categories you want to allow. For ones you don’t want to allow like Online Storage and Backup, Social Networking, and Streaming Media, those are typically not allowed by default, you want to create AD Groups for those. So something like this in AD:

SEC_FW_Online-Storage-and-Backup
SEC_FW_Social_Networking
SEC_FW_Streaming_Media

After you have the AD Groups, you can now setup a rule using that category in the Service/URL tab. Place this rule above the base URL Filter Profile rule. This allows you to control who has access to that category based on AD Groups. This also works for services like Microsoft Updates, Antivirus Updates, Etc… using custom URL categories under “Custom Objects”>”URL Category”. Instead of using the category like “Social Networking”, you’ll use your custom URL Category.

One last thing, I use an “alert all” URL Filtering Profile and apply it to these rules. The URL Category in this rule will supersede the URL Filtering Profile so I’m not allowing all sites, just the ones I have listed under the “Service/URL Category” tab.

The key here is that the security rules you create allows traffic to your specific URL’s and applications but these rules by themselves do not generate URL logs. You have to have a URL Profile attached to the rule to get this. Since we know the rule will only match the categories I set under the “Service/URL Category” tab, it’s safe to have all categories set to alert. I’d rather have a URL Filtering Profile with all categories set to alert than to create one for each category. I can keep using this “alert all” URL Filtering Profile.

One last important point about the “alert all”. If you don’t use that, you need to make sure you set the action to “Alert” for the category you want to use under your URL Filter Profile. If this is “block”, it will block the traffic.

URL Filtering Profile
With this option, you are setting the URL category in the URL Filtering Profile as part of the Security Profile. This one is not part of the rule match criteria. What happens is that traffic not matching the domains you set will still be matched by either allow, alert, continue, or block which is set in your URL Filtering Profile. The firewall stops here.

Summary:
Service/URL Tab Option is match or no match. If it matches, the rules is used. If it doesn’t match, the Palo move onto the next rule.

URL Filtering Profile is not a match or not match. It will not get past this rule because it’s going to have an action tied to it for the Palo to either allow, alert, continue, or block.