Palo Alto: Making URL Exceptions To Your URL-Filtering Security Profiles
- Determine the status and category of the blocked page
- Add the blocked web page to a custom URL Category (exception list)
- Set the URL Category to a custom URL-Filtering security profile
- Apply the custom URL Security profile to a firewall rule
- Set a date to check on the URL category and revert exceptions if status has changed
When an end-user reports that a webpage they are attempting to access is being blocked, the first step is to check the current category of the webpage. To do so, use the following resources: Virus Total and Palo Alto URL Test Page. If the webpage is listed by Palo Alto as one of the categories blocked by the UW-Madison profile in use: malware, phishing or command and control, but the webpage is known, trusted to be legitimate and comes back with a low score on VirusTotal, the Palo Alto test page has the option to request a re-categorization.
The exception URL will be added as a site in the new custom category by clicking "Add" as displayed here:
If the Security rule blocking the end-user is using a globally assigned URL-Filtering security profile, i.e. UW-Default or Security-Baseline-URL. The specific URL-Filtering profile will need to be "cloned" as the global profiles are not editable. (See clone button in image below)
Once the profile has been cloned set the new URL Category to allow.
Now that the Security Profile is available with the URL Exception it needs to be applied to a rule that matches the end-user traffic in order to be active.
Create a new rule, above the rule blocking the original attempt, with the new security profile. An example rule can be found below.
Once the new security profile has been applied to the new rule, click commit at the upper right and commit the changes made by you.
