topic Re: Custom URL category issue in General Topics

Custom URL category issue

BruceBennett — Wed, 31 Aug 2022 22:34:06 GMT

I have read through a number of URL category issues, but I just cannot find something like this and I am baffled so far. I have two users, inside and outside, that access a certain internal webserver. What I am trying to do is the following.

outside:

allow: a.b.com/sites/outside and a.b.com/sites/common

block: a.b.com (the rest of the site)

inside:

allow: a.b.com (the rest of the site), including a.b.com/sites/inside and a.b.com/sites/common (I know they are part of the shorter domain entry)

block: a.b.com/sites/outside

Every time I add the root of the site to the custom categories it messes everything else up that is in place and outside is blocked to everything and inside is allowed access to a.b.com/sites/outside. It is like adding in the root overrides everything and the more detailed entries are ignored.

Where I am right now: I am blocking all other categories as they are not necessary as this is pointing to an inside server. I have four custom categories that I am trying in various combinations to resolve this.

cat-outside (a.b.com/sites/outside)

cat-inside (a.b.com/sites/inside)

cat-common (a.b.com/sites/common)

cat-site (a.b.com)

When I delete cat-site, I am getting a good block and allow for the extended URI entries and both users can also access the root, a.b.com/. When I add in a block for outside for the cat-site, outside loses access to common and outside. It appears that cat-site is overriding the other custom categories. Same experience for inside, I add cat-site allow, and it now has access to outside.

Is there anyway to prioritize the category with more descriptive entries over the more generic?

Re: Custom URL category issue

OtakarKlier — Thu, 01 Sep 2022 15:39:33 GMT

Hello,

I know this is probably not what you want to hear, but URL filtering inbound is not a great solution. Any chance they can VPN in? Also verify that the different categories are not in the same Policy and the policies are configured correctly.

Good luck.

Re: Custom URL category issue

BPry — Thu, 01 Sep 2022 18:46:34 GMT

@BruceBennett,

Seconding @OtakarKlier, but I'll also offer the option of creating a custom threat signature that you could use and apply to each subset. I'm actually not a fan of using the firewall for stuff like this. A load balancer like NGINX can do stuff like this easily and would be a more appropriate solution.

Re: Custom URL category issue

BruceBennett — Thu, 08 Sep 2022 03:00:55 GMT

@BPry & @OtakarKlier I agree completely, thank you for the replies.

All of the users are internal to the company, we are just trying to restrict the access based on the different locations they are in on the network. The inside and outside references are to a secure vlan (inside) and normal user (outside). The different URI locations are for transferring files in and out of the secure environment.

I think I would have ended up with a novel trying to explain that without your statement referring to the inbound URL filtering. I had not even thought of it as inbound filtering, I was looking at it all from the users side. The only thing that is causing me issues, right now, is trying to block access to the rest of the site and only allowing access to the specific URIs.