topic Re: Allowing a subnet complete internet access but logging their traffic in General Topics

Allowing a subnet complete internet access but logging their traffic

casdc1pa — Tue, 15 Jun 2010 18:49:40 GMT

Hi ya'll,

Background: We have a seperate Vlan that we call "Raw Internet" with no filtering. This is used by our helpdesk staff. Which means they have open access to Internet and nothing is being blocked.

Currently we purchased Palo Alto and I was wondering what would be the best way to do this. Meaning, giving them full access to internet yet log their traffic on Palo Alto.

Furthermore, any configuration examples would be helpful

Thank you.

Re: Allowing a subnet complete internet access but logging their traffic

swhyte — Wed, 16 Jun 2010 22:43:42 GMT

This can easily be done be doing one or both of the following:

1. create a policy that allows all applications and services specifically for those users (make sure and I identify either their names if you are using user identification or list their ips)

...you want to do this so that this allow all rule that you create does not apply to all of the other users..

On this allow all rule, make sure that you select log at session end or both log at session end and session start under the "options" section of the policy.

2. Create a url filtering profile (I suggest this because I assume you want to track/log the categorgization of the sites that they are browsing to). In that url filtering profile select ALL category actions as "alert". When you do this you are telling the paloalto device to log all of the user browsing and the site categorizations and allow them..........If you select "allow" you will only allow the sessions and not log them.

thank you,

Stephen

Re: Allowing a subnet complete internet access but logging their traffic

casdc1pa — Fri, 18 Jun 2010 21:12:26 GMT

Thank you so much. i kinda had the same idea but was'nt sure. I will get to test this config tomorrow so hopefully it goes well.