https://live.paloaltonetworks.com/t5/general-topics/url-filtering-process-order/m-p/25935#M18913 <HTML><HEAD></HEAD><BODY><P>This is another example of why DNS names should be allowed directly in security policy <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>Very simplified/compact example:</P><P></P><P>1) outbound 10.0.0.0 web-browsing update.microsoft.com allow</P><P>2) outbound 10.0.0.0 web-browsing deny logforwardprofile email alert (IPS)</P><P>3) inbound vendor.com(dynamic IP) ssh 10.0.0.0 allow</P><P></P><P>URL Filter = Rule 1 and 2 would be combined allow/deny and logforward is all traffic, not just 'monitored'. Rule 3 is not possible.</P></BODY></HTML> Wed, 26 May 2010 15:50:22 GMT nrouten 2010-05-26T15:50:22Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering-process-order/m-p/25931#M18909 <HTML><HEAD></HEAD><BODY><P>we've run some tests on both at client side and in our office lab.</P><P>the process for handling url fitlering will start with BLOCK list --&gt; ALLOW list --&gt; URL Category</P><P>the logic of it is quite understandable, however, the problem lies with BrightCloud DB. Is it good enough to filter out all the web sites if we were going to "block" all web surfings. If not, using wildcard at BLOCK list will be the best idea, but will this also create problems from those applications that requires "web-browsing" to be allow??</P></BODY></HTML> Mon, 03 May 2010 21:46:36 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering-process-order/m-p/25931#M18909 migration 2010-05-03T21:46:36Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering-process-order/m-p/25932#M18910 <HTML><HEAD></HEAD><BODY><P>Best practice would be to filter based on Bright Cloud&nbsp; categories overall and then use the Block/allow filters for exceptions to those categories - not to handle the brunt of blocking for your web traffic.&nbsp;&nbsp; You can add web-browsing to the application allow list for those applications that are dependant on web-browsing.</P></BODY></HTML> Tue, 04 May 2010 00:27:57 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering-process-order/m-p/25932#M18910 nrice 2010-05-04T00:27:57Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering-process-order/m-p/25933#M18911 <HTML><HEAD></HEAD><BODY><P>another extend to this question would be also be related to if user did not purchase URL filtering license. How is it possible to block the web-surfings? ex. MS-UPDATES needs to have web-browsing enabled, but users are not allowed to surf any web sites...and without having the URL filtering enabled, how can it be controlled?</P></BODY></HTML> Tue, 04 May 2010 16:42:40 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering-process-order/m-p/25933#M18911 migration 2010-05-04T16:42:40Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering-process-order/m-p/25934#M18912 <HTML><HEAD></HEAD><BODY><P>There wouldn't be a way to block web-browsing for all users and allow an application based on web-browsing for those same users.&nbsp;&nbsp; You'd have to filter based on users who are completely denied web-browsing and those who are allowed web-browsing and ms-updates.</P></BODY></HTML> Tue, 04 May 2010 23:25:29 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering-process-order/m-p/25934#M18912 nrice 2010-05-04T23:25:29Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering-process-order/m-p/25935#M18913 <HTML><HEAD></HEAD><BODY><P>This is another example of why DNS names should be allowed directly in security policy <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>Very simplified/compact example:</P><P></P><P>1) outbound 10.0.0.0 web-browsing update.microsoft.com allow</P><P>2) outbound 10.0.0.0 web-browsing deny logforwardprofile email alert (IPS)</P><P>3) inbound vendor.com(dynamic IP) ssh 10.0.0.0 allow</P><P></P><P>URL Filter = Rule 1 and 2 would be combined allow/deny and logforward is all traffic, not just 'monitored'. Rule 3 is not possible.</P></BODY></HTML> Wed, 26 May 2010 15:50:22 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering-process-order/m-p/25935#M18913 nrouten 2010-05-26T15:50:22Z