https://live.paloaltonetworks.com/t5/general-topics/policies-security-rule-shadowed-by-2nd-rule/m-p/38567#M28261 <HTML><HEAD></HEAD><BODY><P>Much like an access list on a cisco router top to bottom. I recently created 2 rules for our 3rd party ISP to connect internet sticks via our firewall.</P><P></P><P>1st rule - Allow all traffic via TELUS internet sticks from Trust Vpn, Source (telus), Destination (Any), Actions (Allow), No profile type.</P><P>2nd rule - Deny all traffic via TELUS internet sticks from Trust Vpn, Source (telus), Destination (Any), Actions (Deny)&nbsp; Profiles Type "Profile", URL Filtering (VPN use only) which has allowed sites and blocked sites that I created.</P><P></P><P>However, when I commit the rules, I get an message "Security Policy: Rule Telus Internet Allowed urls" shadows rule "Telus Internet disallowed urls".</P><P>I'm not certain which to change. Any ideas?</P><P></P><P>Rob</P></BODY></HTML> Tue, 13 Nov 2012 15:49:39 GMT robert_smith 2012-11-13T15:49:39Z https://live.paloaltonetworks.com/t5/general-topics/policies-security-rule-shadowed-by-2nd-rule/m-p/38567#M28261 <HTML><HEAD></HEAD><BODY><P>Much like an access list on a cisco router top to bottom. I recently created 2 rules for our 3rd party ISP to connect internet sticks via our firewall.</P><P></P><P>1st rule - Allow all traffic via TELUS internet sticks from Trust Vpn, Source (telus), Destination (Any), Actions (Allow), No profile type.</P><P>2nd rule - Deny all traffic via TELUS internet sticks from Trust Vpn, Source (telus), Destination (Any), Actions (Deny)&nbsp; Profiles Type "Profile", URL Filtering (VPN use only) which has allowed sites and blocked sites that I created.</P><P></P><P>However, when I commit the rules, I get an message "Security Policy: Rule Telus Internet Allowed urls" shadows rule "Telus Internet disallowed urls".</P><P>I'm not certain which to change. Any ideas?</P><P></P><P>Rob</P></BODY></HTML> Tue, 13 Nov 2012 15:49:39 GMT https://live.paloaltonetworks.com/t5/general-topics/policies-security-rule-shadowed-by-2nd-rule/m-p/38567#M28261 robert_smith 2012-11-13T15:49:39Z https://live.paloaltonetworks.com/t5/general-topics/policies-security-rule-shadowed-by-2nd-rule/m-p/38568#M28262 <HTML><HEAD></HEAD><BODY><P>What about this?</P><P></P><P>1)</P><P>srczone: Trust VPN</P><P>srcip: telus</P><P>dstzone: any</P><P>dstip: any</P><P>profile: URL Filtering (VPN use only)</P><P>options: log on session end</P><P>action: allow</P><P></P><P>2)</P><P>srczone: any</P><P>srcip: any</P><P>dstzone: any</P><P>dstip: any</P><P>profile: none</P><P>options: log on session end</P><P>action: deny</P><P></P><P>The thing is that your "allow" (which you see in the security policy) is based on ip header while url filtering profile takes care of what you will allow/block based on url.</P><P></P><P>However, if I recall correctly, another method is to only have allowed urls in your URL filter profile and let the default deny in the bottom take care of the blocking.</P><P></P><P>Like so:</P><P></P><P>1)</P><P>srczone: Trust VPN</P><P>srcip: telus</P><P>dstzone: any</P><P>dstip: any</P><P>profile: URL Filtering (Allowed for VPN)</P><P>options: log on session end</P><P>action: allow</P><P></P><P>2)</P><P>srczone: any</P><P>srcip: any</P><P>dstzone: any</P><P>dstip: any</P><P>profile: none</P><P>options: log on session end</P><P>action: deny</P></BODY></HTML> Wed, 14 Nov 2012 09:02:17 GMT https://live.paloaltonetworks.com/t5/general-topics/policies-security-rule-shadowed-by-2nd-rule/m-p/38568#M28262 mikand 2012-11-14T09:02:17Z