https://live.paloaltonetworks.com/t5/general-topics/security-policy-rule-to-allow-users-to-download-from-certain-url/m-p/39822#M29204 <HTML><HEAD></HEAD><BODY><P>If you are pulling AD groups via LDAP into the firewall, you can setup the following:</P><P></P><P>Policy 1:</P><P></P><P>Source user : specific user-group/users that can download from some URL's </P><P>Source IP: ANY. If there are no AD groups being pulled, specific source IP's of clients need to be specified.</P><P>URL category : ANY</P><P>Profiles: Reference the URL filtering profile with the custom category containing the URL's that can be accessed.</P><P></P><P>Policy 2:</P><P></P><P>Strict with all restrictions.</P></BODY></HTML> Wed, 01 May 2013 05:54:34 GMT mvenkatesan 2013-05-01T05:54:34Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-rule-to-allow-users-to-download-from-certain-url/m-p/39817#M29199 <HTML><HEAD></HEAD><BODY><P>Just implemented a 3020 and have many Engineers looking to download EXE, ZIPs and ftp to sites all over the place.&nbsp; I am looking to allow them to use these services to certain URLs only.&nbsp; i have tried to create a custom URL list and File Transfer group but the problem i am having is created a rule that allows access to certain sites but not allowing too much.&nbsp; trying to make it as strict as possible.&nbsp; i would like my other security policies to be the default and to be in effect for them if they are not going to certain URLs stated above.&nbsp; anyone have any suggestions?&nbsp; anyone done this before?</P></BODY></HTML> Tue, 30 Apr 2013 17:51:59 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-rule-to-allow-users-to-download-from-certain-url/m-p/39817#M29199 gkauno 2013-04-30T17:51:59Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-rule-to-allow-users-to-download-from-certain-url/m-p/39818#M29200 <HTML><HEAD></HEAD><BODY><P>Policy 1:- Strict with all the url restrictions.</P><P>Policy 2 below policy 1:- default one with urls that are not stated above.</P></BODY></HTML> Tue, 30 Apr 2013 18:30:58 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-rule-to-allow-users-to-download-from-certain-url/m-p/39818#M29200 sraghunandan 2013-04-30T18:30:58Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-rule-to-allow-users-to-download-from-certain-url/m-p/39819#M29201 <HTML><HEAD></HEAD><BODY><P>i am fairly new Palo Alto but if the users are blocked by the Strict URL restrictions above in the policy #1 then how would the traffic get to Policy #2?</P></BODY></HTML> Tue, 30 Apr 2013 19:20:57 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-rule-to-allow-users-to-download-from-certain-url/m-p/39819#M29201 gkauno 2013-04-30T19:20:57Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-rule-to-allow-users-to-download-from-certain-url/m-p/39820#M29202 <HTML><HEAD></HEAD><BODY><P>Can you give us an example of what you are trying to achieve that will give me a fair idea.</P></BODY></HTML> Tue, 30 Apr 2013 19:25:12 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-rule-to-allow-users-to-download-from-certain-url/m-p/39820#M29202 sraghunandan 2013-04-30T19:25:12Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-rule-to-allow-users-to-download-from-certain-url/m-p/39821#M29203 <HTML><HEAD></HEAD><BODY><P>i have a security policy in place that blocks all FTP, EXE, zip files amongst other things <BR />using the File Blocking Profile.&nbsp; i need certain users to bypass this 'file blocking' when they are tyring to hit certain URL's.&nbsp; I thought there should be a way to put a rule ahead of this that would state if you are trying to hit a certain URL (By name) and you are trying to download or upload EXE, ZIP types of files then it would be okay.&nbsp; kind of like a whitelist.&nbsp; the SOURCE and DESTINATION only allow for IP/IPranges.&nbsp; the Service/URL category lets me choose my custom URL list but it wont take effect as it is not meant for that i have been told.&nbsp; so it would have to be a special policy that allows those certain URLs, but not all URLs for those certain file types. </P></BODY></HTML> Tue, 30 Apr 2013 19:44:26 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-rule-to-allow-users-to-download-from-certain-url/m-p/39821#M29203 gkauno 2013-04-30T19:44:26Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-rule-to-allow-users-to-download-from-certain-url/m-p/39822#M29204 <HTML><HEAD></HEAD><BODY><P>If you are pulling AD groups via LDAP into the firewall, you can setup the following:</P><P></P><P>Policy 1:</P><P></P><P>Source user : specific user-group/users that can download from some URL's </P><P>Source IP: ANY. If there are no AD groups being pulled, specific source IP's of clients need to be specified.</P><P>URL category : ANY</P><P>Profiles: Reference the URL filtering profile with the custom category containing the URL's that can be accessed.</P><P></P><P>Policy 2:</P><P></P><P>Strict with all restrictions.</P></BODY></HTML> Wed, 01 May 2013 05:54:34 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-rule-to-allow-users-to-download-from-certain-url/m-p/39822#M29204 mvenkatesan 2013-05-01T05:54:34Z