https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47415#M34861 <HTML><HEAD></HEAD><BODY><P class="MsoNormal"><SPAN>I have a query regarding multiple rules to allow access to URL whitelists.</SPAN></P><P class="MsoNormal"><SPAN> </SPAN></P><P class="MsoNormal"><SPAN>Let’s say I have rule1 that allows “any” on my LAN to a URL profile that blocks everything but only allows access to url1.com.</SPAN></P><P class="MsoNormal"><SPAN> </SPAN></P><P class="MsoNormal"><SPAN>I then want to have rule2 that only allows “some servers” access to only url2.com.</SPAN></P><P class="MsoNormal"><SPAN> </SPAN></P><P class="MsoNormal"><SPAN>The problem is that the URL filtering profile on the first rule stops the request for url2.com from ever reaching the rule that allows it.</SPAN></P><P class="MsoNormal"><SPAN> </SPAN></P><P class="MsoNormal"><SPAN>Seems a simple enough thing to want to do so I must be missing a step/technique in how I'm doing it?</SPAN></P><P class="MsoNormal"></P><P class="MsoNormal">Thanks.</P></BODY></HTML> Fri, 02 Apr 2010 08:02:24 GMT networkadmin 2010-04-02T08:02:24Z https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47415#M34861 <HTML><HEAD></HEAD><BODY><P class="MsoNormal"><SPAN>I have a query regarding multiple rules to allow access to URL whitelists.</SPAN></P><P class="MsoNormal"><SPAN> </SPAN></P><P class="MsoNormal"><SPAN>Let’s say I have rule1 that allows “any” on my LAN to a URL profile that blocks everything but only allows access to url1.com.</SPAN></P><P class="MsoNormal"><SPAN> </SPAN></P><P class="MsoNormal"><SPAN>I then want to have rule2 that only allows “some servers” access to only url2.com.</SPAN></P><P class="MsoNormal"><SPAN> </SPAN></P><P class="MsoNormal"><SPAN>The problem is that the URL filtering profile on the first rule stops the request for url2.com from ever reaching the rule that allows it.</SPAN></P><P class="MsoNormal"><SPAN> </SPAN></P><P class="MsoNormal"><SPAN>Seems a simple enough thing to want to do so I must be missing a step/technique in how I'm doing it?</SPAN></P><P class="MsoNormal"></P><P class="MsoNormal">Thanks.</P></BODY></HTML> Fri, 02 Apr 2010 08:02:24 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47415#M34861 networkadmin 2010-04-02T08:02:24Z https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47416#M34862 <HTML><HEAD></HEAD><BODY><P>I believe the simplest solution would be to reverse the order of the rules so that "some servers" hit their rule first and then add url1.com to the URL filtering profile so that "some servers" have access to both url2.com and url1.com.</P><P></P><P>Mike</P></BODY></HTML> Fri, 02 Apr 2010 14:39:09 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47416#M34862 mjacobsen 2010-04-02T14:39:09Z https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47417#M34863 <HTML><HEAD></HEAD><BODY><P>Thanks Mike, I guess that would work though it's not ideal as it means maintaining two sets of overlapping URL profiles (AFAIK you can't "group" URL profiles can you?).</P><P></P><P>Are there any plans to bring in an option to have allow lists where if the URL is not on the allow list the request simply drops through to the next rule?</P></BODY></HTML> Fri, 02 Apr 2010 15:53:07 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47417#M34863 networkadmin 2010-04-02T15:53:07Z https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47418#M34864 <HTML><HEAD></HEAD><BODY><P>Understand the complexity. The custom URL categories feature in 3.1 should simplify this a bit as you could keep the profiles static and simply add the URLs to the custom categories and they would get picked up by the necessary profiles automatically. We don't have plans to allow traffic to drop through to a secondary rule.</P><P></P><P>Mike</P></BODY></HTML> Fri, 02 Apr 2010 17:04:09 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47418#M34864 mjacobsen 2010-04-02T17:04:09Z https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47419#M34865 <HTML><HEAD></HEAD><BODY><P>Ahhh OK, so instead of multiple URL profiles that serve only to have an allow list, you create a URL category called "ms-update sites" or "global whitelist" and set those to allow on the URL profiles instead of duplicating/overlapping the URLs in the "allow" box?</P><P></P><P>I think that would make things a bit simpler to manage so I'll look at the documentation/PanOS manual.</P><P></P><P>Presumably 3.1 is considered stable/production ready?&nbsp; I ask as whilst I believe 3.0.8 is more "mature" I'm unsure quite what you'd consider the deciding factor between whether to deploy 3.0.8 or jump to 3.1 (we're on 3.0.6 right now)?</P><P></P><P>Thanks.</P></BODY></HTML> Fri, 02 Apr 2010 17:41:39 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47419#M34865 networkadmin 2010-04-02T17:41:39Z https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47420#M34866 <HTML><HEAD></HEAD><BODY><P>Yes. You get the approach. </P><P></P><P>As far as 3.0 vs. 3.1, that is a decision you will need to make. As Nancy pointed out, if you don't need features of a new release, it is generally safer to stick with what has been shipping for a while. That said, I always want the new features! <SPAN __jive_emoticon_name="happy"></SPAN> We will absolutely stand behind 3.1 as a release you can use in deployment. We have many customers that have already upgraded and I expect many more will in the near future. There may be bumps along the way, and early adopters may run into more of those than if they would have waited. At the end of the day, we will continue to push the envelope of innovation with new releases and may introduce bugs along the way. We do our best to avoid that and our excellent support team will help to work through them quickly if they do occur. We will continue to support both the aggressive and conservative customers. While I am aggressive and would go with the latest, you need to do what you feel fits your comfort level.</P><P></P><P>Mike</P></BODY></HTML> Fri, 02 Apr 2010 17:56:09 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47420#M34866 mjacobsen 2010-04-02T17:56:09Z https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47421#M34867 <HTML><HEAD></HEAD><BODY><P>Brilliant thanks Mike, I may wait for 3.1.1 (or the first "bugfix" release) but sounds like a plan.</P></BODY></HTML> Wed, 07 Apr 2010 12:53:00 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47421#M34867 networkadmin 2010-04-07T12:53:00Z https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47422#M34868 <HTML><HEAD></HEAD><BODY><P>we are trying to setup category filtering where users can be part of multiple groups.</P><P>It will be nice to have an ability to customize URL profiles so you can add/remove specific category for specific group so&nbsp; it only matches selected category including custom category, that way it will move on to next firewall rule. Looks like only way you can accomplish is by specifying application and not choosing URL profile.</P></BODY></HTML> Mon, 07 Nov 2011 13:56:57 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-policies-that-use-url-allow-lists/m-p/47422#M34868 apat750 2011-11-07T13:56:57Z