https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66715#M39298 <P>The firewall is a security tool. &nbsp;We should be first asking what's important...What's critical to have. &nbsp;It's annoying that everytime I'm on a TAC call I usually get the "you really shouldn't log on session start" comment.</P> <P>&nbsp;</P> <P>The problem with not logging on session start is you're only notified when the session has ended (obvious.) &nbsp;The problem with saying "only use it for troubleshooting" is how do you troubleshoot something in the past?</P> <P>&nbsp;</P> <P>Say for instance an FTP session, that session could be open for minutes, hours, or even days. &nbsp;You'd never be notified about that traffic until the session was closed.</P> <P>&nbsp;</P> <P>Every one of my rules logs session start. &nbsp;Over 20k user network and we generate about 3 million logs a day. &nbsp;Our Panorama has 2TB of storage and we just shy of 2 months of on box retention.</P> Fri, 16 Oct 2015 12:53:17 GMT Brandon_Wertz 2015-10-16T12:53:17Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66698#M39286 <P>Hi,</P> <P>I have very big problem with my firewall. I have&nbsp;a few URL filtering rules which I block some of sites.&nbsp;</P> <P>Example:</P> <P>1. Allow social network(linkedin)&nbsp;block youtube -&gt; name AllowSN</P> <P>2. Allow youtube block social network(linkedin) -&gt; name AllowYT</P> <P>3 and so on</P> <P>&nbsp;</P> <P>And I create for this URL filtering policies where specific users(by ldap) can access to specif sites.</P> <P>&nbsp;</P> <P>Example:</P> <P>1. AD group allow_yt -&gt; url filtering AllowYT</P> <P>2. AD group allow_sn -&gt; url filtering AllowSN</P> <P>&nbsp;</P> <P>And I have users who is in all of this groups(allow_yt,allow_sn). In this hierarchy they can access to YT but not social network but when I change policies order they can get to SN but not to YT <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>&nbsp;</P> <P>Can someone provide information How can I improve my policies that users which are in both group can access to&nbsp;YT and social network?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for help.</P> Fri, 16 Oct 2015 06:51:12 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66698#M39286 ITBT 2015-10-16T06:51:12Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66699#M39287 <P>Hi</P> <P>&nbsp;</P> <P><SPAN style="line-height: 20px;">the security policy will be processed from the top to bottom and once a positive match (source+destination+source user/group+application/port) is made, the security policy will be applied and any subsequent rules are not checked</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>so what you could try is to create a rule at the top that allows application youtube for the youtube group, then add the rule that allows youtube URL filtering below and then social networking</P> <P>&nbsp;</P> <P>1. AD group allow_yt &nbsp;-&gt;&nbsp;application YouTube, NO url filtering</P> <P><SPAN style="line-height: 20px;">2. AD group allow_yt -&gt; url filtering AllowYT</SPAN></P> <P>3. AD group allow_sn -&gt; url filtering AllowSN</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>regards</P> <P>Tom</P> Fri, 16 Oct 2015 08:47:01 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66699#M39287 reaper 2015-10-16T08:47:01Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66702#M39289 <P>Thanks for answer.</P> <P>&nbsp;</P> <P>But how does it work? If security policy are processed from thr top to bottom then someone who is in the group allow_yt and allow_sn will be access to YT but not to SN.&nbsp;</P> <P>&nbsp;</P> <P>Or am I wrong?</P> Fri, 16 Oct 2015 09:48:39 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66702#M39289 ITBT 2015-10-16T09:48:39Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66705#M39290 <P>Try chaning the order</P> <P>&nbsp;</P> <P>1. AD group allow_yt &nbsp;-&gt;&nbsp;application YouTube, NO url filtering</P> <P><SPAN style="line-height: 20px;">2. AD group allow_sn -&gt; url filtering AllowSN</SPAN></P> <P>3. <SPAN style="line-height: 20px;">AD group allow_yt -&gt; url filtering AllowYT</SPAN></P> Fri, 16 Oct 2015 10:23:12 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66705#M39290 pankaku 2015-10-16T10:23:12Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66707#M39291 <P>You can start with something like this and then tighten it down (allow only limited applications like youtube, web-browsing, ssl etc from <A href="http://www.youtube.com" target="_blank">www.youtube.com</A> and permit only limited social-networking FQDN's etc).</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/717i5E8D28DE1F987D1B/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="example.png" title="example.png" /></P> <P>&nbsp;</P> <P>And change User-Any to your AD group accordingly.</P> <P>So first 2 rules source user is youtube group and third is social networkng group.</P> Fri, 16 Oct 2015 10:28:40 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66707#M39291 Raido_Rattameister 2015-10-16T10:28:40Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66709#M39292 <P>Thanks for help.</P> <P>&nbsp;</P> <P><SPAN class=""><A id="link_9" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608" target="_self">reaper</A>&nbsp;it doesn't work</SPAN></P> <P><SPAN class=""><A id="link_17" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/20090" target="_self">pakumar</A>&nbsp;<SPAN>it doesn't work</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class=""><A id="link_21" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603" target="_self">Raido</A>&nbsp;but I use this type of configuration. So do you think I shoud change to URL Category?</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN class=""><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/718i32A27BBA703CD3C1/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="PAN.PNG" title="PAN.PNG" /></SPAN></P> Fri, 16 Oct 2015 11:37:31 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66709#M39292 ITBT 2015-10-16T11:37:31Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66710#M39293 <P>Security profiles is always my first choice because it keeps security rules cleaner.</P> <P>But with your requirement you should create security profile and AD group for every possible setup.</P> <P>- permit youtube</P> <P>- permit social</P> <P>- permit youtube and social</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Pao (and firewalls in general) evaluate rules from top to bottom.</P> <P>First rule matches source and destination will be taken into account.</P> <P>If in first rule you allow HR department to visit social networking sites with security profile but at the same time block streaming media in the same URL filtering profile then person in HR group can never go to youtube (even if same person is also in streaming media group and you allow streaming media with next rule below).</P> <P>Rules are not mixed together - only one rule will be taken into account.</P> <P>&nbsp;</P> Fri, 16 Oct 2015 11:49:46 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66710#M39293 Raido_Rattameister 2015-10-16T11:49:46Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66711#M39294 <P>By the way "log at session start" should be used only for troubleshooting purpouses.</P> <P>It generates a lot more log (every application shift) so your log will fill up faster and you can't go back as long as you could with less logging.</P> Fri, 16 Oct 2015 11:53:15 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66711#M39294 Raido_Rattameister 2015-10-16T11:53:15Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66715#M39298 <P>The firewall is a security tool. &nbsp;We should be first asking what's important...What's critical to have. &nbsp;It's annoying that everytime I'm on a TAC call I usually get the "you really shouldn't log on session start" comment.</P> <P>&nbsp;</P> <P>The problem with not logging on session start is you're only notified when the session has ended (obvious.) &nbsp;The problem with saying "only use it for troubleshooting" is how do you troubleshoot something in the past?</P> <P>&nbsp;</P> <P>Say for instance an FTP session, that session could be open for minutes, hours, or even days. &nbsp;You'd never be notified about that traffic until the session was closed.</P> <P>&nbsp;</P> <P>Every one of my rules logs session start. &nbsp;Over 20k user network and we generate about 3 million logs a day. &nbsp;Our Panorama has 2TB of storage and we just shy of 2 months of on box retention.</P> Fri, 16 Oct 2015 12:53:17 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-6-1-4-policy-and-url-filtering/m-p/66715#M39298 Brandon_Wertz 2015-10-16T12:53:17Z