topic Re: Help with "Deny All, with whitelist of domains" in General Topics

Help with "Deny All, with whitelist of domains"

kaboom — Wed, 30 Mar 2016 17:51:05 GMT

I have been trying to test out a new policy that will need to be implemented by our security team. This involves a Deny All rule, with a rule right above it that allows a list of domains. These domains include SaaS services, Cloud, and other domains that users must access to achieve daily production.

I have tried to make the whitelist based on FQDNs, but I am running into a problem when we have CDNs that are embedded in the destined location. I was able to monitor the 3rd party content and whitelist those URLs as well, but we are still having and issue when some of the domains might have some type of GLB on their end. The PAN does cache 10 IP addresses per FQDN at a time, but I'm afraid that it might not be enough.

We have discussed the options of a web proxy, but I am just curious if anybody has any better ideas on achieving this end goal, specifically with the PAN.

Re: Help with "Deny All, with whitelist of domains"

Anon1 — Wed, 30 Mar 2016 18:50:40 GMT

For DNS domain based rules, you better use the URL filtering functionality. You could create a custom URL category and add all necessary domains to it. Then only allow this custom URL category. This also works without URL filtering license.

Re: Help with "Deny All, with whitelist of domains"

kaboom — Wed, 30 Mar 2016 19:26:09 GMT

When I spoke to PAN, URL Filtering only applies to HTTP and HTTPS traffic. Therefore, I don't think that it would work for applications.

Re: Help with "Deny All, with whitelist of domains"

Anon1 — Wed, 30 Mar 2016 19:33:57 GMT

That´s right, I assumed it were web based applications which are accessed via HTTP/HTTPS. Maybe there is an AppID signature for your particular applications? Do you have examples?