topic How can I block a URL from the internet? in General Topics

How can I block a URL from the internet?

rpainter — Tue, 31 May 2016 19:41:01 GMT

Here is my dilemma:

I have an appliance that is accessible over the internet. I need the public to be able to access this (it is for web conferencing). The admin portal is also available. I would to block access to the admin portal over the internet, and make it only available from my LAN (via its private IP).

Let's say that the URL is: https://mysite.mycompany.com

The admin site is: https://mysite.mycompany.com/admin

Is there a way to black access to /admin, but still allow traffic to the other site?

Re: How can I block a URL from the internet?

Brandon_Wertz — Tue, 31 May 2016 20:32:58 GMT

Depends on what version of PAN-OS you're on.

From version 6.1.X on, you're good. Follow these guides (Essentially you'll just want to create a custom URL Object and use it in policy based upon how you desire to allow or deny on a case by case basis:

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/url-filtering/block-and-allow-lists#14516

"For example: If you want to prevent a user from accessing any website within the domain paloaltonetworks.com, you would also enter *.paloaltonetworks.com, so whatever domain prefix (http://, www, or a sub-domain prefix such as mail.paloaltonetworks.com) is added to the address, the specified action will be taken. The same applies to the sub-domain suffix; if you want to block paloaltonetworks.com/en/US, you would need to add paloaltonetworks.com/*as well."

https://downloads.paloaltonetworks.com/software/PAN-OS-6.1.0-RN.pdf?__gda__=1465314609_557613dbafd2ac5ed438dd389a7f9018

"PAN-DB can now categorize content down to the page level instead of just at the directory level. Because the pages within a domain can belong to multiple categories, this capability provides increased accuracy in filtering content and prevents potential over-blocking of web content. If, for example, you block malware and allow access to business/ news content for users on your network, they can access http://www.acme.com/c/news.html because it is categorized as news/business, but be denied access to http://www.acme.com/c/malware.exe because PAN-DB categorizes the full-path for this web page as malware. "

Re: How can I block a URL from the internet?

pulukas — Sun, 05 Jun 2016 12:03:29 GMT

You should also check with your conferencing software vendor. Many of them anticipate this problem and provide mechanisms to restrict Admin access at the application level on the server. They also might provide options for role separations so that your public facing server does not have these features eabled.