topic Re: Per-User URL Filtering Process in General Topics

Per-User URL Filtering Process

MarcusReams — Thu, 06 Jul 2017 19:12:07 GMT

Can someone give me a break down of what the process flow is like? For example, Is a lookup done for the user then an IP mapping happens? Are the user-ip mappings being used for the decision in the filtering process?

The reason I ask is that I have users connected via a VPN device the filtering doesn't seem to work.

Re: Per-User URL Filtering Process

BPry — Thu, 06 Jul 2017 19:37:20 GMT

@MarcusReams,

When the user is connected to the VPN do you have an active ip to user mapping? You can verify this within both the data-plane and the management-plane by running the CLI command show user ip-user-mapping all for the dataplane mapping and show user ip-user-mapping-mp all for the management plane. If you have a larger userbase you can specify a user by either the ip address by running show user ip-user-mapping ip 10.191.17.6 for example or by just piping the command a looking for a user in particular.

I would verify that they even have a user mapping; from what you are describing they do not, or the mapping that you have built around is not what the user comes across as when logged into the VPN.

Re: Per-User URL Filtering Process

reaper — Fri, 07 Jul 2017 08:20:08 GMT

each part is separate

user-ip mapping is accomplished either by a user logging onto his domain computer in the office and the login being picked up by an agent/agentless deployment, or a user logging into GlobalProtect VPN (establishing the tunnel)

the mapping is then stored in the cache on the firewall

when the user makes a connection, the security policy is checked to see if the connection will be allowed (at the TCP level).

when the application is identified, the firewall passes the session through the security policy again to find a matching rule for the source user and application to match and if a matching policy is found, the session is again allowed to carry on

if the application is web-browsing and the session is allowed, this will also trigger a url filtering lookup (local cache > cloud lookup) to determine the url category and then apply the URL filtering policy (so the TCP connection could be allowed but the session could get blocked at layer7 by the url filtering profile at which point a block page is presented to the user)

so you'd want to check the user mapping first, see if he's being identified and mapped properly

> show user ip-user-mapping ip <ip/subnet>

next, you'll need to check if the group (assuming you used an LDAP group rather than standalone usernames in your security policy) contains his username on the firewall

> show user group list
> show user group name 'cn=group,cn=users,dc=example,dc=com'

if both match, check if there aren't any security policies preceding your policy that could be blocking your connections/allowing them though

hope this helps

Re: Per-User URL Filtering Process

MarcusReams — Tue, 11 Jul 2017 19:21:10 GMT

Thanks for the feedback.