https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175448#M54976 <P>I would start here:</P><P>&nbsp;- <A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-users-to-groups#_74222" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-users-to-groups#_74222</A></P><P>&nbsp;</P><P>You don't need to do LDAP authentication based on your original question. &nbsp;Your main goal is to get the firewall to download a list of LDAP groups and the names of the users in each of the groups. &nbsp;</P><P>&nbsp;</P><P>With this in place, you can create security policy based on username and/or LDAP group. &nbsp;</P> Thu, 07 Sep 2017 15:01:58 GMT jvalentine 2017-09-07T15:01:58Z https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175283#M54948 <P>Hey guys!</P><P>&nbsp;</P><P>We got a couple of 7050s in our Data Center with URL Filtering license, and we are planning to implement the URL Filtering feature.&nbsp;</P><P>&nbsp;</P><P>I understand first thing is to&nbsp;create the URL profile with the allowed / denied categories and attach it to the Security Policies that allow outbound Internet access.</P><P>&nbsp;</P><P>But my concern is how to enable the use of specific users or groups to those security policies?&nbsp;</P><P>&nbsp;</P><P>I have enabled User-ID agent in my environment, the User-ID agent is retrieving the user to IP address mappings from the Domain Controllers, and my Firewall is already talking to the User-ID agent!</P><P>&nbsp;</P><P>However, could anyone let me know if I still need to add some LDAP configuration to my Firewall? Or if I'm ready to implement Web Filtering to specific users.</P><P>&nbsp;</P><P>Kind Regards!</P> Wed, 06 Sep 2017 22:25:19 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175283#M54948 alexdelangel 2017-09-06T22:25:19Z https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175292#M54951 <P>I would configure LDAP so that the firewall can pull in groups of users. &nbsp;</P><P>&nbsp;</P><P>At the top of your security policy, create a couple of group-based overrides. &nbsp;Assuming you generally block adult + gambling sites, create two groups in your LDAP server, "URL-adult" and "URL-gambling". &nbsp;</P><P>&nbsp;</P><P>Next, create a single URL filtering profile called "override alert URL", with action=alert for all categories. &nbsp;Attach that profile to these override rules. &nbsp;</P><P>&nbsp;</P><P>Then you can create security policies that look like this:</P><P>&nbsp;</P><P>from trust to untrust, user=URL-adult, application=web-browsing+SSL, URL category=adult, action=allow</P><P>from trust to untrust, user=URL-gambling, application=web-browsing+SSL, URL category=gambling, action=allow</P><P>&nbsp;</P><P>&nbsp;</P><P>lather, rinse, repeat for the URL categories where you need to provide an override and commit your changes. &nbsp;</P><P>&nbsp;</P><P>The nice thing about this is that you only need to add a user to the LDAP group in order to permit them access to an overridden category. &nbsp;(The firewall refreshes LDAP groups every 60 minutes, so you may need to wait that long for it to work - or perform a manual refresh via the CLI).</P><P>&nbsp;</P><P>If you want to warn your user that they're visiting a normally-blocked website because they have override privileges, modify your URL filtering profile from "override alert all URL" with action=alert, and change all of the actions=continue. &nbsp;This way, if someone is visiting an overriden webpage, they're shown the block/continue page with a customizable warning and must click "continue" in order to visit the overriden webpage. &nbsp;</P> Wed, 06 Sep 2017 22:52:47 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175292#M54951 jvalentine 2017-09-06T22:52:47Z https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175300#M54953 <P>Hi Valentine,</P><P>&nbsp;</P><P>Thank you so much for your answer, that's exactly what I need. I need my firewall to be able to pull in groups of users.</P><P>&nbsp;</P><P>I was with the idea that user-ID agent would give me the capability to define groups of users to my Security Policies, but I see that additionally I need to configure LDAP.</P><P>&nbsp;</P><P>I found the below documentation, could you let me know if that should be enough?</P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-ldap-authentication" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-ldap-authentication</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you!</P> Thu, 07 Sep 2017 01:46:40 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175300#M54953 alexdelangel 2017-09-07T01:46:40Z https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175448#M54976 <P>I would start here:</P><P>&nbsp;- <A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-users-to-groups#_74222" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-users-to-groups#_74222</A></P><P>&nbsp;</P><P>You don't need to do LDAP authentication based on your original question. &nbsp;Your main goal is to get the firewall to download a list of LDAP groups and the names of the users in each of the groups. &nbsp;</P><P>&nbsp;</P><P>With this in place, you can create security policy based on username and/or LDAP group. &nbsp;</P> Thu, 07 Sep 2017 15:01:58 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175448#M54976 jvalentine 2017-09-07T15:01:58Z https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175465#M54978 <P>Those 7000 series firewalls can handle up to 10,000 LDAP groups so you should be good to go!</P> Thu, 07 Sep 2017 15:58:25 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175465#M54978 Wald 2017-09-07T15:58:25Z https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175470#M54982 <P>Hey Valentine!</P><P>&nbsp;</P><P>Thank you so much for the provided assistance, and documentation. I confirm now I'm able to&nbsp;create Security Policies based on username, and LDAP groups.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Kind Regards!</P> Thu, 07 Sep 2017 17:23:37 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175470#M54982 alexdelangel 2017-09-07T17:23:37Z https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175560#M55002 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/21849">@Wald</a> wrote:<BR /><P>Those 7000 series firewalls can handle up to 10,000 LDAP groups so you should be good to go!</P><HR /></BLOCKQUOTE><P>Is it correct if we assume the maximum number of groups we can add per virtual system (Group Include List and Custom Group tab combind) will still be 640 groups?</P> Fri, 08 Sep 2017 04:48:50 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-specify-specific-users-groups-in-url-filtering-policies/m-p/175560#M55002 Mass 2017-09-08T04:48:50Z