https://live.paloaltonetworks.com/t5/general-topics/help-how-to-block-access-to-any-site-except-those-on-a-whitelist/m-p/214907#M62412 <OL><LI>Configure and enable TLS decryption*:&nbsp;<A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/decryption/configure-ssl-forward-proxy" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/decryption/configure-ssl-forward-proxy</A></LI><LI>Create a custom URL category with your entries</LI><LI>Create a security policy where you add your custom URL category directly into your rule (in the service tab)</LI><LI>Do not create any other rule except a deny-all rule for that zone</LI></OL><P>*without TLS decryption you'll be only able to filter for the domainname but not&nbsp;<SPAN>edition.cnn.com<STRONG>/health</STRONG></SPAN></P> Mon, 21 May 2018 20:04:56 GMT Remo 2018-05-21T20:04:56Z https://live.paloaltonetworks.com/t5/general-topics/help-how-to-block-access-to-any-site-except-those-on-a-whitelist/m-p/214897#M62411 <P>Hi,</P><P>&nbsp;</P><P>On a certain Zone I need to <STRONG>block access to anything else but these URLs</STRONG> on a whitelist like this:</P><P>&nbsp;</P><P>edition.cnn.com/health<BR />edition.cnn.com/travel<BR />money.cnn.com/technology/</P><P>&nbsp;</P><P>How can I do that most elegantly (I have a VM-100 with latest PanOS)</P><P>&nbsp;</P><P>Thanks a lot for a quick reply on this, I have tried with URL filtering but to no avail...</P><P>&nbsp;</P><P>Tor</P> Mon, 21 May 2018 19:43:22 GMT https://live.paloaltonetworks.com/t5/general-topics/help-how-to-block-access-to-any-site-except-those-on-a-whitelist/m-p/214897#M62411 LCMember4427 2018-05-21T19:43:22Z https://live.paloaltonetworks.com/t5/general-topics/help-how-to-block-access-to-any-site-except-those-on-a-whitelist/m-p/214907#M62412 <OL><LI>Configure and enable TLS decryption*:&nbsp;<A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/decryption/configure-ssl-forward-proxy" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/decryption/configure-ssl-forward-proxy</A></LI><LI>Create a custom URL category with your entries</LI><LI>Create a security policy where you add your custom URL category directly into your rule (in the service tab)</LI><LI>Do not create any other rule except a deny-all rule for that zone</LI></OL><P>*without TLS decryption you'll be only able to filter for the domainname but not&nbsp;<SPAN>edition.cnn.com<STRONG>/health</STRONG></SPAN></P> Mon, 21 May 2018 20:04:56 GMT https://live.paloaltonetworks.com/t5/general-topics/help-how-to-block-access-to-any-site-except-those-on-a-whitelist/m-p/214907#M62412 Remo 2018-05-21T20:04:56Z https://live.paloaltonetworks.com/t5/general-topics/help-how-to-block-access-to-any-site-except-those-on-a-whitelist/m-p/214910#M62413 <P>Hi,</P><P>&nbsp;</P><P>Thanks for the quick reply.&nbsp;</P><P>&nbsp;</P><P>I have actually tried to create a custom URL category as you suggest using create URL Filtering Profile / Override tab and entered the list of 'white' URL's in the left (Allow List) listbox.&nbsp;</P><P>&nbsp;</P><P>Secondly I added this profile to the Security policy for the Zone in question.&nbsp; However, despite this, it unfortunately still allows traffic from any URL.</P><P>&nbsp;</P><P>What am I missing..?</P> Mon, 21 May 2018 20:19:35 GMT https://live.paloaltonetworks.com/t5/general-topics/help-how-to-block-access-to-any-site-except-those-on-a-whitelist/m-p/214910#M62413 LCMember4427 2018-05-21T20:19:35Z https://live.paloaltonetworks.com/t5/general-topics/help-how-to-block-access-to-any-site-except-those-on-a-whitelist/m-p/214911#M62414 <P>If you use your method: have you set every URL category to block?</P> Mon, 21 May 2018 20:21:04 GMT https://live.paloaltonetworks.com/t5/general-topics/help-how-to-block-access-to-any-site-except-those-on-a-whitelist/m-p/214911#M62414 Remo 2018-05-21T20:21:04Z