https://live.paloaltonetworks.com/t5/general-topics/best-way-of-restricting-web-access/m-p/8948#M6541 <HTML><HEAD></HEAD><BODY><P>Filtering on dstip just wont work because Google uses shitloads of ip addresses.</P><P></P><P>Setup a custom url category which contains (for example) www.google.com (you might need to add a few other domains/subdomains/urls aswell) and enable ssl termination (so you can inspect encrypted https flows).</P><P></P><P>1) Then as first rule you deny stuff from Google which you dont wish to allow, such as Google Translate etc which can be used as proxy.</P><P></P><P>2) Then as second rule you allow by use the above custom url category along with appid for google search (if such exists).</P><P></P><P>You could also create a custom appid for this. Dont forget to set service to application-default (or manually to TCP80, TCP443).</P></BODY></HTML> Mon, 20 Aug 2012 23:38:35 GMT mikand 2012-08-20T23:38:35Z https://live.paloaltonetworks.com/t5/general-topics/best-way-of-restricting-web-access/m-p/8947#M6540 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>Have a "interesting" problem. </P><P></P><P>Scope</P><P>* Clients are not to be allowed access to the internet. Restrict and control with firewall.</P><P></P><P>Scope creep</P><P>*Clients need access to Google to do a search, click on any links in that search. They will search for people/location</P><P></P><P>How can I best isolate and protect these clients web access? I've been trying to figure out what would be the best possible way to allow them a Google search access and 'click' access to the search that comes up.</P><P></P><P>Any input would be greatly appreciated and anything goes to try and mitigate the scope creep to try and be somewhat 'in line' with scope!</P><P></P><P><BR />Cheers</P><P>A.</P></BODY></HTML> Mon, 20 Aug 2012 15:01:08 GMT https://live.paloaltonetworks.com/t5/general-topics/best-way-of-restricting-web-access/m-p/8947#M6540 Ante 2012-08-20T15:01:08Z https://live.paloaltonetworks.com/t5/general-topics/best-way-of-restricting-web-access/m-p/8948#M6541 <HTML><HEAD></HEAD><BODY><P>Filtering on dstip just wont work because Google uses shitloads of ip addresses.</P><P></P><P>Setup a custom url category which contains (for example) www.google.com (you might need to add a few other domains/subdomains/urls aswell) and enable ssl termination (so you can inspect encrypted https flows).</P><P></P><P>1) Then as first rule you deny stuff from Google which you dont wish to allow, such as Google Translate etc which can be used as proxy.</P><P></P><P>2) Then as second rule you allow by use the above custom url category along with appid for google search (if such exists).</P><P></P><P>You could also create a custom appid for this. Dont forget to set service to application-default (or manually to TCP80, TCP443).</P></BODY></HTML> Mon, 20 Aug 2012 23:38:35 GMT https://live.paloaltonetworks.com/t5/general-topics/best-way-of-restricting-web-access/m-p/8948#M6541 mikand 2012-08-20T23:38:35Z https://live.paloaltonetworks.com/t5/general-topics/best-way-of-restricting-web-access/m-p/8949#M6542 <HTML><HEAD></HEAD><BODY><P><BR />Mmm how do I deal with that the user has to click on the actual search links that comes up? That means internet, I'm wondering if I could allow the actual search itself and then allow the "click" to any of the links, they'll have some 'google' link in them when clicked at first. (creating a new APP ID) then have an ultra restricitive web-browsing and not allow any files up or down. Has anyone tried to design something like this in the past?</P></BODY></HTML> Tue, 21 Aug 2012 07:26:43 GMT https://live.paloaltonetworks.com/t5/general-topics/best-way-of-restricting-web-access/m-p/8949#M6542 Ante 2012-08-21T07:26:43Z https://live.paloaltonetworks.com/t5/general-topics/best-way-of-restricting-web-access/m-p/8950#M6543 <HTML><HEAD></HEAD><BODY><P>Could using google webcache be sufficient for the users?</P><P></P><P>Because if you want them to be able to traverse to the searchresult then you must enable surfing.</P><P></P><P><SPAN>You could perhaps setup a custom appid that will trigger on http-method: GET, HEAD, POST along with http-referer: ^</SPAN><A class="jive-link-external-small" href="http://www.google.com/">http://www.google.com/</A><SPAN> (or whatever domain google uses in your case). This appid could of course be easily bypassed by the client by sending a custom referer to fool the filter but still...</SPAN></P></BODY></HTML> Tue, 21 Aug 2012 07:45:39 GMT https://live.paloaltonetworks.com/t5/general-topics/best-way-of-restricting-web-access/m-p/8950#M6543 mikand 2012-08-21T07:45:39Z https://live.paloaltonetworks.com/t5/general-topics/best-way-of-restricting-web-access/m-p/8951#M6544 <HTML><HEAD></HEAD><BODY><P>Will look into how to best use the appid, they'll click pre defined links so could use some filtering on that, they're happy to use cached web after their google search which means they can still 'surf' the internet but it'll be pretty cumbersome to do for them and it'll more then likely result in them not doing it on these machines. I'll update this thread with the final result.</P><P></P><P>Cheers and thanks</P><P>A</P></BODY></HTML> Fri, 31 Aug 2012 07:25:56 GMT https://live.paloaltonetworks.com/t5/general-topics/best-way-of-restricting-web-access/m-p/8951#M6544 Ante 2012-08-31T07:25:56Z