https://live.paloaltonetworks.com/t5/general-topics/security-policy-best-practice/m-p/254494#M72232 <P>Hello all,</P><P>I've read multiple documents from PA and read some on the forums here, but cannot find anything definitive on this.</P><P>&nbsp;</P><P>What I'm trying to find out is what is the best practice/most effective way to configure a Security Policy for filtering. I understand there are several ways to do this, but I've found that the way I've been doing it doesn't always seem to work the best. Are there any issues with the following config?</P><P>&nbsp;</P><P>Create a Security Policy and set the Action to Allow. Set a URL Filtering Profile. Create a Custom URL Category for Allowed URLs. Create a Custom URL Category for Denied URLs. Apply these Custom URL Categories inside the URL Filtering Profile. Set other categories to Deny within the URL Filtering Profile.</P><P>&nbsp;</P><P>If I were to set the Action for a Security Policy to Deny, does that Deny all traffic that matches?</P><P>&nbsp;</P><P>Any advice will be very helpful. Thanks.</P> Thu, 21 Mar 2019 14:21:32 GMT GCSS-RT 2019-03-21T14:21:32Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-best-practice/m-p/254494#M72232 <P>Hello all,</P><P>I've read multiple documents from PA and read some on the forums here, but cannot find anything definitive on this.</P><P>&nbsp;</P><P>What I'm trying to find out is what is the best practice/most effective way to configure a Security Policy for filtering. I understand there are several ways to do this, but I've found that the way I've been doing it doesn't always seem to work the best. Are there any issues with the following config?</P><P>&nbsp;</P><P>Create a Security Policy and set the Action to Allow. Set a URL Filtering Profile. Create a Custom URL Category for Allowed URLs. Create a Custom URL Category for Denied URLs. Apply these Custom URL Categories inside the URL Filtering Profile. Set other categories to Deny within the URL Filtering Profile.</P><P>&nbsp;</P><P>If I were to set the Action for a Security Policy to Deny, does that Deny all traffic that matches?</P><P>&nbsp;</P><P>Any advice will be very helpful. Thanks.</P> Thu, 21 Mar 2019 14:21:32 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-best-practice/m-p/254494#M72232 GCSS-RT 2019-03-21T14:21:32Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-best-practice/m-p/254509#M72235 <P>The action of the security policy works at the network layer, so it interrupts a flow of packets, whereas a security profile interacts with layer7, so a url blocking profile will throw up a blocked page instead of the actual webpage, from the network layer perspective the traffic will act normally</P> <P>&nbsp;</P> <P>A 'block' security policy will never use security profiles as the packets are blocked before that rule would engage security profiles</P> <P>Your rule needs to be allow, and with your profiles set, only the allowed custom category urls will be allowed and all others will create block pages for the users</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>There is an in-between solution, where you apply a custom URL category in the 'services' of the security policy</P> <P>This works as a sort of ip-lookup and only allow/deny traffic&nbsp; for the "ips" that match the urls in your custom category</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 21 Mar 2019 14:43:56 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-best-practice/m-p/254509#M72235 reaper 2019-03-21T14:43:56Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-best-practice/m-p/254600#M72254 <P>Thanks for great explanation.</P> Thu, 21 Mar 2019 23:54:51 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-best-practice/m-p/254600#M72254 MP18 2019-03-21T23:54:51Z