topic Re: Security Policy Action Options other than Allow/Deny in General Topics

Security Policy Action Options other than Allow/Deny

linuss — Thu, 16 Feb 2012 09:17:25 GMT

We have a security rule:

Src Zone: Internal

Src User: Any

Dest Zone: Any

Dest Add: Any

Application: Application filter which inlucde all online videos (e.g. adobe-media-player, http-video, tvb-video, youtube-base)

Action: Deny

It works as expected, however some users need to view some business video now. Is there any option to configure 'override' as action in security?

I found 'override' action can be selected in URL Filtering profile, here is part of admin guide:

Override - Allow the user to access the blocked page after entering a password. The password and other override settings are specified in the URL Admin Override area of the Settings page.

If override is not available, any option to allow users to watch video based on Frequency? Let say 3 hours per day?

Re: Security Policy Action Options other than Allow/Deny

rmonvon — Thu, 16 Feb 2012 14:31:15 GMT

Hi...Override & Continue actions are URL filtering actions as you have found and they are not available under the security rule's action. We do not classify recreational vs.business video apps, but web sites are classified by URL filtering categories. Hence, we can choose URL categories to override/continue.

A suggestion is to control which URL categories users/groups are allowed/denied. If they are given access to business web sites, they can access business videos from those sites. Then apply override/continue actions to streaming-media category and apply a QoS policy to control the bandwidth for streaming media.

Also, there is the option to specify time-of-day where the policy is enforced under security rule. You can block youtube, netflix from 8am-5pm while allowing them after hours.

Thanks.

Re: Security Policy Action Options other than Allow/Deny

linuss — Thu, 16 Feb 2012 17:18:49 GMT

rmonvon, thank you for your advice.

URL filtering is not a perfect solution for our case. Because the "business" videos are uploaded to youtube by vendors, e.g. http://www.youtube.com/watch?v=TTTbzbiBFfM&list=PL77D49394B6A8FD31&feature=plcp&context=C38c0451FDOEgsToPDskKoh7mooOkmGNbGHjL4-Ecx

Re: Security Policy Action Options other than Allow/Deny

rmonvon — Thu, 16 Feb 2012 17:37:18 GMT

As far as I know, youtube only classifies materials that are inappropriate for childrens. It does not classify contents as business, health-medicine, etc to filter on.

Re: Security Policy Action Options other than Allow/Deny

mikand — Thu, 16 Feb 2012 21:07:09 GMT

Can you specify somehow who these users are?

Like by srcip or by srcuser (AD integration)?

Since PAN is top-down first-match you could add a rule similar to following just before your current rule to take care of the users who should be able to view online videos:

Src Zone: Internal

Src User: USER_Video_Allowed

Dest Zone: Any

Dest Add: Any

Application: Application filter which inlucde all online videos (e.g. adobe-media-player, http-video, tvb-video, youtube-base)

Action: Allow

Re: Security Policy Action Options other than Allow/Deny

linuss — Fri, 17 Feb 2012 02:06:32 GMT

Yes, we can configure the rule by user or group, however it may not be a good idea to allow some users to override our company policy. We want the users can override some blocked applications when needed but at the same time system can log this action or admin can be alerted. I think it is more flexible.

I know many other brands FW with application control on the market can configure security rule as 'override' or 'alert'. If at the moment this option is not available on PAN device, I suggest adding this feature in the future release.

Re: Security Policy Action Options other than Allow/Deny

mikand — Fri, 17 Feb 2012 03:37:47 GMT

Both continue and block is available in PAN since years.

Just add the custom rule as I described but use a custom security profile where you define that the url category (or all categories for that matter) will result in a continue. This way you will decide through appid which apps should get the continuepage.

You can also select a url profile straigth away from the security rule view but I prefer to bundle stuff into security profiles but thats just a matter of taste.