https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12922#M9468 <HTML><HEAD></HEAD><BODY><P>Follow jdavis advice and create a _new_ URL filter profile. Then use this in a new firewall policy that targets that specific network host.</P><P></P><P>Just make sure that the new policy is above any other policy that allow web browsing.</P><P></P><P>//Marcus</P></BODY></HTML> Thu, 11 Aug 2011 12:46:40 GMT admin3r 2011-08-11T12:46:40Z https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12917#M9463 <HTML><HEAD></HEAD><BODY><P> Is there a way to restrict internet access to a device so that it can only get out to a particular website?</P></BODY></HTML> Wed, 10 Aug 2011 18:08:03 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12917#M9463 lcepeda 2011-08-10T18:08:03Z https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12918#M9464 <HTML><HEAD></HEAD><BODY><P>You can setup a URL filterig profile with allowed sites and block the rest.</P><P>Security rule for the source can be setup trust to untrust allow and apply the security profile.</P><P></P><P>The security profile will scan the traffic after it matches the allow/deny condition and will allow only sites allowed. </P></BODY></HTML> Thu, 11 Aug 2011 03:08:33 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12918#M9464 ukhapre 2011-08-11T03:08:33Z https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12919#M9465 <HTML><HEAD></HEAD><BODY><P>That's just the thing.&nbsp; I don't find the place where I can add URL addresses.&nbsp; Perhaps I'm not in the right place. I'm looking under policies , new, security policy I just want to allow this host to get out to one site on the web.&nbsp; Thanks, Leo</P></BODY></HTML> Thu, 11 Aug 2011 03:37:56 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12919#M9465 lcepeda 2011-08-11T03:37:56Z https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12920#M9466 <HTML><HEAD></HEAD><BODY><P>You'll find what you're looking for under Objects tab &gt; Security Profiles section &gt; URL Filtering link.&nbsp; Either edit an existing profile or create a new one.&nbsp; You'll find a Block List and an Allow List.&nbsp; You'll need to commit the configuration change for it to take effect.</P><P></P><P>Best Regards,</P><P>Jared </P></BODY></HTML> Thu, 11 Aug 2011 04:29:08 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12920#M9466 jdavis 2011-08-11T04:29:08Z https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12921#M9467 <HTML><HEAD></HEAD><BODY><P>Hey Jared,</P><P>thanks for pointing me in the right direction but I'm affraid what I do there will affect everyone.&nbsp; I just need to restrict a single host on the network to be able to get out only to one site.&nbsp; I dont want to enforce that on everyone.&nbsp; I dont see a way to target that list from anywhere else.</P><P>any thoughts?</P><P></P><P>thanks,</P><P>Leo </P></BODY></HTML> Thu, 11 Aug 2011 12:37:02 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12921#M9467 lcepeda 2011-08-11T12:37:02Z https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12922#M9468 <HTML><HEAD></HEAD><BODY><P>Follow jdavis advice and create a _new_ URL filter profile. Then use this in a new firewall policy that targets that specific network host.</P><P></P><P>Just make sure that the new policy is above any other policy that allow web browsing.</P><P></P><P>//Marcus</P></BODY></HTML> Thu, 11 Aug 2011 12:46:40 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12922#M9468 admin3r 2011-08-11T12:46:40Z https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12923#M9469 <HTML><HEAD></HEAD><BODY><P>Hi Leo,</P><P></P><P>Try creating a new URL filtering profile that will only be used to control traffic from your single host.</P><P></P><P>Any changes made in this new profile will not affect users of other profiles. </P><P></P><P>Enter the URL you want to allow in the allow list and block the rest.&nbsp; Then in your security policy, add a rule to apply your new URL filtering profile to just traffic originating from your single host.</P><P></P><P>Regards,</P><P>Dave</P></BODY></HTML> Thu, 11 Aug 2011 12:52:21 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12923#M9469 DavePalo 2011-08-11T12:52:21Z https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12924#M9470 <HTML><HEAD></HEAD><BODY><P>Thanks guys, I had neglected to select "profiles" from within the actions tab.&nbsp; That's why I didn't see the url filter I created.</P><P></P><P>I will now commit this policy and cross my fingers that it works.</P><P></P><P>I'm now wondering if I need to create another filter that blocks everything and they apply both to the host so that only the site I specified in allow will work.&nbsp; We'll see.</P><P></P><P>Thanks again for your help!</P><P></P><P>Leo</P></BODY></HTML> Thu, 11 Aug 2011 12:54:56 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12924#M9470 lcepeda 2011-08-11T12:54:56Z https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12925#M9471 <HTML><HEAD></HEAD><BODY><P> Hi Leo,</P><P></P><P>Just to provide you mode details:</P><P></P><P>1. Allow list: you allow any URLs on the list without logging</P><P>2. Block List: by default you are blocking URLs on the list with logging</P><P>3. Category: you can choose to alert/block/allow/continue/overide any URL access</P><P></P><P>As you can see category gives you more option on details. It maybe better for you to:</P><P></P><P>1. go to object-&gt;custom URL category</P><P>2. manual input the list of URL you want to allow</P><P>3. go back to the policy to create a URL profile</P><P>4. keep the whitelist and blocklist blank</P><P>5. on the right hand side set all the action to be block</P><P>6. on the right hand side find out the custom category you have just created (there will be * at the end of the category name to indicate that is a custom category)</P><P>7. change the action for this specific the custom category. E.g if you just want to allow them without logging choose allow; if you want to allow them with logging choose alert; if you want to provide a warning page before you allow them choose continue.</P><P>8. commit</P><P></P><P>Now you are using category to control the access, and what you need to do is to update the custom category from object page time to time.</P></BODY></HTML> Thu, 11 Aug 2011 15:14:52 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12925#M9471 jleung 2011-08-11T15:14:52Z https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12926#M9472 <HTML><HEAD></HEAD><BODY><P>Thanks for the feedback.&nbsp; I actually tried using the category list and blocked all of them.</P><P>All I want is access to one site.&nbsp; Unfortunately by doing it this way sub-pages within the allowed website fail to load properly.&nbsp; For example I tested with allowing *.cnn.com/* but the only page that opens is the home page.&nbsp; All other subpages within the cnn.com website appear as broken links.</P><P>And yes all other sites are blocked and it is displayed in the host browser.&nbsp; So that's pretty cool.&nbsp; I'll keep messing with it.</P><P></P><P>Thanks,</P><P>Leo</P></BODY></HTML> Thu, 11 Aug 2011 15:27:49 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-internet-access/m-p/12926#M9472 lcepeda 2011-08-11T15:27:49Z