This question has been asked in a couple of different ways without a definitive answer that I can find.
My challenge is that we have an external engagement space where designers (internal and external) collaborate on projects. Users thin client into the environment and do their work with data and information going into the secure environment where it stays until project completion.
Originally management stated that there would be no need for internet browser access and all agreed that from a security perspective that was a good thing. Well now there is a need for a handful of links to a few sites to pull data in for the design process.
We're running 4.x OS without a URL filtering license, which I don't think we'd need for this, although I've tried it on another box that had it. I've tried a number of configurations based in large part on earlier questions / posts, to no avail.
So has anyone done this ... block all but a few select URLs or sites?
It should work if you set up your security rules something like this:
From zone: Clients
From address: <client>/<range>
From user: AD/Specific group
To zone: Internet
To address: <webserver>/<range>
URL: www.example.com / example.com (this column is usually hidden - either you set this directly on the security rule or you go through Options -> URL and manually type in the allowed URLs).
App-ID: web-browsing (or whatever it's being identified as).
Options: Log on session end
From zone: Any
From address: Any
From user: Any
To zone: Any
To address: Any
Options: Log on session end
A URL-DB license is not needed if you manually set up your URLs as described above.
However, in your situation I would investigate if it's possible to use curl on a dedicated server which would act like a web cache, and then only allow this server (along with the above URL filter etc.) to access the internet.
This way perhaps only the files needed will be pulled from the internet and made available to the clients without the clients having to browse on their own (this way you lower the possibility of drive-by junk which the sites could suffer from - even if the PA hopefully would catch such things, there are still a few percent of threats that the PA (or competitors) won't detect).
I believe what you are looking to do is explained in this document:
Basically you just need to create custom URL categories for what you want to allow, include these in a profile applied to a security policy, and it should block everything else. I would have thought you could have also used the Block/Allow list in the URL profiles, although I haven't tried this, and the admin guide and other documents make it seem like you can't.
I'll try the zones approach ...
Regarding the document: Can URL profiles be used if there is no URL filtering license? ... I've tried this with numerous tweaks but no luck.
I would try turning on the URL Category column under the security policies. Then, for the sites that you wish to access, create a custom URL category with those sites listed, create a URL filtering profile, and set the action for the custom URL category to allow or alert. Then create an allow security policy with the URL category set to your custom category and apply the URL filtering profile to the policy. This policy will only be hit when someone tries to access the sites listed in the URL category, and it will allow the traffic. The rest of the traffic will be blocked as normal.
To those who've pitched in on this I say thanks ... we now have a working solution although there was no single response that had a definitive answer due to a few caveats as I'll detail below.
A couple of observations about this topic.
What we did....
There are 4 basic steps:
What goofed us up in this was a combination of: not being sure whether the URL license was or was not needed; the fact that the URL we were working with did not use native ports; confusion over the 'service' function in the Security Policy Rule; syntax errors; and uncertainty over how long a URL filter could be.
I hope this helps .. bottom line is we needed more clues to make it work and the time to experiment ... like most things, it was simple once we got past a few hurdles.
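For reference, here is the allow-list build-out from the replies above (custom URL category, allow rule matched on that category, catch-all deny beneath it) expressed as PAN-OS configuration-mode CLI commands. This is an added example, not configuration posted in the thread or published by Palo Alto Networks; the zone names (Clients, Internet), object names (design-allowlist, design-site-8080 and so on), the port 8080 used to illustrate the non-native-port caveat, and the exact `set` syntax are assumptions that should be checked against the CLI reference for your PAN-OS version.

```text
# Added example, not from the thread: PAN-OS configuration-mode commands.
# Zone names, object names, the 8080 port and the exact syntax are assumptions;
# verify against your PAN-OS version's CLI reference before use.
configure

# 1. Custom URL category holding only the permitted sites.
#    No URL-DB license is needed for a custom category.
#    "*.example.com" is the wildcard form for subdomains.
set profiles custom-url-category design-allowlist list [ example.com *.example.com ]

# 2. Custom service for a site that is not on 80/443 (the non-native-port
#    caveat from the final post). Using service "application-default" on the
#    allow rule would silently fail to match such traffic.
set service design-site-8080 protocol tcp port 8080

# 3. Allow rule: matches only when the URL falls in the custom category.
#    For HTTPS the category is matched on the server certificate / SNI, so
#    the "ssl" application must be included alongside "web-browsing".
set rulebase security rules allow-design-sites from Clients to Internet
set rulebase security rules allow-design-sites source any destination any
set rulebase security rules allow-design-sites source-user any
set rulebase security rules allow-design-sites category design-allowlist
set rulebase security rules allow-design-sites application [ web-browsing ssl ]
set rulebase security rules allow-design-sites service [ service-http service-https design-site-8080 ]
set rulebase security rules allow-design-sites action allow
set rulebase security rules allow-design-sites log-end yes

# 3b. (Optional) URL filtering profile with the custom category set to allow,
#     attached to the same rule, as the second reply suggests. Assumed syntax.
set profiles url-filtering design-allowlist-profile allow [ design-allowlist ]
set rulebase security rules allow-design-sites profile-setting profiles url-filtering design-allowlist-profile

# 4. Catch-all deny for all other web traffic from the same zone, logged so
#    that blocked destinations show up in the traffic log for troubleshooting.
set rulebase security rules deny-other-web from Clients to Internet
set rulebase security rules deny-other-web source any destination any
set rulebase security rules deny-other-web source-user any
set rulebase security rules deny-other-web application [ web-browsing ssl ]
set rulebase security rules deny-other-web service any
set rulebase security rules deny-other-web action deny
set rulebase security rules deny-other-web log-end yes

# Rule order is what makes this work: the category-matched allow rule must
# be evaluated before the deny rule.
move rulebase security rules allow-design-sites before deny-other-web

commit
```

After committing, `show session all filter from Clients to Internet` and the traffic log (filtered on the two rule names) show which rule each flow hit; a permitted site landing on deny-other-web usually means the category entry does not match the hostname actually requested, or the service on the allow rule does not cover the port in use.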