i have another problem with policies...
I used AD to filter people which can access the appropriate site.
And I have rule in order:
1. Allow facebook (when I give access to whole facebook application)
2. Allow Youtube (when I use url filtering)
In my opinion when user who is in group allow_facebook and allow_youtube and want to open the facebook site are using first rule and can open the site?
But in my network this user use second rule and he has information about blocked site....
I don't know what I do wrong..
Is the rule/application it specifically for Facebook-BASE
Does that first rule allow the traffic for another user?
in otherwords can another user from the approved 'AD OU' group get to the site
you want to determine is it a user issue or a security policy issue
When you look in the logs afterward - filter by user name and see which policy that traffic is hitting
could you verify this counter
show counter global filter | match url_request_pkt_drop
you obtain something like this
url_request_pkt_drop 334056 10 drop url pktproc
if you have some drop packet it's du to the waiting time for url categorisation request
to resolve this
modify this parameter
set deviceconfig setting ctd url-wait-timeout
and define a value greater than 5 and less than 60
by default panos use a value of 5 s and the PA-500 is to light to process the categorisation and takeover the limit of 5s
you and increase the capacity of the PA-500 but increase the acceptable time to resolve the query
you can find more info
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!