PA-500 Url Filtering

L1 Bithead

PA-500 Url Filtering

Hello,

I have another problem with policies...

I used AD to filter which people can access the appropriate site.

And I have rules in this order:

1. Allow facebook (where I give access to the whole facebook application)

2. Allow Youtube (where I use URL filtering)

In my opinion, when a user who is in the groups allow_facebook and allow_youtube wants to open the Facebook site, he is using the first rule and can open the site?

But in my network this user uses the second rule and he gets the information about a blocked site....

I don't know what I'm doing wrong..

L4 Transporter

Re: PA-500 Url Filtering

Check from the CLI that said user is really in the allow_facebook group if the rule is not applying to him.

L3 Networker

Re: PA-500 Url Filtering

Is the rule/application specifically for Facebook-BASE?

Does that first rule allow the traffic for another user?

In other words, can another user from the approved 'AD OU' group get to the site?

You want to determine whether it is a user issue or a security policy issue.

When you look in the logs afterward, filter by user name and see which policy that traffic is hitting.
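The two checks suggested in the replies above (is the user really seen in allow_facebook, and is the first rule matching on the right application) can be reasoned about with a small first-match model. This is an added example, not part of the original posts and not PAN-OS code; the rule names, the URL category labels and the simplified matching logic are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset                      # source-user groups the rule matches
    apps: frozenset                        # applications matched ("any" = all)
    url_allow: Optional[frozenset] = None  # URL filtering: allowed categories

# Constructed rulebase mirroring the order described in the question.
RULEBASE = [
    Rule("1-allow-facebook", frozenset({"allow_facebook"}),
         frozenset({"facebook-base"})),
    Rule("2-allow-youtube", frozenset({"allow_youtube"}), frozenset({"any"}),
         url_allow=frozenset({"youtube-sites"})),
]

def evaluate(groups_seen, app, url_category, rulebase=RULEBASE):
    """Walk the rules top-down and return (rule name, verdict) of the first match."""
    for rule in rulebase:
        if not (rule.groups & set(groups_seen)):
            continue  # the firewall does not see the user in this rule's groups
        if "any" not in rule.apps and app not in rule.apps:
            continue  # the session's application is not one this rule lists
        if rule.url_allow is not None and url_category not in rule.url_allow:
            return rule.name, "block-url"  # rule matched, URL filtering blocks
        return rule.name, "allow"
    return "default", "deny"

def explain(label, groups_seen, app):
    rule, verdict = evaluate(groups_seen, app, "social-networking")
    return f"{label}: rule={rule} verdict={verdict}"

if __name__ == "__main__":
    both = ["allow_facebook", "allow_youtube"]
    # Expected case: user mapped to both groups, session seen as facebook-base.
    print(explain("both groups, facebook-base", both, "facebook-base"))
    # Group mapping on the firewall is missing allow_facebook.
    print(explain("youtube group only", ["allow_youtube"], "facebook-base"))
    # Session is identified as a different application than rule 1 lists.
    print(explain("both groups, web-browsing", both, "web-browsing"))
```

In this model the second and third cases both land on the second rule and receive the block, which is why the traffic log filtered by user name and the group membership seen by the firewall are the two things to compare.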

 

L4 Transporter

Re: PA-500 Url Filtering

Hello,

Could you verify this counter:

show counter global filter | match url_request_pkt_drop

You will get something like this:

url_request_pkt_drop    334056   10 drop   url   pktproc

If you have some dropped packets, it's due to the waiting time for the URL categorisation request.

To resolve this, modify this parameter:

set deviceconfig setting ctd url-wait-timeout

and define a value greater than 5 and less than 60.

By default PAN-OS uses a value of 5 s, and the PA-500 is too light to process the categorisation and goes over the limit of 5 s.

You can't increase the capacity of the PA-500, but you can increase the acceptable time to resolve the query.

Regards

You can find more info:

https://live.paloaltonetworks.com/t5/Management-Articles/What-is-the-Cause-of-Packets-Dropped-Due-to...

 
