02-03-2022 07:13 AM - edited 02-03-2022 07:15 AM
I'm trying to wrap my head around internet filtering. Currently we use a Cisco Ironport WSA that uses WCCP between it and Cisco ASA5525X firewalls. We ran the expedition project on the ASAs and have the config imported to Palo PA-3220s. Since the Palo doesn't do WCCP, we will get rid of the Cisco Ironport WSA virtual machine that has policies and rules for web filtering.
We have multiple IPs and ISP's, so right now we do have Global protect setup and our routing is configured so GP and Cisco Anyconnect VPN's can all coexist and access our core network... but when we go live and eventually pull the plug on the Cisco ASA's and reconfigure our cores default gateway to the Palos, we have to figure out how to get web filtering working.
We have 3 basic requirements and I'll lay them out from most restrictive to least restrictive.
RestricedInternet - This only allows the bare-bones essentials. Almost everything is blocked except Health and Wellness, Financial Services, government, reference and research, news, training and tools, and it turns out for Azure authentication and Adobe Acrobat license check, we also needed to allow low-risk and computer and internet info.
Standard-Internet-NoSocial - This is pretty much the open internet WITHOUT Social Media.
Open-Internet - This is like the policy above but it allows social media. This would be applied to departments like Marketing, Executives, Supervisors.
In ALL cases - all the bad stuff is set to block (malware, c2c, abortion, drugs,m adult, alcohol, copywriter infringement, etc...)
So I have these configured in Objects > Security Profiles > URL Filtering.
Then in Policies > Security we can trigger on the user's active directory group and apply it... however in a security policy rule there's the Service/URL Category tab and on the right side you can add all the denied categories and then in the Actions tab, configure the action to Deny. What's the difference between doing this or setting the appropriate URL Filtering policy under the Profile settings in the actions tab?
Is there also a way to match multiple security rules for Internet filtering? Perhaps I want to allow Adobe Creative Cloud, MS-Update and Store, Office-365, etc. All have their own line item in security policies, however, whichever one is on top it seems the test user I have in restricted internet "hits on"... so I had to put their Restricted Internet ABOVE the allows for Office 365, Adobe CC, etc... but then it's like it hits on that restrictive policy and does not care to move down to the next line and evaluate that hey.... they are allowed to use O365 resources or Adobe CC.
I appreciate the help!
02-03-2022 02:40 PM
The way I have done it is by Active Directory group mappings. This way all you have to do is drop a user into the proper group and they should hit the appropriate URL filter policy.
So basically you would have 3 different objects and assign those objects to a custom policy used for outbound traffic.
I use Exchange logs for the user-id mapping since Outlook is open on everyones machine:
Hope this helps.
02-04-2022 02:43 PM
Not sure what I'm doing wrong here. I'm trying to order the policies so they hit. Everyone is a domain user but I'd think if your in the information technology or ig-socialnetworing AD groups you'd hit on policy 15, which is tied to a URL filtering policy that has all the good internet, including social media - minus bad stuff.
Then if your a lower tier employee and in AD group ig-restricted internet, I'd think you would hit on policy 16 here which is tied to a URL policy that blocks almost everything, except a few things needed for Adobe Acrobat and Office/Azure SAML (computers and info, low risk) and a few things we think is ok like news, financial, health and wellness.
Last is domain users. This should be a safety net. Everyone is a domain user. If you didn't already hit on 15 or 16, you should hit on this policy right? This gives all the good internet except for social media. No timewasting twitter and facebook for these people.
However, I'm testing with a user that is in restricted-intenret group and he can still get to shopping and auctions - all stuff denied in policy 16 above... but facebook and twitter are blocked. He's falling under policy 17 which is true, he is a domain user, except he's also in ig-restrictedintenret. Shouldn't he have hit on that policy and have been blocked from those sites there?
Thanks for your assistance!
02-04-2022 02:59 PM
Those policies look correct. Are the users getting mapped to IP address? Also are the groups in the PAN lists to be looked up?
02-04-2022 06:01 PM
Yes user-id is working and in traffic logs show the test users name, but it’s hitting on policy 17.
The AD group ig-restrictedinternet is in the available drop down when building the policy, so I would think it’s sync’d from AD, but I’ll double check that on Monday.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!