Allowing a subnet complete internet access but logging their traffic

Reply
Not applicable

Allowing a subnet complete internet access but logging their traffic

Hi ya'll,

Background:  We have a seperate Vlan that we call "Raw Internet" with no filtering.  This is used by our helpdesk staff.  Which means they have open access to Internet and nothing is being blocked.

Currently we purchased Palo Alto and I was wondering what would be the best way to do this.  Meaning, giving them full access to internet yet log their traffic on Palo Alto.

Furthermore, any configuration examples would be helpful :smileyhappy:

Thank you.

L4 Transporter

This can easily be done be doing one or both of the following:

1. create a policy that allows all applications and services specifically for those users (make sure and I identify either their names if you are using user identification or list their ips)

...you want to do this so that this allow all rule that you create does not apply to all of the other users..

On this allow all rule, make sure that you select log at session end or both log at session end and session start under the "options" section of the policy.

2. Create a url filtering profile (I suggest this because I assume you want to track/log the categorgization of the sites that they are browsing to). In that url filtering profile select ALL category actions as "alert". When you do this you are telling the paloalto device to log all of the user browsing and the site categorizations and allow them..........If you select "allow" you will only allow the sessions and not log them.

thank you,

Stephen

Not applicable

Thank you so much. i kinda had the same idea but was'nt sure.  I will get to test this config tomorrow so hopefully it goes well.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!