10-16-2012 10:19 AM
I just upgraded from 4.0.7 to 4.1.6. Since this upgrade our monitoring server in the LAN 10.x.x.x/24 cannot browse to our web servers in the DMZ 192.168.X.X/24. It shows up as action blocked-url, with Category of private-ip-addresses. I have private-ip-addresses blocked in the URL filtering but I have a custom URL category defined that allows access to 192.168.x.x/24. This worked before the upgrade. I can put the URL in the allowed list and it works, but I would like to find a way to allow access to the entire 192.168.x.x/24 network.
Any suggestions on the best way to do this?
Thanks,
Michael
10-16-2012 12:39 PM
Since PA uses (the common) top-down first-match you could set it up like:
1)
srcip: 10.x.x.x/24
dstip: 192.168.X.X/24
appid: web-browsing (or whatever is being used)
action allow
2)
srcip: 10.x.x.x/24
dstip: any
appid: web-browsing, ssl (and so on)
url-category: blocked_categories + manual blacklist
action deny
3)
srcip: 10.x.x.x/24
dstip: any
appid: web-browsing, ssl (and so on)
url-category: allowed_categories
action allow
10-16-2012 12:58 PM
mikand,
Thanks. That looks good. I have a couple of questions.
Wouldn't I want to make the dstip: in #2) 192.168.0.0/16 so it would only block private ips? Or am I reading this wrong?
Also, I mostly use the GUI for configuration. Where would I put this in?
Michael
10-16-2012 05:47 PM
Michael, you are correct. You will want to specify 192.168.0.0/16 per RFC 1918 spec.
The above configuration examples should be configured in your security policy rules under Policies > Security.
10-17-2012 02:18 AM
1) We allow the traffic from client network to this DMZ no matter what the category is (you could of course put a limit on which categories should be allowed if you wish).
2) We deny globally client network from reaching banned categories (or for that matter a manual blacklist).
3) We allow globally client network to reach allowed categories.
4) Default deny + log (I didn't write this since it should be in all firewalls already)
The point here is that because PA is top-down first-match http/https-traffic client -> DMZ will hit first rule and since that action is allow the traffic will be allowed through.
Rule 2 above is like the "default" for the client network; we don't want them to visit, for example, malware sites or ad sites.
The third rule is more of a safety guard. The allowed categories should be the reverse of the banned categories. However, you can face situations (especially if you have more than these 3 rules) where a later rule would "override" what you thought you did earlier on in the rule chain.
The banned categories (rule 2) could also be just a manual blacklist, while rule 3 will be the "default" regarding which categories are allowed to be visited (so if the client tries to reach an uncategorized site it will be blocked if it's not in the URL DB, or, if you enable dynamic URLs, not available in the "cloud" regarding which category the URL belongs to).
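To make the top-down first-match behaviour discussed above concrete, here is an added toy evaluator (not code from the thread or from PAN-OS) that models the three posted rules plus the implicit default deny. Networks, App-IDs and category names are constructed sample values; a real firewall evaluates zones, ports and more.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    apps: frozenset        # App-IDs, or {"any"}
    categories: frozenset  # URL categories, or {"any"}
    action: str            # "allow" or "deny"

    def matches(self, src, dst, app, category):
        def in_net(ip, net):
            return net == "any" or ip_address(ip) in ip_network(net)

        def in_set(value, allowed):
            return "any" in allowed or value in allowed

        return (in_net(src, self.src) and in_net(dst, self.dst)
                and in_set(app, self.apps)
                and in_set(category, self.categories))


def evaluate(rules, src, dst, app, category):
    """First matching rule decides; otherwise the implicit default deny
    (rule 4 in the thread) applies. Returns (rule name, action)."""
    for rule in rules:
        if rule.matches(src, dst, app, category):
            return rule.name, rule.action
    return "default-deny", "deny"


# Constructed sample rule base following the three posted rules.
# Rule 1 allows LAN -> DMZ regardless of URL category, so the
# "private-ip-addresses" verdict never reaches the deny in rule 2.
WEB = frozenset({"web-browsing", "ssl"})
BLOCKED = frozenset({"private-ip-addresses", "malware", "manual-blacklist"})
ALLOWED = frozenset({"business-and-economy", "search-engines"})
ANY = frozenset({"any"})

RULES = [
    Rule("1-lan-to-dmz", "10.0.0.0/24", "192.168.1.0/24", WEB, ANY, "allow"),
    Rule("2-deny-categories", "10.0.0.0/24", "any", WEB, BLOCKED, "deny"),
    Rule("3-allow-categories", "10.0.0.0/24", "any", WEB, ALLOWED, "allow"),
]
```

Reordering `RULES` so rule 2 comes before rule 1 reproduces the symptom from the first post: the same LAN to DMZ request is then denied with category private-ip-addresses.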
10-17-2012 12:10 PM
Thanks both of you for the information and ideas. I'm going to put this in tonight.