Custom URL category issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Custom URL category issue

L3 Networker

I have read through a number of URL category issues, but I just cannot find something like this and I am baffled so far. I have two users, inside and outside, that access a certain internal webserver. What I am trying to do is the following.

outside:

allow: a.b.com/sites/outside and a.b.com/sites/common

block: a.b.com (the rest of the site)

inside:

allow: a.b.com (the rest of the site), including a.b.com/sites/inside and a.b.com/sites/common (I know they are part of the shorter domain entry)

block: a.b.com/sites/outside

 

Every time I add the root of the site to the custom categories it messes everything else up that is in place and outside is blocked to everything and inside is allowed access to a.b.com/sites/outside. It is like adding in the root overrides everything and the more detailed entries are ignored.

 

Where I am right now: I am blocking all other categories as they are not necessary as this is pointing to an inside server. I have four custom categories that I am trying in various combinations to resolve this.

 

cat-outside (a.b.com/sites/outside)

cat-inside (a.b.com/sites/inside)

cat-common (a.b.com/sites/common)

cat-site (a.b.com)

 

When I delete cat-site, I am getting a good block and allow for the extended URI entries and both users can also access the root, a.b.com/. When I add in a block for outside for the cat-site, outside loses access to common and outside. It appears that cat-site is overriding the other custom categories. Same experience for inside, I add cat-site allow, and it now has access to outside.

 

Is there anyway to prioritize the category with more descriptive entries over the more generic? 

 


Bruce.

Learn at least one new thing every day.
3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

I know this is probably not what you want to hear, but URL filtering inbound is not a great solution. Any chance they can VPN in? Also verify that the different categories are not in the same Policy and the policies are configured correctly.

Good luck. 

Cyber Elite
Cyber Elite

@BruceBennett,

Seconding @OtakarKlier, but I'll also offer the option of creating a custom threat signature that you could use and apply to each subset. I'm actually not a fan of using the firewall for stuff like this. A load balancer like NGINX can do stuff like this easily and would be a more appropriate solution. 

L3 Networker

@BPry & @OtakarKlier I agree completely, thank you for the replies.

 

All of the users are internal to the company, we are just trying to restrict the access based on the different locations they are in on the network. The inside and outside references are to a secure vlan (inside) and normal user (outside). The different URI locations are for transferring files in and out of the secure environment. 

 

I think I would have ended up with a novel trying to explain that without your statement referring to the inbound URL filtering. I had not even thought of it as inbound filtering, I was looking at it all from the users side. The only thing that is causing me issues, right now, is trying to block access to the rest of the site and only allowing access to the specific URIs.

 


Bruce.

Learn at least one new thing every day.
  • 1415 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!