08-31-2022 03:34 PM
I have read through a number of URL category issues, but I just cannot find something like this and I am baffled so far. I have two users, inside and outside, that access a certain internal webserver. What I am trying to do is the following.
outside:
allow: a.b.com/sites/outside and a.b.com/sites/common
block: a.b.com (the rest of the site)
inside:
allow: a.b.com (the rest of the site), including a.b.com/sites/inside and a.b.com/sites/common (I know they are part of the shorter domain entry)
block: a.b.com/sites/outside
Every time I add the root of the site to the custom categories, it messes everything else up that is in place: outside is blocked to everything and inside is allowed access to a.b.com/sites/outside. It is like adding in the root overrides everything and the more detailed entries are ignored.
Where I am right now: I am blocking all other categories as they are not necessary as this is pointing to an inside server. I have four custom categories that I am trying in various combinations to resolve this.
cat-outside (a.b.com/sites/outside)
cat-inside (a.b.com/sites/inside)
cat-common (a.b.com/sites/common)
cat-site (a.b.com)
When I delete cat-site, I am getting a good block and allow for the extended URI entries and both users can also access the root, a.b.com/. When I add in a block for outside for the cat-site, outside loses access to common and outside. It appears that cat-site is overriding the other custom categories. Same experience for inside: I add cat-site allow, and it now has access to outside.
Is there any way to prioritize the category with more descriptive entries over the more generic?
09-01-2022 08:39 AM
Hello,
I know this is probably not what you want to hear, but URL filtering inbound is not a great solution. Any chance they can VPN in? Also verify that the different categories are not in the same Policy and the policies are configured correctly.
Good luck.
09-01-2022 11:46 AM
Seconding @OtakarKlier, but I'll also offer the option of creating a custom threat signature that you could use and apply to each subset. I'm actually not a fan of using the firewall for stuff like this. A load balancer like NGINX can do stuff like this easily and would be a more appropriate solution.
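As an added illustration of the NGINX approach mentioned in the reply above (not part of the original post and not the poster's configuration), the allow/block matrix from the question can be written as per-path access rules on a reverse proxy in front of a.b.com. The two subnets, the TLS file paths and the backend address are placeholders assumed for the example.

```nginx
# Added example for the http{} context (e.g. a conf.d file).
# From the thread: a.b.com and the /sites/... paths.
# Placeholders (assumptions): both subnets, TLS file paths, backend address.

upstream app_backend {
    server 192.0.2.10:8080;            # placeholder backend
}

server {
    listen 443 ssl;
    server_name a.b.com;
    ssl_certificate     /etc/nginx/tls/a.b.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/a.b.com.key;   # placeholder

    proxy_set_header Host $host;

    # Regex locations are evaluated before the plain "/" prefix is used,
    # so the specific paths always win over the site root.
    # ~* ignores case, so /Sites/Outside cannot fall through to "/" when
    # the backend treats paths case-insensitively.
    # (/|$) stops /sites/outside2 from matching the /sites/outside rule.

    location ~* ^/sites/outside(/|$) {
        allow 10.20.0.0/16;            # outside (normal user VLAN), placeholder
        deny  all;                     # inside receives 403 here
        proxy_pass http://app_backend;
    }

    location ~* ^/sites/inside(/|$) {
        allow 10.10.0.0/16;            # inside (secure VLAN), placeholder
        deny  all;
        proxy_pass http://app_backend;
    }

    location ~* ^/sites/common(/|$) {
        allow 10.10.0.0/16;
        allow 10.20.0.0/16;
        deny  all;
        proxy_pass http://app_backend;
    }

    # Rest of a.b.com: inside only; any other source gets 403.
    location / {
        allow 10.10.0.0/16;
        deny  all;
        proxy_pass http://app_backend;
    }
}
```

NGINX matches locations against the normalized request path (percent-decoded, with `..` segments and duplicate slashes resolved), so the rules apply to the path the backend will actually serve. Running `nginx -t` after editing checks the syntax before a reload.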
09-07-2022 08:00 PM
@BPry & @OtakarKlier I agree completely, thank you for the replies.
All of the users are internal to the company; we are just trying to restrict the access based on the different locations they are in on the network. The inside and outside references are to a secure VLAN (inside) and normal user (outside). The different URI locations are for transferring files in and out of the secure environment.
I think I would have ended up with a novel trying to explain that without your statement referring to the inbound URL filtering. I had not even thought of it as inbound filtering; I was looking at it all from the user's side. The only thing that is causing me issues, right now, is trying to block access to the rest of the site and only allowing access to the specific URIs.