Help with "Deny All, with whitelist of domains"


L0 Member

I have been trying to test out a new policy that will need to be implemented by our security team. This involves a Deny All rule, with a rule right above it that allows a list of domains. These domains include SaaS services, Cloud, and other domains that users must access to achieve daily production. 


I have tried to make the whitelist based on FQDNs, but I am running into a problem when we have CDNs that are embedded in the destined location. I was able to monitor the 3rd-party content and whitelist those URLs as well, but we are still having an issue when some of the domains might have some type of GLB on their end. The PAN does cache 10 IP addresses per FQDN at a time, but I'm afraid that it might not be enough.


We have discussed the options of a web proxy, but I am just curious if anybody has any better ideas on achieving this end goal, specifically with the PAN.


L4 Transporter

For DNS domain-based rules, you had better use the URL filtering functionality. You could create a custom URL category and add all necessary domains to it. Then only allow this custom URL category. This also works without a URL filtering license.

When I spoke to PAN, URL Filtering only applies to HTTP and HTTPS traffic. Therefore, I don't think that it would work for applications.

That's right, I assumed they were web-based applications which are accessed via HTTP/HTTPS. Maybe there is an AppID signature for your particular applications? Do you have examples?
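An added illustration, not written by any poster in this thread and not PAN-OS code: a simplified Python model of why an IP-based FQDN rule with a capped address cache can drop legitimate traffic behind a load balancer, next to a hostname match of the kind a domain allowlist performs. The pool sizes, addresses, domain names, function names and the assumption that firewall and client resolve the name independently are all constructed; the 10-address cap is the figure quoted in the original post.

```python
import random

CACHE_LIMIT = 10  # per-FQDN address cap, as quoted in the original post

def make_pool(size):
    """Constructed backend addresses (TEST-NET-3 documentation range)."""
    return [f"203.0.113.{i}" for i in range(1, size + 1)]

def ip_rule_miss_rate(pool_size, trials=2000, seed=1):
    """Share of client connections whose destination IP is not in the
    firewall's capped cache, when both resolve the name independently."""
    rng = random.Random(seed)
    pool = make_pool(pool_size)
    misses = 0
    for _ in range(trials):
        # Firewall refresh keeps at most CACHE_LIMIT of the pool's addresses.
        cache = set(rng.sample(pool, min(CACHE_LIMIT, pool_size)))
        # The client's own lookup hands it any one address from the pool.
        if rng.choice(pool) not in cache:
            misses += 1
    return misses / trials

# Constructed allowlist standing in for a custom URL category.
ALLOWED_DOMAINS = {"example.com", "saas.example.net"}

def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """Match the requested hostname (HTTP Host / TLS SNI) on a label boundary,
    so the decision does not depend on which IP the name resolved to."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

if __name__ == "__main__":
    for size in (8, 10, 40):
        rate = ip_rule_miss_rate(size)
        print(f"pool of {size:>2} IPs: {rate:.0%} of connections miss the IP rule")
    for h in ("cdn7.example.com", "example.com.attacker.test", "notexample.com"):
        print(f"{h}: {'allow' if host_allowed(h) else 'deny'}")
```

The hostname check only helps for traffic that carries a hostname, which is the HTTP/HTTPS limitation raised in the replies above.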
