
How can I block a URL from the internet?

L1 Bithead

Here is my dilemma:

 

I have an appliance that is accessible over the internet. I need the public to be able to access this (it is for web conferencing). The admin portal is also available. I would like to block access to the admin portal over the internet, and make it only available from my LAN (via its private IP).

 

Let's say that the URL is: https://mysite.mycompany.com

The admin site is: https://mysite.mycompany.com/admin

 

Is there a way to block access to /admin, but still allow traffic to the other site?

2 REPLIES

L6 Presenter

Depends on what version of PAN-OS you're on.

 

From version 6.1.X on, you're good. Follow these guides (essentially, you'll just want to create a custom URL Object and use it in policy based upon how you desire to allow or deny on a case-by-case basis):

 

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/url-filtering/block-and-allow-lists#...

 

 

"For example: If you want to prevent a user from accessing any website within the domain paloaltonetworks.com, you would also enter *.paloaltonetworks.com, so whatever domain prefix (http://, www, or a sub-domain prefix such as mail.paloaltonetworks.com) is added to the address, the specified action will be taken. The same applies to the sub-domain suffix; if you want to block paloaltonetworks.com/en/US, you would need to add paloaltonetworks.com/* as well."

 

https://downloads.paloaltonetworks.com/software/PAN-OS-6.1.0-RN.pdf?__gda__=1465314609_557613dbafd2a...

 

"PAN-DB can now categorize content down to the page level instead of just at the directory level. Because the pages within a domain can belong to multiple categories, this capability provides increased accuracy in filtering content and prevents potential over-blocking of web content. If, for example, you block malware and allow access to business/news content for users on your network, they can access http://www.acme.com/c/news.html because it is categorized as news/business, but be denied access to http://www.acme.com/c/malware.exe because PAN-DB categorizes the full-path for this web page as malware."

 

 

 

L7 Applicator

You should also check with your conferencing software vendor.  Many of them anticipate this problem and provide mechanisms to restrict Admin access at the application level on the server.  They also might provide options for role separations so that your public facing server does not have these features enabled.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
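
The wildcard rule quoted in the first reply can be checked against a candidate URL list before it goes into policy. The following is an added example, not code from the thread or from Palo Alto Networks: it is a simplified model of that quoted rule (an assumption, not the PAN-OS matching engine) in which an entry matches only what it spells out and `*` stands for one or more characters. The request paths under `/admin` and `/join` are constructed.

```python
import re
from urllib.parse import urlsplit

def normalize(url):
    """Reduce a URL to 'host/path': no scheme, port, query or trailing slash."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower() + parts.path.rstrip("/")

def entry_to_regex(entry):
    """Simplified model (assumption): '*' stands for one or more characters,
    stays inside the host when used there, and nothing is matched implicitly."""
    host, slash, path = entry.rstrip("/").partition("/")
    host_re = "[^/]+".join(re.escape(p) for p in host.lower().split("*"))
    path_re = ".+".join(re.escape(p) for p in path.split("*"))
    return re.compile(host_re + ("/" + path_re if slash else ""))

def matches(entry, url):
    """True if a single list entry covers the URL under the model above."""
    return entry_to_regex(entry).fullmatch(normalize(url)) is not None

def matched_by(entries, url):
    """Return the first list entry that covers the URL, or None."""
    return next((e for e in entries if matches(e, url)), None)

# Candidate custom URL lists for the admin portal from the question.
EXACT_ONLY = ["mysite.mycompany.com/admin"]
ADMIN_TREE = ["mysite.mycompany.com/admin", "mysite.mycompany.com/admin/*"]

# Constructed sample requests; the paths below /admin and /join are made up.
SAMPLES = [
    "https://mysite.mycompany.com/",
    "https://mysite.mycompany.com/join/12345",
    "https://mysite.mycompany.com/admin",
    "https://mysite.mycompany.com/admin/users/edit",
]

if __name__ == "__main__":
    # Show, per request, which entry of each candidate list would catch it.
    for url in SAMPLES:
        print(f"{url:48} exact-only={matched_by(EXACT_ONLY, url)!s:28} "
              f"tree={matched_by(ADMIN_TREE, url)}")
```

The portal in the question is served over HTTPS, so the firewall can compare the `/admin` path only if it decrypts that traffic; without decryption it sees the hostname but not the path.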