How do I block all URL traffic but a select few?


L0 Member

This question has been asked in a couple of different ways without a definitive answer that I can find.

My challenge is that we have an external engagement space where designers (internal and external) collaborate on projects. Users thin client into the environment and do their work with data and information going into the secure environment where it stays until project completion.


Originally management stated that there would be no need for internet browser access and all agreed that from a security perspective that was a good thing. Well now there is a need for a handful of links to a few sites to pull data in for the design process.

We're running 4.x OS without URL filtering license which I don't think we'd need for this, although I've tried it on another box that had it. I've tried a number of configurations based in large part on earlier questions / posts to no avail.

So has anyone done this ... block all but a few select URLs or sites?

thanks, dan


Accepted Solutions

L0 Member

To those who've pitched in on this I say thanks ... we now have a working solution although there was no single response that had a definitive answer due to a few caveats as I'll detail below.

A couple of observations about this topic.

  1. A URL filtering license IS NOT required to create and administer specific user-defined URL filters
  2. Read and understand what can and cannot be done with url filters and specifically wild cards ( refer to help under: *Objects > Security Profiles > URL Filtering ). Pay special attention to the syntax.
  3. When creating the policy be aware that binding the browser ports to 80/8080/443 as defined in the pre-defined 'service' (under Policies > Security > [your] Security Policy Rule > 'Service/URL Category') will break (as intended) any url that needs to run on something other than one of these native ports (see explanation below).
  4. Do not precede your filter definitions with 'http or https' (see number 2 above)
  5. Do not attempt to include specific port numbers in your URL filter as the command interpreter will accept this but it doesn't appear to work (use a wild card in place of the port number). <<< someone may want to double check me on this one >>>
  6. A custom URL category to 'Block All' need only contain the single character " * "
  7. If you desire to allow only a specific (lengthy) URL and not everything 'upstream' (think of a directory structure) special care must be taken when creating not only what is allowed but what is denied.

What we did....

There are 4 basic steps:

  1. Define the custom URL category for what is banned or blocked (Objects > Custom URL Category).. " * " works if you want to block everything or you can do something like " wiki.info.acme.com/* " .... this blocks everything below this high level URL (but what about exceptions? .. see # 2 below)
  2. Create a new Security URL Profile (Objects > Security Profiles > URL Filtering). Call it something like 'URL Filter'. In the category field select the custom category you created in step 1 and ensure it is set to action = block. In my case I set all the categories to 'block' even though we don't have a URL filtering license.
    2a. While still in the URL filtering profile section put the URL you want to allow in the 'Allow List' box on the left side of the dialogue box. These are the exceptions to what is blocked and take precedence over what is defined in the categories. Pay special attention to the syntax (see observations # 2 and 4 above)
  3. Create a new policy to permit the special URL (Policies > Security). Call it 'Selective URL Permit'. In the application section you can select any, or 'web-browsing' if you want a bit more security. If your URL does not use native ports (80/8080/443) DO NOT select http/https as services under the 'Service/URL Category' tab. In the Actions tab select "URL Filter" as configured in step 2 above.
  4. Commit the change

What goofed us up in this was a combination of: not being sure the URL license was or was not needed; the fact that the URL we were working with did not use native ports; confusion over the 'service' function in the Security Policy Rule; syntax errors; uncertainty over how long a URL filter could be.

I hope this helps .. bottom line is we needed more clues to make it work and the time to experiment ... like most things, it was simple once we got past a few hurdles.

Dan


5 Replies

L6 Presenter

It should work if you setup your security rules something like this:

From zone: Clients

From address: <client>/<range>

From user: AD/Specific group

To zone: Internet

To address: <webserver>/<range>

Url: www.example.com / example.com (this column is usually hidden - either you set this directly on the security rule or you go through the options->url and manually type in the allowed urls).

Appid: web-browsing (or whatever it's being identified as).

Service: TCP80

Action: Allow

Options: Log on session end

From zone: Any

From address: Any

From user: Any

To zone: Any

To address: Any

Appid: Any

Service: Any

Action: Deny

Options: Log on session end

Url-db license is not needed if you manually setup your urls as described above.

However in your situation I would investigate if it's possible to use curl on a dedicated server which would act like a webcache and then only allow this server (along with the above url filter etc) to access the internet.

This way perhaps only the files needed will be pulled from the internet and made available for the clients without the clients having to browse on their own (this way you lower the possibility of driveby junk which the sites could suffer from - even if the PA hopefully would catch such things there are still a few percent of threats that the PA (or competitors) won't detect).
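The two rules in the reply above and the four steps in the accepted solution, written out as PAN-OS CLI set commands. This is an added example, not configuration from the original posts: the zone names Clients and Internet come from the reply, wiki.info.acme.com from the accepted solution, the path /projects/design/ is a placeholder, and the syntax is that of later PAN-OS releases than the 4.x the thread describes, so verify each token against the CLI help on your version (the allow-list field of the URL filtering profile in particular was removed in PAN-OS 9.0). Lines beginning with # are annotations, not CLI input.

```text
# Step 1 (Objects > Custom URL Category): one category that matches every
# URL, and one for the single site the designers are allowed to reach
set profiles custom-url-category block-all list [ * ]
set profiles custom-url-category design-sources list [ wiki.info.acme.com/projects/design/* ]

# Step 2 (Objects > Security Profiles > URL Filtering): block the catch-all
# category; the allow list is the exception and wins over any category match.
# No scheme prefix and no port number in the entries (observations 4 and 5)
set profiles url-filtering "URL Filter" block [ block-all ]
set profiles url-filtering "URL Filter" allow-list [ wiki.info.acme.com/projects/design/* ]

# Step 3 (Policies > Security): the permit rule. Service stays 'any' so a
# site on a non-standard port is not broken by the http/https service objects
set rulebase security rules "Selective URL Permit" from Clients
set rulebase security rules "Selective URL Permit" to Internet
set rulebase security rules "Selective URL Permit" source any
set rulebase security rules "Selective URL Permit" destination any
set rulebase security rules "Selective URL Permit" application web-browsing
set rulebase security rules "Selective URL Permit" service any
set rulebase security rules "Selective URL Permit" category design-sources
set rulebase security rules "Selective URL Permit" action allow
set rulebase security rules "Selective URL Permit" profile-setting profiles url-filtering "URL Filter"
set rulebase security rules "Selective URL Permit" log-end yes

# Explicit deny-all beneath it, logged at session end, so blocked attempts
# appear in the traffic log instead of vanishing into the implicit interzone deny
set rulebase security rules "Deny Everything Else" from any
set rulebase security rules "Deny Everything Else" to any
set rulebase security rules "Deny Everything Else" source any
set rulebase security rules "Deny Everything Else" destination any
set rulebase security rules "Deny Everything Else" application any
set rulebase security rules "Deny Everything Else" service any
set rulebase security rules "Deny Everything Else" action deny
set rulebase security rules "Deny Everything Else" log-end yes

# Step 4
commit
```

After the commit, a request to wiki.info.acme.com/projects/design/... should log against "Selective URL Permit" and anything else against "Deny Everything Else"; a hit on the deny rule for the allowed site usually means the allow list entry's syntax does not match what the browser actually requested.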

L2 Linker

I believe what you are looking to do is explained in this document:

Can URL Profiles be used if there is No URL Filtering License?

Basically you just need to create custom URL categories for what you want to allow, include these in a profile applied to a security policy, and it should block everything else. I would have thought you could have also used the Block/Allow list in the URL profiles, although I haven't tried this and the admin guide and other documents make it seem like you can't.

I'll try the zones approach ...

Regarding the document: Can URL Profiles be used if there is No URL Filtering License? ..... I've tried this with numerous tweaks but no luck.

I would try turning on the URL Category column under the security policies and then for the sites that you wish to access create a custom URL category with those sites listed and then create a URL filtering profile and set the action for the custom URL category to allow or alert. Then create an allow security policy with the URL category of your custom category then apply the URL filtering profile to the policy. This policy will only be hit when someone tries to access the sites listed in the URL category and allow the traffic. The rest of the traffic will be blocked as normal.

