This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How paloalto security roles work

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

How paloalto security roles work

Fagani
L2 Linker

‎09-27-2022 12:31 AM

Hello Everyone


I want to know about Paloalto security roles. I mention the problem I have


In our system, there are many roles for internet access. All roles are assigned with active directory groups.
A user can have one or more internet roles.
For example: One user can have both "low internet" and "social internet". And the url filter of each one is different.
It used to work with this rule, but now according to policy role rules, whichever role is higher, it works. There is no request for the second role.
Please help me on this. What can I do to make all roles work regardless of their location in the previous order.
For example, when you enter youtube.com, the request should be addressed to the "social-internet", not the "low-internet"

 

Thanks in advance.

0 Likes Likes
3 REPLIES 3

OtakarKlier
Cyber Elite
Cyber Elite

‎09-27-2022 11:53 AM

Hello,

The firewall reads the policies from top down and left to right. Once it finds a matching policy to the traffic, it applies that policy and stops looking for more. So its a balancing act to how to order your policies so that one does not over ride the others. So for this case, lets say the 'low internet' policy is rule 50 and 'social internet' is 55. If the traffic matches both, it will only use the 'low internet' policy since its 'higher' in the list. If the traffic only matches the 'social internet' policy, it will apply that policy. 

 

Hope that helps.

Fagani
L2 Linker
In response to OtakarKlier

‎01-31-2023 02:18 AM

Thank you very much. 

0 Likes Likes

Adrian_Jensen
L6 Presenter
In response to Fagani

‎01-31-2023 08:48 AM

Note that you can also create custom URL Categories and use that custom object as a filter in your Security Policy. So, for instance, you can make a "Youtube" URL Category with "youtube.com/, *.youtube.com, youtu.be/, *.youtu.be/" entries. Then have a Security Policy "Allow-Internet-Youtube" with filters for the userID and "Youtube" URL category to match outgoing traffic. Only the matching users going to the listed Youtube URLs will match and be allowed. Matching users who are not currently going to Youtube (and other users, etc.) will fall back to the low-internet general access Security Policy.

 

We use this strategy to allow specific users to access various social media sites in unique combinations (i.e. Alice can access Instagram/Facebook/Twitter, Bob can access Facebook/Twitter, Carol can access Instagram). Only the matching URL traffic goes through the specific Allow- rule

  • 1615 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks