How paloalto security roles work

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

How paloalto security roles work

L2 Linker

Hello Everyone

I want to know about Paloalto security roles. I mention the problem I have

In our system, there are many roles for internet access. All roles are assigned with active directory groups.
A user can have one or more internet roles.
For example: One user can have both "low internet" and "social internet". And the url filter of each one is different.
It used to work with this rule, but now according to policy role rules, whichever role is higher, it works. There is no request for the second role.
Please help me on this. What can I do to make all roles work regardless of their location in the previous order.
For example, when you enter, the request should be addressed to the "social-internet", not the "low-internet"


Thanks in advance.


Cyber Elite
Cyber Elite


The firewall reads the policies from top down and left to right. Once it finds a matching policy to the traffic, it applies that policy and stops looking for more. So its a balancing act to how to order your policies so that one does not over ride the others. So for this case, lets say the 'low internet' policy is rule 50 and 'social internet' is 55. If the traffic matches both, it will only use the 'low internet' policy since its 'higher' in the list. If the traffic only matches the 'social internet' policy, it will apply that policy. 


Hope that helps.

Thank you very much. 

Note that you can also create custom URL Categories and use that custom object as a filter in your Security Policy. So, for instance, you can make a "Youtube" URL Category with ", *,, *" entries. Then have a Security Policy "Allow-Internet-Youtube" with filters for the userID and "Youtube" URL category to match outgoing traffic. Only the matching users going to the listed Youtube URLs will match and be allowed. Matching users who are not currently going to Youtube (and other users, etc.) will fall back to the low-internet general access Security Policy.


We use this strategy to allow specific users to access various social media sites in unique combinations (i.e. Alice can access Instagram/Facebook/Twitter, Bob can access Facebook/Twitter, Carol can access Instagram). Only the matching URL traffic goes through the specific Allow- rule

  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!