I am testing paloalto firewall and have a basic question.
How to enable access
to face book to some users , but block the other social networking sites.
I setup a default policy to all users and my default URL policy
is to blocked social networking. Then I created another policy for a group of people, and on application level
choose face book and action allow. Well, If I choose no profile for URL the rule
allow everything. If I choose default url profile, facebook is blocked since social –networking is
blocked . What am I missing here?
You can do the following steps
1)set up a default policy to all users and default URL profile A to block social networking sites.
2) create another policy on the top of the default policy and create another URL profile B and apply this profile to the security policy. In this URL profile block all the social networking websites and in the allow list type this *.facebook.com/*. This will allow only facebook and will block all other social media sites to these users.
The tricky part with Facebook is that they dont only use *.facebook.com but also other domains incl. CDN.
I think I would set it up like:
Rule1) Deny url:Social Networking except custom_facebook.
Rule2) Deny appid:facebook-apps (you can ignore this rule if you wish to allow everything that has to do with facebook).
Rule3) Allow appid:facebook,ssl,web-browsing, url:custom_facebook (where you add *.facebook.com and the other domains needed).
I think in PANOS-5.x the dependencies will be improved so I hope you wont need ssl and web-browsing any longer if you want to just allow facebook (as example), so keep track of this once 5.x is out.
The downside of app-dependencies is that you are (in this example) forced to allow web-browsing, so rule1 should be extended to cover all the other urls you dont wish to allow (that has to do with social networking).
That is because if the traffic is being recognized as something else in the app-db it will be blocked (something identified as youtube will not be allowed with the above rules) - however "unknown http" will most likely be identified as web-browsing and that will be allowed through which gives that url-filtering is the only way to block that hole (since acting on dstip just wont be practically to handle).
Dont forget to enable SSL-termination aswell (so you can inspect and block stuff that goes over SSL even if the PA box can block some traffic even without SSL-termination by looking at the CN field of the certs sent by the server).
Edit: Oops, got the rules in wrong order =)
I setup a default policy to all user and with default URL profile, profile A, which blocks several URL
categories. Also I have several websites
on allow and block list.
If I create another policy B on the top of the default policy A (as per your suggestion) and assign that policy to one or more users it will be their default profile, correct? In that case cloning default policy and adding face book to allow list makes a sense.
However, what will happen if I need to create another policy C which will allow access to Twitter,but block all other social networking website. If I follow the same example and create policy C on the top of the policy B and assign it to one of the user who is already assigned to policy Bhe will lose the access to Face Book. If that is correct, does it mean I need to create another policy which will allow Face Book and Twitter? If that is the case I can easily have hundreds rules.
I was hoping it can be done by creating a policy which will allow an application access ignoring URL category and url allow and block lists.
I am doing the evaluation and I do not have too much time. I thought access to Face book , would be something really easy. When you mentioned SSL termination,I guess I will need the cert for that. At his moment , I cannot use my CA for testing. What would be the steps to generate the cert from the box ?
A single rule cannot allow and deny at the same time.
If you have hundred users where each user is only allowed to visit a specific site then yes you will end up with hundred rules such as:
1) Allow user:a, url:a.
2) Allow user:b, url:b.
101) Deny and log.
PA uses "top-down first-match" which gives that you can group rules and generally speaking your allow rules should be as narrow as possible while deny rules should be as wide as possible.
So if you wish to allow both url:a and b to user:a and b there is no need to use two rules when you in this case can do:
1) Allow user:a,b, url:a,b
X) Deny and log.
You can use openssl to create a selfsigned cert where both the cert and private key is uploaded to the PA device, and then you configure the ssl termination settings (which traffic should be terminated and which cert to use).
Then you load the client with the cert (NOT the private key :smileyhappy:) as trusted CA (or you can jump over this step but then your browser will bug you about insecure ssl because the browser couldnt verify the CA being used).
Edit: More info of ssl termination:
Regarding openssl http://www.akadia.com/services/ssh_test_certificate.html
#openssl genrsa -des3 -out server.key 4096
#chmod 400 server.key
#openssl req -new -key server.key -out server.csr
#openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Install server.key and server.crt in the PA box and server.crt as trusted CA on the client.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!