How to specify specific users / groups in URL Filtering Policies

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to specify specific users / groups in URL Filtering Policies

L1 Bithead

Hey guys!

 

We got a couple of 7050s in our Data Center with URL Filtering license, and we are planning to implement the URL Filtering feature. 

 

I understand first thing is to create the URL profile with the allowed / denied categories and attach it to the Security Policies that allow outbound Internet access.

 

But my concern is how to enable the use of specific users or groups to those security policies? 

 

I have enabled User-ID agent in my environment, the User-ID agent is retrieving the user to IP address mappings from the Domain Controllers, and my Firewall is already talking to the User-ID agent!

 

However, could anyone let me know if I still need to add some LDAP configuration to my Firewall? Or if I'm ready to implement Web Filtering to specific users.

 

Kind Regards!

1 accepted solution

Accepted Solutions

I would start here:

 - https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-users-to-groups#_74222

 

You don't need to do LDAP authentication based on your original question.  Your main goal is to get the firewall to download a list of LDAP groups and the names of the users in each of the groups.  

 

With this in place, you can create security policy based on username and/or LDAP group.  

View solution in original post

6 REPLIES 6

L7 Applicator

I would configure LDAP so that the firewall can pull in groups of users.  

 

At the top of your security policy, create a couple of group-based overrides.  Assuming you generally block adult + gambling sites, create two groups in your LDAP server, "URL-adult" and "URL-gambling".  

 

Next, create a single URL filtering profile called "override alert URL", with action=alert for all categories.  Attach that profile to these override rules.  

 

Then you can create security policies that look like this:

 

from trust to untrust, user=URL-adult, application=web-browsing+SSL, URL category=adult, action=allow

from trust to untrust, user=URL-gambling, application=web-browsing+SSL, URL category=gambling, action=allow

 

 

lather, rinse, repeat for the URL categories where you need to provide an override and commit your changes.  

 

The nice thing about this is that you only need to add a user to the LDAP group in order to permit them access to an overridden category.  (The firewall refreshes LDAP groups every 60 minutes, so you may need to wait that long for it to work - or perform a manual refresh via the CLI).

 

If you want to warn your user that they're visiting a normally-blocked website because they have override privileges, modify your URL filtering profile from "override alert all URL" with action=alert, and change all of the actions=continue.  This way, if someone is visiting an overriden webpage, they're shown the block/continue page with a customizable warning and must click "continue" in order to visit the overriden webpage.  

Hi Valentine,

 

Thank you so much for your answer, that's exactly what I need. I need my firewall to be able to pull in groups of users.

 

I was with the idea that user-ID agent would give me the capability to define groups of users to my Security Policies, but I see that additionally I need to configure LDAP.

 

I found the below documentation, could you let me know if that should be enough?

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-ldap-authen...

 

 

 

Thank you!

I would start here:

 - https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-users-to-groups#_74222

 

You don't need to do LDAP authentication based on your original question.  Your main goal is to get the firewall to download a list of LDAP groups and the names of the users in each of the groups.  

 

With this in place, you can create security policy based on username and/or LDAP group.  

Those 7000 series firewalls can handle up to 10,000 LDAP groups so you should be good to go!

Hey Valentine!

 

Thank you so much for the provided assistance, and documentation. I confirm now I'm able to create Security Policies based on username, and LDAP groups.

 

 

 

Kind Regards!


@Wald wrote:

Those 7000 series firewalls can handle up to 10,000 LDAP groups so you should be good to go!


Is it correct if we assume the maximum number of groups we can add per virtual system (Group Include List and Custom Group tab combind) will still be 640 groups?

  • 1 accepted solution
  • 10161 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!