LDAP group based rules versus Policy based URL filters


L3 Networker

I am coming from an M86 (8E6) R3000 and Surfcontrol install to the Palo Alto URL filtering.   I have multiple AD groups in my AD that are specific to URL filtering on the M86 R3000.

I am re-using those groups on the Palo Alto to recreate my functionality...  One group is "Blocked Internet Users."   I have LDAP bound to my PA through my GC servers, and have successfully imported groups into the PA User Identification.  I installed the policy, then was able to add these groups to security policies.   So far so good.

I'm trying to understand how the Palo Alto handles AD groups.   In the M86, I had a tab where I could state the priority of group mappings.  So if someone was a member of "Department Cafe" as well as "Blocked Internet Users", the M86 would look at my group priority to determine which policy to apply.

The M86 is taking an IP, finding the user, looking up group membership, and applying that complete group policy to the traffic.

The Palo Alto is taking the IP, looking up the user, looking up the group membership, and then applying a single rule if the user is a member of the listed groups.  

So if I want to have a rule that allows "Department Cafe" out to the Internet, and I want to block certain users including some in the Cafe from all access to the Internet, then I simply need to place the rule blocking "Blocked Internet Users" above the rule allowing "Department Cafe" to the Internet...(right?)

A)  what happens if LDAP enumeration fails for a while and "Blocked Internet Users" becomes an empty list?   Does the rule using that group simply not apply, or does it then apply to ALL users?  

B)  How can I tell which users the Palo Alto thinks are in certain LDAP groups?    Having a 15 year history in URL filtering, all platforms I have used have at times not matched what is in the domain for some reason or another.  On the M86 I can right click and display members of an LDAP group.  I can see from this that LDAP synchronization is failing.  How can I do this on the PA?

Thank you


L3 Networker

Soooo is there any good guide for setting up URL filtering on the Palo Alto?   For example, I created a "Whitelist" list of URLs.  Now, I can create a rule that has this as the Service/Category and set it above my other rules, or I can create my other rules with Actions/URL Filtering and configure each one with a URL Filtering policy that has that whitelist set to allow.

Is there a preferred way of doing this? 

What happens if I combine the Service/URL Category (URL Category specified) with Actions/URL Filtering?   Will it first check the destination IP address against the URL Category, and then apply the URL Filter on top of that?  (So if something's in two categories I could allow it in one while I block it in the other?)

Hopefully these documents might be helpful for you regarding url-filtering:

When you do url-filtering I would strongly recommend you to also perform ssl-decryption.

A) I think it would handle it as an empty group then, meaning that the particular rule would never match, which might be good or bad depending on if the rule is to allow or to block access.

B) Usually CLI is recommended to do troubleshooting. I think the PA will list in GUI as well but paged result (like 100 users/page or such).

Each column in a particular security rule must match before this security rule will be a hit. The PA uses top-down first-match so in your case something like:

1) Blacklist

2) Whitelist

3) Everything else

4) Default deny + log

might be a good setup.
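The following is an added illustration, not code from the thread or from Palo Alto Networks, of the two points made in this reply: every column of a rule must match, and the rulebase is evaluated top-down with first match winning. It also plays out question A from the original post: when the "Blocked Internet Users" group comes back empty after a failed enumeration, the deny rule simply never matches and a blocked user falls through to whatever allow rule comes next. The group names, user names, URL categories and the `group_drift` check are all constructed for the example; the firewall's real group cache and matching engine are not modelled beyond these two rules of evaluation.

```python
from dataclasses import dataclass

ANY = "any"  # wildcard column value, matches every user or category


@dataclass
class Rule:
    name: str
    src_groups: list      # group names; ANY matches every user
    url_categories: list  # URL categories; ANY matches every destination
    action: str           # "allow" or "deny"


# Constructed group-to-member mapping standing in for the firewall's cached
# view of LDAP group membership. All names are made up for illustration.
GROUP_MEMBERS_OK = {
    "Blocked Internet Users": {"alice", "bob"},
    "Department Cafe": {"alice", "carol"},
}

# Same cache after a failed group enumeration: the blocked group is empty.
GROUP_MEMBERS_EMPTY_BLACKLIST = {
    "Blocked Internet Users": set(),
    "Department Cafe": {"alice", "carol"},
}

# The blacklist / whitelist / everything else / default-deny ordering
# suggested in the reply, expressed as a constructed rulebase.
RULEBASE = [
    Rule("blacklist", ["Blocked Internet Users"], [ANY], "deny"),
    Rule("whitelist", [ANY], ["corporate-whitelist"], "allow"),
    Rule("cafe-internet", ["Department Cafe"], [ANY], "allow"),
    Rule("default-deny", [ANY], [ANY], "deny"),
]


def groups_of(user, group_members):
    """Return the set of groups the cache says this user belongs to."""
    return {g for g, members in group_members.items() if user in members}


def rule_matches(rule, user_groups, category):
    """Every column must match: source group AND URL category."""
    group_ok = ANY in rule.src_groups or any(g in user_groups for g in rule.src_groups)
    cat_ok = ANY in rule.url_categories or category in rule.url_categories
    return group_ok and cat_ok


def evaluate(user, category, rulebase, group_members):
    """Top-down first-match: return (rule name, action) of the first hit."""
    user_groups = groups_of(user, group_members)
    for rule in rulebase:
        if rule_matches(rule, user_groups, category):
            return rule.name, rule.action
    raise RuntimeError("rulebase has no catch-all rule")


def group_drift(directory_members, firewall_members):
    """Members the directory has but the firewall's cache lacks (point B:
    spotting a group whose synchronisation has silently gone wrong)."""
    return set(directory_members) - set(firewall_members)


if __name__ == "__main__":
    # alice is in both groups; the deny rule sits first, so she is blocked.
    print(evaluate("alice", "news", RULEBASE, GROUP_MEMBERS_OK))
    # With the blocked group empty, the deny rule never matches and alice
    # falls through to the cafe allow rule: the block fails open.
    print(evaluate("alice", "news", RULEBASE, GROUP_MEMBERS_EMPTY_BLACKLIST))
    # Comparing the directory's view with the cache shows who went missing.
    print(group_drift(GROUP_MEMBERS_OK["Blocked Internet Users"],
                      GROUP_MEMBERS_EMPTY_BLACKLIST["Blocked Internet Users"]))
```

The fail-open case is the one worth watching for in practice: a deny rule keyed on a group is only as good as the group cache behind it, so a monitor that compares the firewall's member list against the directory (as `group_drift` does here on constructed data) catches the failure before the allow rule below does.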
