Multiple policies that use URL allow lists?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Multiple policies that use URL allow lists?

L4 Transporter

I have a query regarding multiple rules to allow access to URL whitelists.

Let’s say I have rule1 that allows “any” on my LAN to a URL profile that blocks everything but only allows access to url1.com.

I then want to have rule2 that only allows “some servers” access to only url2.com.

The problem is that the URL filtering profile on the first rule stops the request for url2.com from ever reaching the rule that allows it.

Seems a simple enough thing to want to do so I must be missing a step/technique in how I'm doing it?

Thanks.

7 REPLIES 7

L4 Transporter

I believe the simplest solution would be to reverse the order of the rules so that "some servers" hit their rule first and then add url1.com to the URL filtering profile so that "some servers" have access to both url2.com and url1.com.

Mike

Thanks Mike, I guess that would work though it's not ideal as it means maintaining two sets of overlapping URL profiles (AFAIK you can't "group" URL profiles can you?).

Are there any plans to bring in an option to have allow lists where if the URL is not on the allow list the request simply drops through to the next rule?

Understand the complexity. The custom URL categories feature in 3.1 should simplify this a bit as you could keep the profiles static and simply add the URLs to the custom categories and they would get picked up by the necessary profiles automatically. We don't have plans to allow traffic to drop through to a secondary rule.

Mike

Ahhh OK, so instead of multiple URL profiles that serve only to have an allow list, you create a URL category called "ms-update sites" or "global whitelist" and set those to allow on the URL profiles instead of duplicating/overlapping the URLs in the "allow" box?

I think that would make things a bit simpler to manage so I'll look at the documentation/PanOS manual.

Presumably 3.1 is considered stable/production ready?  I ask as whilst I believe 3.0.8 is more "mature" I'm unsure quite what you'd consider the deciding factor between whether to deploy 3.0.8 or jump to 3.1 (we're on 3.0.6 right now)?

Thanks.

Yes. You get the approach.

As far as 3.0 vs. 3.1, that is a decision you will need to make. As Nancy pointed out, if you don't need features of a new release, it is generally safer to stick with what has been shipping for a while. That said, I always want the new features! We will absolutely stand behind 3.1 as a release you can use in deployment. We have many customers that have already upgraded and I expect many more will in the near future. There may be bumps along the way, and early adopters may run into more of those than if they would have waited. At the end of the day, we will continue to push the envelope of innovation with new releases and may introduce bugs along the way. We do our best to avoid that and our excellent support team will help to work through them quickly if they do occur. We will continue to support both the aggressive and conservative customers. While I am aggressive and would go with the latest, you need to do what you feel fits your comfort level.

Mike

Brilliant thanks Mike, I may wait for 3.1.1 (or the first "bugfix" release) but sounds like a plan.

we are trying to setup category filtering where users can be part of multiple groups.

It will be nice to have an ability to customize URL profiles so you can add/remove specific category for specific group so  it only matches selected category including custom category, that way it will move on to next firewall rule. Looks like only way you can accomplish is by specifying application and not choosing URL profile.

  • 3286 Views
  • 7 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!