I am running PanOS 4.1.7, migrating from a Checkpoint R75 platform. I have a lot of rules in place, but we are heavy into exceptions. I keep running into situations that would be very easy to handle if I simply had the Negate option.
For example, I have a rule that allows domain users out to specific web apps using my URL filtering, along with data filtering, and other policies in a single rule.
I have around 20 of these rules based on AD user group.
Below these rules, I block access to the Internet. If someone fires up a non-domain VMware guest and uses a bridged connection, they basically get no Internet access.
At the top and then in the middle of these rules, I have application filters blocking apps such as proxy, DNS, video, audio, etc. The location is based on which users can use these apps.
The problem is I need to block things like http-audio and http-video, yet exclude specific sites from this blocking for everyone.
Life would be a lot easier if I could block using an application filter, while negating my URL custom category of "white listed sites." Or if I could create a rule that blocks by application filter to all users while negating a specific AD user group.
I know how to make this work with 4.1.7, I just really would love to see more Negate options in future releases.
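As an added illustration (not code from the original post, and not a real PAN-OS configuration), here is a small first-match policy evaluator in Python that models the rulebase described above: the ordering workaround, where an allow for the white-listed category sits above the media block, next to the single-rule form a Negate option would permit. Rule, group, application and category names are constructed for the example.

```python
# Added example: first-match rulebase evaluator. All names below are constructed.
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                                    # "allow" or "deny"
    apps: set = field(default_factory=set)         # empty = any application
    groups: set = field(default_factory=set)       # empty = any user group
    categories: set = field(default_factory=set)   # empty = any URL category
    negate_categories: bool = False                # the "Negate" option requested above

    def matches(self, app, group, category):
        if self.apps and app not in self.apps:
            return False
        if self.groups and group not in self.groups:
            return False
        if self.categories:
            in_cat = category in self.categories
            return in_cat != self.negate_categories  # negate flips the category test
        return True


def evaluate(rules, app, group, category):
    """Top-down, first matching rule wins; nothing matching hits the implicit deny."""
    for rule in rules:
        if rule.matches(app, group, category):
            return rule.name, rule.action
    return "implicit-deny", "deny"


MEDIA = {"http-audio", "http-video"}

# Workaround without Negate: the exception must be an explicit allow placed above the block.
WORKAROUND = [
    Rule("allow-whitelist-media", "allow", apps=MEDIA, categories={"white-listed-sites"}),
    Rule("block-media", "deny", apps=MEDIA),
    Rule("domain-users-web", "allow", groups={"domain-users"}),
    Rule("block-internet", "deny"),
]

# With Negate: one block rule that excludes the white-listed category for everyone.
WITH_NEGATE = [
    Rule("block-media-except-whitelist", "deny", apps=MEDIA,
         categories={"white-listed-sites"}, negate_categories=True),
    Rule("domain-users-web", "allow", groups={"domain-users"}),
    Rule("block-internet", "deny"),
]
```

Both rulebases give the same verdicts; the difference is that the Negate form keeps the exception inside the block rule instead of depending on a separate rule's position.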