Newbie setting up URL Filtering... can't find an answer by searching.. :-/

L2 Linker

Hi all --

So I was asked by mgmt to block social networking, streaming, etc for all users except administration.  I created a custom URL Filtering profile that blocks those categories, as well as several specific sites.  Under Policies -> Security, I created a new policy called "LimitedInternet", applied to all users, from the trust to untrust zones, and applied the custom, limited URL Filter.  I have another security policy that is only applied to users in our domain's OpenInternet group, which uses the default URL Filter profile.  Here's how it looks --

[screenshot: Untitled.jpg, the two security policy rules]

As I understand, the rules are applied top-down, and once a rule matches, it stops searching. So the first rule should apply to anyone in the OpenInternet group; if the user is not in that group, they should use the second, limited rule and have sites blocked.  As it is, the LimitedInternet rule is applied to everyone, regardless of their group membership.

Can anyone tell me what I'm missing here?  (I apologize if this has been covered elsewhere, I tried searching, honest!)

Thanks -- michael~


Accepted Solutions
L4 Transporter

Hello thatguy,

For the requirement: 1) allow certain admin users for all categories and sites; 2) block some social categories and some sites for the rest of the users.

The security rules configured and the approach are perfect. A group of users is selected in the first rule and they are being allowed for all sites. It is not mentioned here which URL profile is configured for the first rule.

Areas to look:

> In the URL filtering logs (Monitor > URL logs), please look for the logs and filter them for what you are looking for. If certain users are supposed to be allowed and are not allowed to pass traffic, or similar, select the parameters to be added to the filter and we can narrow down the results.

Now click on the magnifier icon on the left of each log line to see more details such as security rule, session ID, category and so on, to understand which rule is taking effect and thereby which URL profile.

If you can update us on what the exact issue is, I can share more details here.

Thanks


All Replies
L2 Linker

Thank you Phoenix --

I checked the logs and, indeed, the LimitedInternet security rule is being applied to everyone.

From my original image, the OpenInternet rule should apply only to users in the ptc\OpenInternet domain group, and has the default URL filtering profile attached.  The second rule applies to all other users, and has the LimitedInternet URL filtering profile attached.

The logs show every user is getting blocked by the LimitedInternet rule.

[screenshot: urlfilters.jpg, the URL filtering log entries]

Does that tell you anything?  Thanks again for the reply.

L4 Transporter

Hello,

Good, we have narrowed the issue. This points me to the fact that in rule 1 (Open internet) we have the user group defined. If for some reason the device does not know the users in this group, it would not take the rule into effect. This directs us towards User Identification troubleshooting.

> To see users in the group list:

show user group name "Group name"

> To find the groups:

show user group list

> To see if the user is part of the group (this command shows the user mapping and the user's groups):

show user ip-user-mapping ip <>

If these are not showing the right results, we may need a troubleshooting call to narrow down the issue.

Thanks

L3 Networker

Is the group mapping configured in the User Identification setup? It is required to pull down the group members from the LDAP and have the mapping between the group and the members of the group. The following link has the document on how to configure group mapping: https://live.paloaltonetworks.com/docs/DOC-4994

L2 Linker

GOT IT!!!

It turns out that I originally misconfigured the LDAP settings.  In the LDAP Server Profile, I had our domain as "ptc.loc" instead of simply "ptc", so the users in the group-mapping were listed as "ptc.loc\username", while the user-mapping listed the users as "ptc\username", so they didn't match up.

Thank you Phoenix and knarra1
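Added example, not part of the thread or of PAN-OS: a small Python model of top-down security-rule matching against User-ID data. It reproduces the failure mode described above (group mapping listing "ptc.loc\user" while the IP-user mapping lists "ptc\user", so the group-based rule never matches and the catch-all rule hits everyone) and the domain-prefix comparison that the `show user group name` and `show user ip-user-mapping` commands expose. All IPs, user names and rule objects are constructed for the example.

```python
# Added example: top-down rule matching with a User-ID domain mismatch.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    url_profile: str
    source_groups: frozenset = frozenset()   # empty = "any" user

# Rulebase in top-down order, as in the thread's screenshot (constructed).
RULES = [
    Rule("OpenInternet", "default", frozenset({"ptc\\OpenInternet"})),
    Rule("LimitedInternet", "LimitedInternet"),
]

# IP-user mapping as 'show user ip-user-mapping' would list it (constructed).
USER_MAPPING = {"10.0.0.11": "ptc\\alice", "10.0.0.12": "ptc\\bob"}

def group_mapping(ldap_domain: str) -> dict:
    """Group membership as returned via the LDAP server profile: member
    names carry the domain configured in that profile (constructed data)."""
    members = {"ptc\\OpenInternet": ["alice"]}          # alice is an admin
    return {g: {f"{ldap_domain}\\{u}" for u in us} for g, us in members.items()}

def first_match(ip: str, groups: dict) -> Rule:
    """Walk the rulebase top-down; the first rule whose source matches wins."""
    user = USER_MAPPING.get(ip)
    for rule in RULES:
        if not rule.source_groups:                       # "any" user
            return rule
        if any(user in groups.get(g, set()) for g in rule.source_groups):
            return rule
    raise LookupError("no rule matched")                 # real rulebases end in deny

def domain_mismatches(groups: dict) -> set:
    """Domain prefixes present in the group mapping but absent from the
    IP-user mapping: the discrepancy that the two CLI commands reveal."""
    seen = {u.split("\\", 1)[0] for u in USER_MAPPING.values()}
    listed = {m.split("\\", 1)[0] for ms in groups.values() for m in ms}
    return listed - seen

if __name__ == "__main__":
    for domain in ("ptc.loc", "ptc"):     # misconfigured profile, then the fix
        g = group_mapping(domain)
        print(domain, first_match("10.0.0.11", g).name, domain_mismatches(g))
```

With the profile domain set to "ptc.loc" the admin user falls through to LimitedInternet; with "ptc" the OpenInternet rule matches and no domain mismatch is reported.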

L4 Transporter

You should consider using "application filters" instead of URL filtering.  Social networking sites are a great example.

[screenshot: App_Filter.png, the Social Networks application filter object]

Creating this one App Filter object named Social Networks, and selecting the subcategory "social-networking", gives me an object with 88 applications included. If I selected "browser based" as well, the number would reduce to 76 applications.  Now I can use this in a security rule to deny or allow sites. The beauty of this is that in a year there may be one or two new sites that pop up and become popular. As soon as they are detected by Palo Alto and added to the database, your existing rule will already be in place and include the new sites based on the subcategory.

SKrall
