10-21-2015 11:18 PM
Hello,
I have another problem with policies...
I used AD to filter which people can access the appropriate site.
And I have rules in order:
1. Allow facebook (when I give access to the whole facebook application)
2. Allow Youtube (when I use URL filtering)
In my opinion, when a user who is in the groups allow_facebook and allow_youtube wants to open the Facebook site, he uses the first rule and can open the site?
But in my network this user uses the second rule and he gets information about a blocked site....
I don't know what I'm doing wrong..
10-22-2015 01:59 AM
Check from the CLI that said user is really in the allow_facebook group if the rule is not applying to him.
10-22-2015 07:07 AM - edited 10-22-2015 07:07 AM
Is the rule/application specifically for Facebook-BASE?
Does that first rule allow the traffic for another user?
In other words, can another user from the approved 'AD OU' group get to the site?
You want to determine whether it is a user issue or a security policy issue.
When you look in the logs afterward, filter by user name and see which policy that traffic is hitting.
10-23-2015 08:31 AM
Hello,
Could you verify this counter:
show counter global filter | match url_request_pkt_drop
You obtain something like this:
url_request_pkt_drop 334056 10 drop url pktproc
If you have some dropped packets, it's due to the waiting time for the URL categorisation request.
To resolve this, modify this parameter:
set deviceconfig setting ctd url-wait-timeout
and define a value greater than 5 and less than 60.
By default PAN-OS uses a value of 5 s, and the PA-500 is too light to process the categorisation and goes over the limit of 5 s.
you and increase the capacity of the PA-500 but increase the acceptable time to resolve the query
Regards
you can find more info