Per-User URL Filtering Process

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Per-User URL Filtering Process

L0 Member

Can someone give me a break down of what the process flow is like?  For example, Is a lookup done for the user then an IP mapping happens?  Are the user-ip mappings being used for the decision in the filtering process?

 

The reason I ask is that I have users connected via a VPN device the filtering doesn't seem to work.

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

each part is separate

 

user-ip mapping is accomplished either by a user logging onto his domain computer in the office and the login being picked up by an agent/agentless deployment, or a user logging into GlobalProtect VPN (establishing the tunnel)

the mapping is then stored in the cache on the firewall

 

when the user makes a connection, the security policy is checked to see if the connection will be allowed (at the TCP level).

when the application is identified, the firewall passes the session through the security policy again to find a matching rule for the source user and application to match and if a matching policy is found, the session is again allowed to carry on

 

if the application is web-browsing and the session is allowed, this will also trigger a url filtering lookup (local cache > cloud lookup) to determine the url category and then apply the URL filtering policy (so the TCP connection could be allowed but the session could get blocked at layer7 by the url filtering profile at which point a block page is presented to the user)

 

so you'd want to check the user mapping first, see if he's being identified and mapped properly

> show user ip-user-mapping ip <ip/subnet>

next, you'll need to check if the group (assuming you used an LDAP group rather than standalone usernames in your security policy) contains his username on the firewall

> show user group list
> show user group name 'cn=group,cn=users,dc=example,dc=com'

if both match, check if there aren't any security policies preceding your policy that could be blocking your connections/allowing them though

 

 

hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

@MarcusReams,

When the user is connected to the VPN do you have an active ip to user mapping? You can verify this within both the data-plane and the management-plane by running the CLI command show user ip-user-mapping all for the dataplane mapping and show user ip-user-mapping-mp all for the management plane. If you have a larger userbase you can specify a user by either the ip address by running show user ip-user-mapping ip 10.191.17.6 for example or by just piping the command a looking for a user in particular. 

I would verify that they even have a user mapping; from what you are describing they do not, or the mapping that you have built around is not what the user comes across as when logged into the VPN. 

Cyber Elite
Cyber Elite

each part is separate

 

user-ip mapping is accomplished either by a user logging onto his domain computer in the office and the login being picked up by an agent/agentless deployment, or a user logging into GlobalProtect VPN (establishing the tunnel)

the mapping is then stored in the cache on the firewall

 

when the user makes a connection, the security policy is checked to see if the connection will be allowed (at the TCP level).

when the application is identified, the firewall passes the session through the security policy again to find a matching rule for the source user and application to match and if a matching policy is found, the session is again allowed to carry on

 

if the application is web-browsing and the session is allowed, this will also trigger a url filtering lookup (local cache > cloud lookup) to determine the url category and then apply the URL filtering policy (so the TCP connection could be allowed but the session could get blocked at layer7 by the url filtering profile at which point a block page is presented to the user)

 

so you'd want to check the user mapping first, see if he's being identified and mapped properly

> show user ip-user-mapping ip <ip/subnet>

next, you'll need to check if the group (assuming you used an LDAP group rather than standalone usernames in your security policy) contains his username on the firewall

> show user group list
> show user group name 'cn=group,cn=users,dc=example,dc=com'

if both match, check if there aren't any security policies preceding your policy that could be blocking your connections/allowing them though

 

 

hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for the feedback. 

  • 1 accepted solution
  • 2078 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!