11-13-2012 07:49 AM
Much like an access list on a Cisco router top to bottom. I recently created 2 rules for our 3rd party ISP to connect internet sticks via our firewall.
1st rule - Allow all traffic via TELUS internet sticks from Trust Vpn, Source (telus), Destination (Any), Actions (Allow), No profile type.
2nd rule - Deny all traffic via TELUS internet sticks from Trust Vpn, Source (telus), Destination (Any), Actions (Deny) Profiles Type "Profile", URL Filtering (VPN use only) which has allowed sites and blocked sites that I created.
However, when I commit the rules, I get a message "Security Policy: Rule Telus Internet Allowed urls" shadows rule "Telus Internet disallowed urls".
I'm not certain which to change. Any ideas?
Rob
11-14-2012 01:02 AM
What about this?
1)
srczone: Trust VPN
srcip: telus
dstzone: any
dstip: any
profile: URL Filtering (VPN use only)
options: log on session end
action: allow
2)
srczone: any
srcip: any
dstzone: any
dstip: any
profile: none
options: log on session end
action: deny
The thing is that your "allow" (which you see in the security policy) is based on the IP header, while the URL filtering profile takes care of what you will allow/block based on URL.
However, if I recall correctly, another method is to only have allowed URLs in your URL filter profile and let the default deny at the bottom take care of the blocking.
Like so:
1)
srczone: Trust VPN
srcip: telus
dstzone: any
dstip: any
profile: URL Filtering (Allowed for VPN)
options: log on session end
action: allow
2)
srczone: any
srcip: any
dstzone: any
dstip: any
profile: none
options: log on session end
action: deny
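An added example, not part of the original posts and not PAN-OS code: a simplified Python model of top-down rule matching that shows why the original rule pair triggers the shadow warning while the layout suggested in the reply does not. It assumes rules match only on the zone and address fields with `any` as a wildcard and that `dstzone` in the original rules was `any`; the rule names `telus-allow-filtered` and `deny-all` are hypothetical.

```python
# Added illustration: simplified model of top-down rule evaluation.
# Field names follow the reply above; the matching logic is an assumption,
# not the firewall's actual commit check.
from dataclasses import dataclass

MATCH_FIELDS = ("srczone", "srcip", "dstzone", "dstip")

@dataclass(frozen=True)
class Rule:
    name: str
    srczone: str
    srcip: str
    dstzone: str
    dstip: str
    action: str
    profile: str = "none"  # applied after an allow match; never part of matching

def covers(earlier: Rule, later: Rule) -> bool:
    """True if every session matching `later` also matches `earlier`."""
    return all(
        getattr(earlier, f) == "any" or getattr(earlier, f) == getattr(later, f)
        for f in MATCH_FIELDS
    )

def find_shadowed(rules):
    """Return (shadowing, shadowed) name pairs for an ordered rulebase."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                pairs.append((earlier.name, later.name))
                break  # first match wins, so report only the first shadowing rule
    return pairs

# Constructed rulebases: the two rules from the question, then the reply's layout.
ORIGINAL = [
    Rule("Telus Internet Allowed urls", "Trust VPN", "telus", "any", "any", "allow"),
    Rule("Telus Internet disallowed urls", "Trust VPN", "telus", "any", "any", "deny",
         profile="URL Filtering (VPN use only)"),
]
SUGGESTED = [  # hypothetical rule names
    Rule("telus-allow-filtered", "Trust VPN", "telus", "any", "any", "allow",
         profile="URL Filtering (VPN use only)"),
    Rule("deny-all", "any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for label, rulebase in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, find_shadowed(rulebase))
```

In this model the profile never affects which rule a session hits, which is why a profile attached to the second, identically matching rule is never reached.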