Recommended way to do whitelists/allow lists?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Recommended way to do whitelists/allow lists?

L4 Transporter

We've just purchased a PA box.

AIUI the recommended way to do a rule that allows (for example) all PC's access to www.domain.com would be to create a URL filtering profile that blocks all categories, and then to add www.domain.com to the allow list of that URL profile.

Then create a rule (likely towards the bottom because of the "block" action for all other URLs) that uses that URL profile.

The problem I can see with that is that if any PC that doesn't normally have internet access tries to access any sites, and they get as far as that rule, rather than falling through to the default "deny all" rule, it will be logged as if they've been trying to visit somewhere/something and it's been blocked by URL filtering, which is slightly different to what I want which is for it to ignore it and only log on that rule if someone visits www.domain.com.

Have I missed something in how I should be doing this?

Thanks.

1 accepted solution

Accepted Solutions

There is no way to turn off logging for URL categories with the action of block. You can alert on URL categories, but that simply allows the URL and logs the event. If all categories are blocked and you put your allowed URLs on the block list with an action of alert, we would log all of the URLs, and then when searching for logs use the filter expression "(action eq alert)" to only see the logs associated with what was allowed. I hope that makes sense.

View solution in original post

8 REPLIES 8

L5 Sessionator

Hello,

You can be granular about the traffic you want to hit the block/whitelist when you create the policy.  You can specify by source address, address group, user or user group, which traffic the rule will affect.  If you have a private network and want to log their traffic only when they hit your example www.domain.com, you can create a policy for those addresses/users allowing traffic to only that site. Anything else will hit the deny rule and be ignored.   You may want to contact Support to have them assist with your policy creation.

Thanks for the reply, much appreciated.

Generally the issue seems to be when we have domains or hostnames with variable IP's, for example we may want to allow all computers to access *.bbc.co.uk, or allow our linux machines only to be able to access rhn.redhat.com.

I don't think I have an issue with creating the rule(s), I'm just unsure if the logging is logging what I want (which is only traffic allowed by that rule) as opposed to all the stuff denied by that rule, if you see what I mean?

Thanks.

The PAN doesn't log allowed traffic.  You could create a URL profile where you blacklist rather than whitelist the sites you want to log and  chosse the "alert" option in the blacklist rather than "block" and any hits on those site will be logged.

There is no way to turn off logging for URL categories with the action of block. You can alert on URL categories, but that simply allows the URL and logs the event. If all categories are blocked and you put your allowed URLs on the block list with an action of alert, we would log all of the URLs, and then when searching for logs use the filter expression "(action eq alert)" to only see the logs associated with what was allowed. I hope that makes sense.

Thanks, slightly counter-intuitive but makes sense now.

L2 Linker

I'd like to formally request that whitelisting exist as a seperate function - apart from URL blocking.  We  have the need to allow only certain domains/urls some of which resolve to Akamai address space which changes randomly.  We also have NIST requirements to LOG everything in a CONSISTANT format.    I suppose we will have to continue to do weekely resolves of the hosts and manually change the destinations until this becomes available.  No fun, that.

@ Frank Henry

Make a new URL profile. Add *.akamai.com to the Allow list, set your categories to alert or block on the right, and you are done.

What else do you need?

When demoing the product, I could not get this to work.  We don't have any desire for URL subscription license, so we cannot BLOCK ALL then have an allow 'whitelist'.  Tried to block *.* and an Allow List, but the Allow List is processed after the Deny List instead of before so the wildcard blocks access.

This is why we'd like to see a whitelist destination 'group' (for lack of a better term) to put into the destination field in the policy.  Obviously the strings in this group would only be applicable to HTTP/HTTPS/FTP.. URIs (and their associated applications/services).  Again, allowing by URI and not the named derived from reverse lookup would be invaluable to many here agencywide and I'm sure to many organizations. - I don't know of any other product that offers this and think it could be a differentiator.

Thanks!

  • 1 accepted solution
  • 7134 Views
  • 8 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!