Recommended way to do whitelists/allow lists?


L4 Transporter

We've just purchased a PA box.

AIUI the recommended way to do a rule that allows (for example) all PCs access to www.domain.com would be to create a URL filtering profile that blocks all categories, and then to add www.domain.com to the allow list of that URL profile.

Then create a rule (likely towards the bottom because of the "block" action for all other URLs) that uses that URL profile.

The problem I can see with that is that if any PC that doesn't normally have internet access tries to access any sites, and they get as far as that rule, rather than falling through to the default "deny all" rule, it will be logged as if they've been trying to visit somewhere/something and it's been blocked by URL filtering. That is slightly different to what I want, which is for it to ignore it and only log on that rule if someone visits www.domain.com.

Have I missed something in how I should be doing this?

Thanks.

8 REPLIES 8

Thanks, slightly counter-intuitive but makes sense now.

L2 Linker

I'd like to formally request that whitelisting exist as a separate function - apart from URL blocking. We have the need to allow only certain domains/URLs, some of which resolve to Akamai address space which changes randomly. We also have NIST requirements to LOG everything in a CONSISTENT format. I suppose we will have to continue to do weekly resolves of the hosts and manually change the destinations until this becomes available. No fun, that.

@ Frank Henry

Make a new URL profile. Add *.akamai.com to the Allow list, set your categories to alert or block on the right, and you are done.

What else do you need?

When demoing the product, I could not get this to work. We don't have any desire for a URL subscription license, so we cannot BLOCK ALL then have an allow 'whitelist'. Tried to block *.* and an Allow List, but the Allow List is processed after the Deny List instead of before, so the wildcard blocks access.

This is why we'd like to see a whitelist destination 'group' (for lack of a better term) to put into the destination field in the policy. Obviously the strings in this group would only be applicable to HTTP/HTTPS/FTP... URIs (and their associated applications/services). Again, allowing by URI and not the name derived from reverse lookup would be invaluable to many here agency-wide and I'm sure to many organizations. - I don't know of any other product that offers this and think it could be a differentiator.

Thanks!
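Added example, not part of any post in this thread and not vendor code: a simplified Python model of the evaluation order reported in the reply above, where the block list is consulted before the allow list, compared with the allow-first order the poster asks for. The function names, the sample hosts and the use of `fnmatch` wildcards are assumptions for illustration; the firewall's real pattern matcher is not reproduced here.

```python
from fnmatch import fnmatchcase

def match(host, patterns):
    """Return the first pattern that matches host (case-insensitive), else None."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if fnmatchcase(host, pattern.lower()):
            return pattern
    return None

def evaluate(host, block_list, allow_list, order=("block", "allow"), default="allow"):
    """Toy model: consult the lists in `order`; the first list with a hit decides."""
    lists = {"block": block_list, "allow": allow_list}
    for action in order:
        hit = match(host, lists[action])
        if hit is not None:
            return action, hit  # decision plus the entry that caused it (for logging)
    return default, None

# Lists as described in the thread; hosts are constructed sample values.
BLOCK = ["*.*"]
ALLOW = ["www.domain.com", "*.akamai.com"]
HOSTS = ["www.domain.com", "a1234.akamai.com", "www.example.org"]

def run(order, default):
    """Map each sample host to the action taken under the given list order."""
    return {h: evaluate(h, BLOCK, ALLOW, order, default)[0] for h in HOSTS}

if __name__ == "__main__":
    # Block list first (behaviour reported above): the wildcard shadows every allow entry.
    print("block-first:", run(("block", "allow"), "allow"))
    # Allow list first (behaviour requested above): only listed hosts pass.
    print("allow-first:", run(("allow", "block"), "block"))
    # The matching entry shows which list a log line would be attributed to.
    print(evaluate("www.domain.com", BLOCK, ALLOW))
```
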
