08-10-2011 08:08 PM
You can set up a URL filtering profile with allowed sites and block the rest.
A security rule for the source can be set up, trust to untrust, allow, and apply the security profile.
The security profile will scan the traffic after it matches the allow/deny condition and will allow only sites allowed.
08-10-2011 08:37 PM
That's just the thing. I don't find the place where I can add URL addresses. Perhaps I'm not in the right place. I'm looking under policies, new, security policy. I just want to allow this host to get out to one site on the web. Thanks, Leo
08-10-2011 09:29 PM
You'll find what you're looking for under Objects tab > Security Profiles section > URL Filtering link. Either edit an existing profile or create a new one. You'll find a Block List and an Allow List. You'll need to commit the configuration change for it to take effect.
08-11-2011 05:37 AM
Thanks for pointing me in the right direction, but I'm afraid what I do there will affect everyone. I just need to restrict a single host on the network to be able to get out only to one site. I don't want to enforce that on everyone. I don't see a way to target that list from anywhere else.
08-11-2011 05:46 AM
Follow jdavis's advice and create a _new_ URL filter profile. Then use this in a new firewall policy that targets that specific network host.
Just make sure that the new policy is above any other policy that allows web browsing.
08-11-2011 05:52 AM
Try creating a new URL filtering profile that will only be used to control traffic from your single host.
Any changes made in this new profile will not affect users of other profiles.
Enter the URL you want to allow in the allow list and block the rest. Then in your security policy, add a rule to apply your new URL filtering profile to just traffic originating from your single host.
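The rule-ordering point from the replies above, as an added example that is not part of the original thread and not vendor code: a simplified Python model of top-down, first-match rule evaluation in which a URL profile is attached to one host's rule. The class and rule names, the 10.0.0.x addresses and the example.com allow-list entry are constructed assumptions, and the wildcard matching uses Python's `fnmatch`, not the firewall's own matcher.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class UrlProfile:
    """Hypothetical stand-in for a URL filtering profile: allow list, block the rest."""
    name: str
    allow_list: List[str]

    def permits(self, url: str) -> bool:
        return any(fnmatchcase(url.lower(), p.lower()) for p in self.allow_list)


@dataclass
class Rule:
    """Hypothetical allow rule: source match plus an optional URL profile."""
    name: str
    source: str  # address or CIDR
    profile: Optional[UrlProfile] = None


def evaluate(rules: List[Rule], src_ip: str, url: str) -> Tuple[Optional[str], str]:
    """Top-down, first match wins; the profile is checked only on the matched rule."""
    for rule in rules:
        if ip_address(src_ip) in ip_network(rule.source):
            if rule.profile and not rule.profile.permits(url):
                return rule.name, "block-url"
            return rule.name, "allow"
    return None, "deny"


# Constructed sample values: 10.0.0.50 is the restricted host, example.com the one allowed site.
ONE_SITE = UrlProfile("one-site-only", ["*.example.com/*"])
HOST_RULE = Rule("restricted-host", "10.0.0.50/32", ONE_SITE)
GENERAL_RULE = Rule("general-web", "10.0.0.0/24")

CORRECT_ORDER = [HOST_RULE, GENERAL_RULE]   # host rule above general browsing
WRONG_ORDER = [GENERAL_RULE, HOST_RULE]     # host rule shadowed, never reached

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for ip, url in (("10.0.0.50", "www.example.com/news/a.html"),
                        ("10.0.0.50", "www.example.org/"),
                        ("10.0.0.51", "www.example.org/")):
            print(label, ip, url, evaluate(rules, ip, url))
```

With the host rule placed below the general rule, the restricted host matches the general rule first and its URL profile is never consulted.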
08-11-2011 05:54 AM
Thanks guys, I had neglected to select "profiles" from within the actions tab. That's why I didn't see the url filter I created.
I will now commit this policy and cross my fingers that it works.
I'm now wondering if I need to create another filter that blocks everything and then apply both to the host so that only the site I specified in allow will work. We'll see.
Thanks again for your help!
08-11-2011 08:14 AM
Just to provide you more details:
1. Allow list: you allow any URLs on the list without logging
2. Block List: by default you are blocking URLs on the list with logging
3. Category: you can choose to alert/block/allow/continue/override any URL access
As you can see, category gives you more options on details. It may be better for you to:
1. go to object->custom URL category
2. manually input the list of URLs you want to allow
3. go back to the policy to create a URL profile
4. keep the whitelist and blocklist blank
5. on the right hand side set all the actions to be block
6. on the right hand side find the custom category you have just created (there will be * at the end of the category name to indicate that it is a custom category)
7. change the action for this specific custom category. E.g., if you just want to allow them without logging choose allow; if you want to allow them with logging choose alert; if you want to provide a warning page before you allow them choose continue.
Now you are using category to control the access, and what you need to do is to update the custom category from the object page from time to time.
08-11-2011 08:27 AM
Thanks for the feedback. I actually tried using the category list and blocked all of them.
All I want is access to one site. Unfortunately by doing it this way sub-pages within the allowed website fail to load properly. For example I tested with allowing *.cnn.com/* but the only page that opens is the home page. All other subpages within the cnn.com website appear as broken links.
And yes all other sites are blocked and it is displayed in the host browser. So that's pretty cool. I'll keep messing with it.