Rule syntax/ordering question

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Rule syntax/ordering question

L0 Member

We've just installed a PA-2050 in our school and I'm trying to get it configured with some basic rules but I'm not quite sure I have the syntax or ordering of my rules right to achieve the outcome I want.

The simple side of things that I want to do is allow access to Facebook to members of the Active Directory group Staff Users while denying access to everyone else.

Here are the two rules that are causing me issues

pa rules.jpg

A complicating factor here is that a large number of my students who I'm trying to block here are using their own devices on the wireless and as yet I am unable to identify their AD username which is why I have an "any" in the user field of the deny rule.

Any suggestions as to how I can structure my rules to get this outcome.

The next step will be allowing Facebook and Tumblr to those same blocked users on a schedule but for now, I'm happy with just blocking them outright.

5 REPLIES 5

L5 Sessionator

To allow facebook and tumblr, you need to allow web browsing and ssl if you have not already done so. The rule set you have should allow facebook and tumblr access to the staff users.

If you want to have control over the users who are not identified by AD, I would suggest using Captive Portal which will provide an authentication page before they can access any resources.

Here's my full rule set

pa rules2.jpg

Even when I explicitly put my user name in the Staff_Allow rule, the rule below it continues to override it.

L5 Sessionator

Captive portal is one of the user identification methods available on the Palo Alto Networks firewall. Unknown users sending HTTP or HTTPS1 traffic will be authenticated, as specified bythe captive portal rulebase.Attached Tech-Note explains configuration.

PA uses top-down first-match (like most FW's do nowadays) which gives that your "Alerting" rule will never be hit since its shadowed by "Block URL for everyone".

Could you paste the output you get from the commit-window when you commits?

There should be warnings about the shadowing I mentioned above aswell as lack of dependencies (which what I guess is why your user never hits that allow rule).

To test if your userid is correct you could as a test (if possible) set application to "any" to verify that its application related and not userid related.

By the way - your service-column should NEVER be set to any (in my opinion) - you should use "application-default" OR set this manually (like TCP80, TCP443 if you only want browsing to occur on these ports).

L4 Transporter

Do you see any activity on that rule in the Traffic Logs on the Monitor page?

Try this from the command line…

test security-policy-match application facebook-base source-user 'staff username here' source x.x.x.x destination y.y.y.y destination-port XX protocol 6

From: rangiruru <live@paloaltonetworks.com<mailto:live@paloaltonetworks.com>>

Reply-To: live <live@paloaltonetworks.com<mailto:live@paloaltonetworks.com>>

To: Brad Spilde <brad.spilde@daktronics.com<mailto:brad.spilde@daktronics.com>>

Subject: Rule syntax/ordering question

We've just installed a PA-2050 in our school and I'm trying to get it configured with some basic rules but I'm not quite sure I have the syntax or ordering of my rules right to achieve the outcome I want.

The simple side of things that I want to do is allow access to Facebook to members of the Active Directory group Staff Users while denying access to everyone else.

Here are the two rules that are causing me issues

Image:pa rules.jpg (https://live.paloaltonetworks.com/servlet/JiveServlet/showImage/3027/pa+rules.jpg)

A complicating factor here is that a large number of my students who I'm trying to block here are using their own devices on the wireless and as yet I am unable to identify their AD username which is why I have an "any" in the user field of the deny rule.

Any suggestions as to how I can structure my rules to get this outcome.

The next step will be allowing Facebook and Tumblr to those same blocked users on a schedule but for now, I'm happy with just blocking them outright.

  • 3350 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!