02-16-2012 01:17 AM
We have a security rule:
Src Zone: Internal
Src User: Any
Dest Zone: Any
Dest Add: Any
Application: Application filter which inlucde all online videos (e.g. adobe-media-player, http-video, tvb-video, youtube-base)
Action: Deny
It works as expected, however some users need to view some business video now. Is there any option to configure 'override' as action in security?
I found 'override' action can be selected in URL Filtering profile, here is part of admin guide:
Override - Allow the user to access the blocked page after entering a password. The password and other override settings are specified in the URL Admin Override area of the Settings page.
If override is not available, any option to allow users to watch video based on Frequency? Let say 3 hours per day?
02-16-2012 06:31 AM
Hi...Override & Continue actions are URL filtering actions as you have found and they are not available under the security rule's action. We do not classify recreational vs.business video apps, but web sites are classified by URL filtering categories. Hence, we can choose URL categories to override/continue.
A suggestion is to control which URL categories users/groups are allowed/denied. If they are given access to business web sites, they can access business videos from those sites. Then apply override/continue actions to streaming-media category and apply a QoS policy to control the bandwidth for streaming media.
Also, there is the option to specify time-of-day where the policy is enforced under security rule. You can block youtube, netflix from 8am-5pm while allowing them after hours.
Thanks.
02-16-2012 09:18 AM
rmonvon, thank you for your advice.
URL filtering is not a perfect solution for our case. Because the "business" videos are uploaded to youtube by vendors, e.g. http://www.youtube.com/watch?v=TTTbzbiBFfM&list=PL77D49394B6A8FD31&feature=plcp&context=C38c0451FDOE...
02-16-2012 09:37 AM
As far as I know, youtube only classifies materials that are inappropriate for childrens. It does not classify contents as business, health-medicine, etc to filter on.
02-16-2012 01:07 PM
Can you specify somehow who these users are?
Like by srcip or by srcuser (AD integration)?
Since PAN is top-down first-match you could add a rule similar to following just before your current rule to take care of the users who should be able to view online videos:
Src Zone: Internal
Src User: USER_Video_Allowed
Dest Zone: Any
Dest Add: Any
Application: Application filter which inlucde all online videos (e.g. adobe-media-player, http-video, tvb-video, youtube-base)
Action: Allow
02-16-2012 06:06 PM
Yes, we can configure the rule by user or group, however it may not be a good idea to allow some users to override our company policy. We want the users can override some blocked applications when needed but at the same time system can log this action or admin can be alerted. I think it is more flexible.
I know many other brands FW with application control on the market can configure security rule as 'override' or 'alert'. If at the moment this option is not available on PAN device, I suggest adding this feature in the future release.
02-16-2012 07:37 PM
Both continue and block is available in PAN since years.
Just add the custom rule as I described but use a custom security profile where you define that the url category (or all categories for that matter) will result in a continue. This way you will decide through appid which apps should get the continuepage.
You can also select a url profile straigth away from the security rule view but I prefer to bundle stuff into security profiles but thats just a matter of taste.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
