Security Policy Action Options other than Allow/Deny


We have a security rule:

Src Zone: Internal

Src User: Any

Dest Zone: Any

Dest Add: Any

Application: Application filter which includes all online videos (e.g. adobe-media-player, http-video, tvb-video, youtube-base)

Action: Deny

It works as expected; however, some users now need to view some business videos. Is there any option to configure 'override' as action in security?


I found 'override' action can be selected in URL Filtering profile, here is part of admin guide:

Override - Allow the user to access the blocked page after entering a password. The password and other override settings are specified in the URL Admin Override area of the Settings page.

If override is not available, is there any option to allow users to watch video based on frequency? Let's say 3 hours per day?


L6 Presenter

Hi... Override & Continue actions are URL filtering actions, as you have found, and they are not available under the security rule's action. We do not classify recreational vs. business video apps, but web sites are classified by URL filtering categories. Hence, we can choose URL categories to override/continue.

A suggestion is to control which URL categories users/groups are allowed/denied.  If they are given access to business web sites, they can access business videos from those sites.  Then apply override/continue actions to streaming-media category and apply a QoS policy to control the bandwidth for streaming media.

Also, there is the option to specify time-of-day where the policy is enforced under security rule.  You can block youtube, netflix from 8am-5pm while allowing them after hours.

Thanks.

rmonvon, thank you for your advice.

URL filtering is not a perfect solution for our case. Because the "business" videos are uploaded to youtube by vendors, e.g. http://www.youtube.com/watch?v=TTTbzbiBFfM&list=PL77D49394B6A8FD31&feature=plcp&context=C38c0451FDOE...

As far as I know, youtube only classifies materials that are inappropriate for children. It does not classify content as business, health-medicine, etc. to filter on.

L6 Presenter

Can you specify somehow who these users are?

Like by srcip or by srcuser (AD integration)?

Since PAN is top-down first-match, you could add a rule similar to the following just before your current rule to take care of the users who should be able to view online videos:

Src Zone: Internal

Src User: USER_Video_Allowed

Dest Zone: Any

Dest Add: Any

Application: Application filter which includes all online videos (e.g. adobe-media-player, http-video, tvb-video, youtube-base)

Action: Allow
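The ordering point in the reply above, as an added example that is not part of the original post and is not PAN-OS code: a simplified model of top-down first-match evaluation, plus a check for rules that an earlier, broader rule makes unreachable. The rule names and the fall-through deny are assumptions of this model; Dest Zone and Dest Add are Any in both rules and are left out.

```python
from dataclasses import dataclass

ANY = "any"
# Application names taken from the filter examples in the thread.
VIDEO_APPS = frozenset({"adobe-media-player", "http-video", "tvb-video", "youtube-base"})

@dataclass(frozen=True)
class Rule:
    name: str          # hypothetical rule name
    src_zone: str
    src_user: str      # a user group name, or ANY
    apps: frozenset
    action: str

    def matches(self, zone, groups, app):
        return (self.src_zone in (ANY, zone)
                and (self.src_user == ANY or self.src_user in groups)
                and app in self.apps)

def evaluate(rules, zone, groups, app):
    """Return (rule name, action) of the first matching rule, top-down."""
    for rule in rules:
        if rule.matches(zone, groups, app):
            return rule.name, rule.action
    return "no-match", "deny"  # assumption of this model: unmatched traffic is dropped

def shadowed(rules):
    """Names of rules that can never match because an earlier rule covers them."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.src_zone in (ANY, later.src_zone)
                    and earlier.src_user in (ANY, later.src_user)
                    and later.apps <= earlier.apps):
                hidden.append(later.name)
                break
    return hidden

ALLOW = Rule("allow-video-users", "Internal", "USER_Video_Allowed", VIDEO_APPS, "allow")
DENY = Rule("deny-video", "Internal", ANY, VIDEO_APPS, "deny")

GOOD_ORDER = [ALLOW, DENY]   # exception placed before the general deny
BAD_ORDER = [DENY, ALLOW]    # exception placed after: it never matches

if __name__ == "__main__":
    member = {"USER_Video_Allowed"}
    print(evaluate(GOOD_ORDER, "Internal", member, "youtube-base"))
    print(evaluate(BAD_ORDER, "Internal", member, "youtube-base"))
    print("shadowed in bad order:", shadowed(BAD_ORDER))
```

Running the shadow check over an exported rule list before committing catches an exception rule that was added below the rule it is meant to override.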

Yes, we can configure the rule by user or group; however, it may not be a good idea to allow some users to override our company policy. We want users to be able to override some blocked applications when needed, but at the same time the system can log this action or the admin can be alerted. I think it is more flexible.

I know many other FW brands with application control on the market can configure a security rule as 'override' or 'alert'. If this option is not available on PAN devices at the moment, I suggest adding this feature in a future release.

Both continue and block have been available in PAN for years.

Just add the custom rule as I described, but use a custom security profile where you define that the URL category (or all categories for that matter) will result in a continue. This way you will decide through appid which apps should get the continue page.

You can also select a URL profile straight away from the security rule view, but I prefer to bundle stuff into security profiles; that's just a matter of taste.
