03-21-2019 06:31 AM - edited 03-21-2019 07:21 AM
Hello all,
I've read multiple documents from PA and read some on the forums here, but cannot find anything definitive on this.
What I'm trying to find out is what is the best practice/most effective way to configure a Security Policy for filtering. I understand there are several ways to do this, but I've found that the way I've been doing it doesn't always seem to work the best. Are there any issues with the following config?
Create a Security Policy and set the Action to Allow. Set a URL Filtering Profile. Create a Custom URL Category for Allowed URLs. Create a Custom URL Category for Denied URLs. Apply these Custom URL Categories inside the URL Filtering Profile. Set other categories to Deny within the URL Filtering Profile.
If I were to set the Action for a Security Policy to Deny, does that Deny all traffic that matches?
Any advice will be very helpful. Thanks.
03-21-2019 07:43 AM
The action of the security policy works at the network layer, so it interrupts a flow of packets, whereas a security profile interacts with layer7, so a url blocking profile will throw up a blocked page instead of the actual webpage, from the network layer perspective the traffic will act normally
A 'block' security policy will never use security profiles as the packets are blocked before that rule would engage security profiles
Your rule needs to be allow, and with your profiles set, only the allowed custom category urls will be allowed and all others will create block pages for the users
There is an in-between solution, where you apply a custom URL category in the 'services' of the security policy
This works as a sort of ip-lookup and only allow/deny traffic for the "ips" that match the urls in your custom category
03-21-2019 07:43 AM
The action of the security policy works at the network layer, so it interrupts a flow of packets, whereas a security profile interacts with layer7, so a url blocking profile will throw up a blocked page instead of the actual webpage, from the network layer perspective the traffic will act normally
A 'block' security policy will never use security profiles as the packets are blocked before that rule would engage security profiles
Your rule needs to be allow, and with your profiles set, only the allowed custom category urls will be allowed and all others will create block pages for the users
There is an in-between solution, where you apply a custom URL category in the 'services' of the security policy
This works as a sort of ip-lookup and only allow/deny traffic for the "ips" that match the urls in your custom category
03-21-2019 04:54 PM
Thanks for great explanation.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
