Security Policy Best Practice

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security Policy Best Practice

L2 Linker

Hello all,

I've read multiple documents from PA and read some on the forums here, but cannot find anything definitive on this.

 

What I'm trying to find out is what is the best practice/most effective way to configure a Security Policy for filtering. I understand there are several ways to do this, but I've found that the way I've been doing it doesn't always seem to work the best. Are there any issues with the following config?

 

Create a Security Policy and set the Action to Allow. Set a URL Filtering Profile. Create a Custom URL Category for Allowed URLs. Create a Custom URL Category for Denied URLs. Apply these Custom URL Categories inside the URL Filtering Profile. Set other categories to Deny within the URL Filtering Profile.

 

If I were to set the Action for a Security Policy to Deny, does that Deny all traffic that matches?

 

Any advice will be very helpful. Thanks.

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

The action of the security policy works at the network layer, so it interrupts a flow of packets, whereas a security profile interacts with layer7, so a url blocking profile will throw up a blocked page instead of the actual webpage, from the network layer perspective the traffic will act normally

 

A 'block' security policy will never use security profiles as the packets are blocked before that rule would engage security profiles

Your rule needs to be allow, and with your profiles set, only the allowed custom category urls will be allowed and all others will create block pages for the users

 

 

There is an in-between solution, where you apply a custom URL category in the 'services' of the security policy

This works as a sort of ip-lookup and only allow/deny traffic  for the "ips" that match the urls in your custom category

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

The action of the security policy works at the network layer, so it interrupts a flow of packets, whereas a security profile interacts with layer7, so a url blocking profile will throw up a blocked page instead of the actual webpage, from the network layer perspective the traffic will act normally

 

A 'block' security policy will never use security profiles as the packets are blocked before that rule would engage security profiles

Your rule needs to be allow, and with your profiles set, only the allowed custom category urls will be allowed and all others will create block pages for the users

 

 

There is an in-between solution, where you apply a custom URL category in the 'services' of the security policy

This works as a sort of ip-lookup and only allow/deny traffic  for the "ips" that match the urls in your custom category

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for great explanation.

MP

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 2606 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!