Just implemented a 3020 and have many Engineers looking to download EXE, ZIPs and FTP to sites all over the place. I am looking to allow them to use these services to certain URLs only. I have tried to create a custom URL list and File Transfer group, but the problem I am having is creating a rule that allows access to certain sites without allowing too much. Trying to make it as strict as possible. I would like my other security policies to be the default and to be in effect for them if they are not going to the certain URLs stated above. Anyone have any suggestions? Anyone done this before?
Policy 1: strict, with all the URL restrictions.
Policy 2, below policy 1: the default one, with URLs that are not stated above.
I am fairly new to Palo Alto, but if the users are blocked by the strict URL restrictions above in policy #1, then how would the traffic get to policy #2?
I have a security policy in place that blocks all FTP, EXE, zip files amongst other things using the File Blocking Profile. I need certain users to bypass this 'file blocking' when they are trying to hit certain URLs. I thought there should be a way to put a rule ahead of this that would state: if you are trying to hit a certain URL (by name) and you are trying to download or upload EXE, ZIP types of files, then it would be okay, kind of like a whitelist. The SOURCE and DESTINATION only allow for IP/IP ranges. The Service/URL category lets me choose my custom URL list, but it won't take effect as it is not meant for that, I have been told. So it would have to be a special policy that allows those certain URLs, but not all URLs for those certain file types.
If you are pulling AD groups via LDAP into the firewall, you can set up the following:
Source user: specific user group/users that can download from some URLs.
Source IP: ANY. If there are no AD groups being pulled, specific source IPs of clients need to be specified.
URL category: ANY.
Profiles: reference the URL filtering profile with the custom category containing the URLs that can be accessed.
Strict with all restrictions.
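To show why the ordering matters (the follow-up question asked how traffic blocked by policy #1 could ever reach policy #2), here is an added model of top-down, first-match rulebase evaluation written for this thread; it is not PAN-OS code, and the engineer group, hostnames and rule names are constructed. It assumes, as the reply does, that the exception rule matches on the user group and carries its own URL filtering and file-blocking profiles, while the strict default rule below it keeps the existing file-blocking profile.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from the thread): an AD group and a custom URL category.
ENGINEERS = {"alice", "bob"}
APPROVED_SITES = {"downloads.vendor.example", "ftp.partner.example"}

@dataclass
class Rule:
    name: str
    source_users: Optional[set]      # match criterion; None means "any" user
    url_filter_allow: Optional[set]  # URL filtering profile: hosts allowed; None = unrestricted
    file_block: set                  # file-blocking profile: file types blocked on this rule

@dataclass
class Session:
    user: str
    host: str
    file_type: str

def first_match(rules, s):
    """Top-down, first-match evaluation on the rule's match criteria (the user, here)."""
    for r in rules:
        if r.source_users is None or s.user in r.source_users:
            return r
    return None

def evaluate(rules, s):
    """Return (rule name, verdict). Profiles act only after a rule has matched;
    nothing falls through to a later rule once a match is found."""
    r = first_match(rules, s)
    if r is None:
        return (None, "deny")  # nothing matched: implicit deny
    if r.url_filter_allow is not None and s.host not in r.url_filter_allow:
        return (r.name, "url-blocked")
    if s.file_type in r.file_block:
        return (r.name, "file-blocked")
    return (r.name, "allow")

# Rulebase as the reply lays it out: exception rule for the engineer group first,
# then the strict default rule with the existing file-blocking profile.
EXCEPTION = Rule("engineers-approved-downloads", ENGINEERS, APPROVED_SITES, set())
STRICT = Rule("default-strict", None, None, {"exe", "zip"})
RULEBASE = [EXCEPTION, STRICT]

def verdicts(rules, sessions):
    return [evaluate(rules, s) for s in sessions]
```

Reversing the two rules makes the engineers' downloads hit the strict rule first and get file-blocked, which is the situation the follow-up question describes; note also that with this layout an engineer's session to a non-approved site is stopped by the exception rule's URL profile rather than passed down to the default rule.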