This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Security policy rule to allow users to download from certain URL's?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Security policy rule to allow users to download from certain URL's?

gkauno
L1 Bithead

‎04-30-2013 10:51 AM

Just implemented a 3020 and have many Engineers looking to download EXE, ZIPs and ftp to sites all over the place.  I am looking to allow them to use these services to certain URLs only.  i have tried to create a custom URL list and File Transfer group but the problem i am having is created a rule that allows access to certain sites but not allowing too much.  trying to make it as strict as possible.  i would like my other security policies to be the default and to be in effect for them if they are not going to certain URLs stated above.  anyone have any suggestions?  anyone done this before?

Labels:
0 Likes Likes
5 REPLIES 5

sraghunandan
L5 Sessionator

‎04-30-2013 11:30 AM

Policy 1:- Strict with all the url restrictions.

Policy 2 below policy 1:- default one with urls that are not stated above.

0 Likes Likes

gkauno
L1 Bithead
In response to sraghunandan

‎04-30-2013 12:20 PM

i am fairly new Palo Alto but if the users are blocked by the Strict URL restrictions above in the policy #1 then how would the traffic get to Policy #2?

0 Likes Likes

sraghunandan
L5 Sessionator
In response to gkauno

‎04-30-2013 12:25 PM

Can you give us an example of what you are trying to achieve that will give me a fair idea.

0 Likes Likes

gkauno
L1 Bithead
In response to sraghunandan

‎04-30-2013 12:44 PM

i have a security policy in place that blocks all FTP, EXE, zip files amongst other things
using the File Blocking Profile.  i need certain users to bypass this 'file blocking' when they are tyring to hit certain URL's.  I thought there should be a way to put a rule ahead of this that would state if you are trying to hit a certain URL (By name) and you are trying to download or upload EXE, ZIP types of files then it would be okay.  kind of like a whitelist.  the SOURCE and DESTINATION only allow for IP/IPranges.  the Service/URL category lets me choose my custom URL list but it wont take effect as it is not meant for that i have been told.  so it would have to be a special policy that allows those certain URLs, but not all URLs for those certain file types.

0 Likes Likes

mvenkatesan
L2 Linker
In response to gkauno

‎04-30-2013 10:54 PM

If you are pulling AD groups via LDAP into the firewall, you can setup the following:

Policy 1:

Source user : specific user-group/users that can download from some URL's

Source IP: ANY. If there are no AD groups being pulled, specific source IP's of clients need to be specified.

URL category : ANY

Profiles: Reference the URL filtering profile with the custom category containing the URL's that can be accessed.

Policy 2:

Strict with all restrictions.

  • 3669 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks