04-30-2013 10:51 AM
Just implemented a 3020 and have many Engineers looking to download EXE, ZIPs and ftp to sites all over the place. I am looking to allow them to use these services to certain URLs only. i have tried to create a custom URL list and File Transfer group but the problem i am having is created a rule that allows access to certain sites but not allowing too much. trying to make it as strict as possible. i would like my other security policies to be the default and to be in effect for them if they are not going to certain URLs stated above. anyone have any suggestions? anyone done this before?
04-30-2013 11:30 AM
Policy 1:- Strict with all the url restrictions.
Policy 2 below policy 1:- default one with urls that are not stated above.
04-30-2013 12:20 PM
i am fairly new Palo Alto but if the users are blocked by the Strict URL restrictions above in the policy #1 then how would the traffic get to Policy #2?
04-30-2013 12:25 PM
Can you give us an example of what you are trying to achieve that will give me a fair idea.
04-30-2013 12:44 PM
i have a security policy in place that blocks all FTP, EXE, zip files amongst other things
using the File Blocking Profile. i need certain users to bypass this 'file blocking' when they are tyring to hit certain URL's. I thought there should be a way to put a rule ahead of this that would state if you are trying to hit a certain URL (By name) and you are trying to download or upload EXE, ZIP types of files then it would be okay. kind of like a whitelist. the SOURCE and DESTINATION only allow for IP/IPranges. the Service/URL category lets me choose my custom URL list but it wont take effect as it is not meant for that i have been told. so it would have to be a special policy that allows those certain URLs, but not all URLs for those certain file types.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!