Security policy rule to allow users to download from certain URL's?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security policy rule to allow users to download from certain URL's?

L1 Bithead

Just implemented a 3020 and have many Engineers looking to download EXE, ZIPs and ftp to sites all over the place.  I am looking to allow them to use these services to certain URLs only.  i have tried to create a custom URL list and File Transfer group but the problem i am having is created a rule that allows access to certain sites but not allowing too much.  trying to make it as strict as possible.  i would like my other security policies to be the default and to be in effect for them if they are not going to certain URLs stated above.  anyone have any suggestions?  anyone done this before?


L5 Sessionator

Policy 1:- Strict with all the url restrictions.

Policy 2 below policy 1:- default one with urls that are not stated above.

i am fairly new Palo Alto but if the users are blocked by the Strict URL restrictions above in the policy #1 then how would the traffic get to Policy #2?

Can you give us an example of what you are trying to achieve that will give me a fair idea.

i have a security policy in place that blocks all FTP, EXE, zip files amongst other things
using the File Blocking Profile.  i need certain users to bypass this 'file blocking' when they are tyring to hit certain URL's.  I thought there should be a way to put a rule ahead of this that would state if you are trying to hit a certain URL (By name) and you are trying to download or upload EXE, ZIP types of files then it would be okay.  kind of like a whitelist.  the SOURCE and DESTINATION only allow for IP/IPranges.  the Service/URL category lets me choose my custom URL list but it wont take effect as it is not meant for that i have been told.  so it would have to be a special policy that allows those certain URLs, but not all URLs for those certain file types.

If you are pulling AD groups via LDAP into the firewall, you can setup the following:

Policy 1:

Source user : specific user-group/users that can download from some URL's

Source IP: ANY. If there are no AD groups being pulled, specific source IP's of clients need to be specified.

URL category : ANY

Profiles: Reference the URL filtering profile with the custom category containing the URL's that can be accessed.

Policy 2:

Strict with all restrictions.

  • 5 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!