Trying to block only certain websites using 3.1.6

I need some help. I am very new to using firewalls and am not scheduled to go to class for Palo Alto until the first week of September. In the mean time I am trying to block a group of users from accessing the internet other than about 10 sites. I have tried everything I know how to do and even stuff I am just trying to figure out to do and I get it to block all sites but not let the ones through I need it to let through. I would appreciate any help anyone can give.


Accepted Solutions

Not applicable

Are you using active directory? or will you be blocking users by IP?  (this will come in handy later)

First, I would recommend upgrading to 3.1.9, since there are some bugs that I encountered in 3.1.6 and 3.1.8 with URL filtering. There are some guides on the support site that make the upgrade pretty painless.

Before you start writing the rules, go to Objects -> Security Profiles -> URL Filtering rules.

Create a new URL filtering profile.

After you give the url filtering profile a name and description, check the dynamic URL filtering box.

Near the bottom of the window, you will see a box called "Allow List". Enter the 10 URLs that you wish to allow.

Now, on the right you will see all the different categories. Go to the very top and find the option "Set for all categories". Under the column "action" set it to block. This means that all the websites in all the categories will be blocked by the PAN.

Then click ok.

You have a new URL filtering profile that blocks all categories but allows the 10 URLs that you have in your whitelist.

All you have to do is add this URL Filtering profile to a rule. On the far right of the rule, you will see a column labeled "profile". Click on the word "none" and select the URL filtering profile that you created.

Now go ahead and test.

One last personal recommendation. It's usually better to write the most specific / constrictive rules ahead of the more general / less restrictive rules.

Make sure that your blocking rule is ahead of your general web browsing rule that you have set for the remaining users.

Also, are you getting your training at Trace3? I'm sending one of my SEs there too for training. Those are good folks there. Ask lots of questions.


6 REPLIES

I appreciate the help. I will try this now but I have another question to go with it. I am blocking using a special AD group just for this rule. As far as upgrading to 3.1.9 I am going to training on the 4.0 in 2 weeks and then we will be upgrading to that so moving to 3.1.9 at this point would be a waste. On the rule I am making do I make it a block or allow rule? I am assuming block but I just want to make sure.

Yes I am going to Trace3 for my training.

Hi,

In every rule you want to associate a Security Profile to (aka Content Inspection - AV, AS, URL, DLP, File Blocking) you MUST use the ALLOW action. If you put DENY, traffic will not be inspected by Content-ID.

😉

Thank you for the response. I got it working thanks to the help from you guys. I had done everything right originally other than the part about checking the dynamic URL box. What exactly does that do for it?

I have it working but there is a problem with the news sites. CNN, MSNBC, MSN, and Fox news sites all come through but only parts of the site. Pictures do not come through and the site in general is just not right. What could be causing this and is there anything I can do to get it corrected?

The only thing you can do is look at your URL Logs for suspect "block-url" actions.

Many times a web page has links that point to other websites which are probably blocked by your Profile.

If you want to make an exception for CNN and other sites, I suggest you insert something like this for all sites you want in the Allow List:

*.cnn.com

For example, enabling Facebook only with the Allow List would be tricky, because Facebook calls many different domains such as fcbn.com etc.

So, you would need to have a list of all domains called...

Hope this helps.

p.s. Remember, your logs always tell you the truth! 🙂

Hi Jeff,

The option for Dynamic URL filtering allows the device to query the BrightCloud server when a URL is not found on-device.  Essentially, what this does is allows you to have access to the master database and not be limited to the entries on your device.

In regards to certain parts of cnn.com, msnbc.com, msn.com, etc. getting blocked, please check your URL filtering logs for a better explanation.  As mentioned in a previous post, sites often pull content from other sites which are often categorized as web-advertisements, content-delivery, etc., which depending on your URL filtering profile, could be blocked.  Check your URL filtering logs to see what category these were and then check your URL filtering profile to confirm.

Hope this helps,

Doris
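The two replies above both point at the same workflow: read the URL filtering log for "block-url" entries, see which categories and hosts they fall into, and compare those hosts against the Allow List (using entries like `*.cnn.com`). The script below is an added example written for this thread, not something posted by the participants or shipped by Palo Alto Networks. It uses a constructed, simplified comma-separated log (receive time, user, URL, category, action) rather than a real PAN-OS log export, and it assumes that a `*.domain` Allow List entry covers any host ending in `.domain`; check the wildcard rules in the documentation for your PAN-OS version before relying on that assumption.

```python
import csv
import io
from collections import Counter

# Constructed sample lines in a simplified format (NOT a real PAN-OS URL log export):
# receive_time,source_user,url,category,action
SAMPLE_LOG = """\
2011/08/15 10:01:02,corp\\jsmith,www.cnn.com/,news,alert
2011/08/15 10:01:03,corp\\jsmith,i2.cdn.turner.com/cnn/images/logo.png,content-delivery-networks,block-url
2011/08/15 10:01:03,corp\\jsmith,ads.cnn.com/js/ad.js,web-advertisements,block-url
2011/08/15 10:01:05,corp\\jsmith,www.msnbc.msn.com/,news,alert
2011/08/15 10:01:06,corp\\jsmith,static.msn.com/css/site.css,content-delivery-networks,block-url
2011/08/15 10:02:10,corp\\jsmith,www.facebook.com/,social-networking,block-url
"""

# Hypothetical Allow List as it might be entered in the URL filtering profile.
ALLOW_LIST = ["*.cnn.com", "www.msnbc.msn.com", "*.msn.com"]

FIELDS = ["receive_time", "source_user", "url", "category", "action"]


def parse_url_log(text):
    """Turn the simplified CSV log into a list of dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]


def host_of(url):
    """Hostname part of a log URL (the log stores 'host/path' without a scheme)."""
    return url.split("/", 1)[0].lower()


def blocked_by_category(records):
    """Count 'block-url' entries per category: the first thing to look at in the log."""
    return Counter(r["category"] for r in records if r["action"] == "block-url")


def host_covered(host, allow_list):
    """Assumed Allow List semantics: '*.x' covers any host ending in '.x',
    anything else must match the host exactly. 'cnn.com' itself is NOT
    covered by '*.cnn.com' under this assumption."""
    host = host.lower()
    for entry in allow_list:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):   # "*.cnn.com" -> ".cnn.com"
                return True
        elif host == entry:
            return True
    return False


def uncovered_blocked_hosts(records, allow_list):
    """Blocked hosts that no Allow List entry covers: the ones breaking page layout."""
    hosts = {host_of(r["url"]) for r in records if r["action"] == "block-url"}
    return sorted(h for h in hosts if not host_covered(h, allow_list))


def suggest_allow_entries(hosts):
    """Candidate '*.domain' entries built from the last two labels of each host.
    These are suggestions for a human to review, not entries to add blindly:
    a CDN or ad network wildcard may open far more than the one news site."""
    return sorted({"*." + ".".join(h.split(".")[-2:]) for h in hosts})


if __name__ == "__main__":
    records = parse_url_log(SAMPLE_LOG)
    print("block-url hits per category:")
    for category, count in blocked_by_category(records).most_common():
        print(f"  {category}: {count}")
    missing = uncovered_blocked_hosts(records, ALLOW_LIST)
    print("blocked hosts not covered by the Allow List:", missing)
    print("candidate entries to review:", suggest_allow_entries(missing))
```

Running it shows that the blocked requests fall into content-delivery-networks, web-advertisements and social-networking, that `ads.cnn.com` and `static.msn.com` are already covered by the wildcards, and that `i2.cdn.turner.com` (the CDN the news page pulls images from) is what still needs an entry; `www.facebook.com` shows up in the same list, which is exactly why the candidates are for review rather than automatic import.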
