02-22-2022 06:48 AM
I want to limit users to accessing the company's SharePoint only, not SharePoint from other tenants or even SharePoint from personal accounts. I found the KB below (section 6), which shows how to use the allow list in the URL filtering profile to block *.sharepoint.com but allow company.sharepoint.com. But I cannot find the allow list section in PAN-OS 10.x, so does anyone know how to configure the URL filtering profile to allow some subdomains (say companyA.sharepoint.com and companyA-myfiles.sharepoint.com) but not other SharePoint domains (*.sharepoint.com)?
02-22-2022 07:44 AM
@alextsa There are no specific allow/block lists as such. You create custom URL categories in "Objects > Custom Objects > URL Category": one for the custom URLs you'd like to block and one for allow. Then, under your URL filtering profile, you assign the required actions - block and alert respectively.
02-22-2022 07:56 AM
Note that block takes precedence over allow though, so a generic block *.sharepoint.com/ filter will block the company Sharepoint even though acme.sharepoint.com/ is in an allow URL category.
02-22-2022 08:04 AM
@batd2 Thanks. I have tried creating two custom categories - one containing *.sharepoint.com and one containing companyA.sharepoint.com and companyA-myfiles.sharepoint.com - then added them to a URL filtering profile with the block action for *.sharepoint.com and allow for companyA.sharepoint.com. But the result is that all subdomains belonging to sharepoint.com are blocked, even the companyA ones.
02-22-2022 08:26 AM
Which PANOS are you running? As said above, generic block takes precedence over specific allow. See https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC .
The advice was to put your generic block in a block URL category, then in Objects -> Security Profiles -> URL Filtering add an allow in the Override tab for the specific URL. I recently upgraded from 8.1.x to a 9.1.x release and that entire tab seems to have disappeared... So I'm not quite sure how you would allow a more specific now...