URL allow list for some of the subdomains


L1 Bithead

Hi all

I want to limit the user to accessing the company's SharePoint only, but not SharePoint from other tenants or even SharePoint from a personal account. Then I found the below KB (section 6), which shows how to use the allow list in the URL filtering profile to block *.sharepoint.com but allow company.sharepoint.com. But I cannot find the allow list section in PAN-OS 10.x, so does anyone know how to configure the URL filtering profile to allow some subdomains (say companyA.sharepoint.com and companyA-myfiles.sharepoint.com) but not other SharePoint domains (*.sharepoint.com)?

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTDCA0

 

Best regards

 

Alex Tsang


L4 Transporter

@alextsa There are no specific allow/block lists as such. You create custom URL categories in "Objects > Custom Objects > URL Category": one for the custom URLs you'd like to block and one for those to allow. Then, under your URL filtering profile, you assign the required actions, block and alert respectively.

Note that block takes precedence over allow though, so a generic block *.sharepoint.com/ filter will block the company Sharepoint even though acme.sharepoint.com/ is in an allow URL category. 

@batd2 Thanks, and I have tried to create two custom categories, one with *.sharepoint.com and one containing companyA.sharepoint.com and companyA-myfiles.sharepoint.com, then added them to a URL filtering profile with the block action for *.sharepoint.com and allow for companyA.sharepoint.com. But the result is that all subdomains belonging to sharepoint.com are blocked, even the companyA one.

 

Best regards

Which PANOS are you running? As said above, generic block takes precedence over specific allow. See https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC .

 

The advice was to put your generic block in a block URL category, then in Objects -> Security Profiles -> URL Filtering add an allow in the Override tab for the specific URL. I recently upgraded from 8.1.x to a 9.1.x release and that entire tab seems to have disappeared... So I'm not quite sure how you would allow a more specific one now...
