For details on cookie usage on our site, read our Privacy Policy
URL allow list for some of the subdomains
- LIVEcommunity
- Discussions
- General Topics
- Re: URL allow list for some of the subdomains
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
URL allow list for some of the subdomains
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-22-2022 06:48 AM
Hi all
I want to limit the user to access the company's sharepoint only, but not other sharepoint from other tenant or even the sharepoint from personal account. Then I found the below KB (section 6) and show how to use allow list in the URL filtering profile to block *.sharepoint.com but allow company.sharepoint.com. But I cannot find the allow list section in PAN-OS 10.x, so anyone know how to configure the URL filtering profile to allow some subdomains (say companyA.sharepoint.com and companyA-myfiles.sharepoint.com) but not other sharepoint domain (*.sharepoint.com)
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTDCA0
Best regards
Alex Tsang
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-22-2022 07:44 AM
@alextsa There is no specific allow/block lists as such. You create a custom URL categories in "Objects > Custom Objects > URL Category". One for the custom URLs you like to block and one for allow. Then under your URL filtering profile, you assigned the required actions - block and alert respectively.
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-22-2022 07:56 AM
Note that block takes precedence over allow though, so a generic block *.sharepoint.com/ filter will block the company Sharepoint even though acme.sharepoint.com/ is in an allow URL category.
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-22-2022 08:04 AM
@batd2 Thanks, and I have tried to create two custom category - one is *.sharepoint.com and one contain companyA.sharepoint.com and companyA-myfiles.sharepoint.com, then added them to a URL filtering profile with block action for *.sharepoint.com and allow for companyA.sharepoint.com. But the result is all subdomain belongs to sharepoint.com are block even companyA one.
Best regards
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-22-2022 08:26 AM
Which PANOS are you running? As said above, generic block takes precedence over specific allow. See https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC .
The advise was to put your generic block in a block URL category, then in Objects -> Security Profiles -> URL Filtering add an allow in the Override tab for the specific URL. I recently upgraded from 8.1.x to a 9.1.x release and that entire tab seems to have disappeared... So I'm not quite sure how you would allow a more specific now...
- What expression to use to block/permit an entire website? in General Topics
- URL allow list for some of the subdomains in General Topics
- Custom URL Categories - ending tokens in General Topics
- Vulnerability - HSTS header does not contain includeSubDomains in Threat & Vulnerability Discussions
- GPVPN Split tunnel issue in GlobalProtect Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
