02-22-2022 06:48 AM
I want to limit the user to accessing the company's SharePoint only, but not SharePoint from other tenants or even the SharePoint from a personal account. Then I found the KB below (section 6), which shows how to use the allow list in the URL filtering profile to block *.sharepoint.com but allow company.sharepoint.com. But I cannot find the allow list section in PAN-OS 10.x, so does anyone know how to configure the URL filtering profile to allow some subdomains (say companyA.sharepoint.com and companyA-myfiles.sharepoint.com) but not other SharePoint domains (*.sharepoint.com)?
02-22-2022 07:44 AM
@alextsa There are no specific allow/block lists as such. You create custom URL categories in "Objects > Custom Objects > URL Category": one for the custom URLs you would like to block and one for those you want to allow. Then under your URL filtering profile, you assign the required actions, block and alert respectively.
02-22-2022 07:56 AM
Note that block takes precedence over allow though, so a generic block *.sharepoint.com/ filter will block the company Sharepoint even though acme.sharepoint.com/ is in an allow URL category.
02-22-2022 08:04 AM
@batd2 Thanks, and I have tried to create two custom categories: one is *.sharepoint.com and one contains companyA.sharepoint.com and companyA-myfiles.sharepoint.com. I then added them to a URL filtering profile with the block action for *.sharepoint.com and allow for companyA.sharepoint.com. But the result is that all subdomains belonging to sharepoint.com are blocked, even the companyA one.
02-22-2022 08:26 AM
Which PAN-OS are you running? As said above, a generic block takes precedence over a specific allow. See https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC .
The advice was to put your generic block in a block URL category, then in Objects -> Security Profiles -> URL Filtering add an allow in the Override tab for the specific URL. I recently upgraded from 8.1.x to a 9.1.x release and that entire tab seems to have disappeared... So I'm not quite sure how you would allow a more specific URL now...
02-22-2022 08:38 AM
I am using 10.0
02-22-2022 09:10 AM
Hi @alextsa ,
Have you looked at the "HTTP Header Insertion" feature - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/http-header-insertion - it might help you achieve what you want. However, it requires SSL decryption in order for the firewall to inspect HTTP headers.
A simpler solution would be to use custom URL categories:
- Create a custom URL category listing all the SharePoint sites you want to allow
- Use this URL category as the matching criteria for the allow rule (Service/URL tab in the GUI)
- Set a URL filtering profile for that rule that does not have any custom URL category (action set to none)
- Create a custom URL category listing any other SharePoint sites that you want to block (including the wildcard)
- Create a URL filtering profile and set the action to block for the above custom category
- Use this URL filtering profile in any other rule that allows generic internet access - that rule should be below the specific rule you create for allowing access to the specific SharePoint
I would recommend making the allow rule more specific by configuring destination addresses (you can get the internet IP ranges that MS uses for SharePoint).
02-22-2022 09:30 AM
I tried HTTP Header Insertion and the O365 Consumer and Enterprise Access App-IDs; they can help when the O365/SharePoint/OneDrive access needs to go through the login process. But they cannot control it when the user gets a SharePoint/OneDrive link that doesn't need a login, so we need to control it on the URL side to distinguish whether it is the company's tenant or not.
02-22-2022 03:39 PM
So this is extremely frustrating as it looks like PA has completely removed URL filtering overrides. In particular for me as I had multiple specific overrides which are now gone... I found a PA KB article on it here, but the resolution is completely wrong, as you have found out.
It seems like the only way to do it now would be create a Custom Object -> URL Category for the specific allow rule, create a Security policy allowing internet access and add that URL Category as a parameter in the Service/URL Category tab. Then create another Internet access rule with your general URL filtering setup that has the overall block. That is just a completely broken way to do it... I would open a support ticket and complain.
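To make the precedence behaviour concrete, here is a small constructed model (added for this thread, not Palo Alto code) of the two approaches described in the replies above: the single-profile attempt, where the block category wins over the allow category, and the two-rule design where a specific security rule matched on the allow category sits above the general internet rule that carries the blocking profile. Category names, hostnames and the glob-style wildcard matching are assumptions made for the illustration; the real URL engine's matching rules are not reproduced here.

```python
"""Constructed model of URL-category precedence and rule ordering.

Not PAN-OS code: it only mimics the behaviour the thread describes
(block beats allow inside one URL Filtering profile; security rules are
evaluated top-down, first match wins).  Wildcard entries are matched
with a shell-style glob on the hostname, which is an assumption.
"""
from fnmatch import fnmatch
from urllib.parse import urlparse

# Custom URL categories as described in the thread (sample values)
ALLOW_SHAREPOINT = ["companyA.sharepoint.com", "companyA-myfiles.sharepoint.com"]
BLOCK_SHAREPOINT = ["*.sharepoint.com"]


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased; empty string if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def in_category(url: str, category: list[str]) -> bool:
    """True if the URL's host matches any entry of the custom category.
    Entries are compared case-insensitively; '*' is a glob (assumption)."""
    host = host_of(url)
    return any(fnmatch(host, entry.lower()) for entry in category)


def single_profile_verdict(url: str) -> str:
    """The approach that failed in the thread: both categories live in one
    URL Filtering profile.  Block is checked first because it takes
    precedence, so the company tenant is blocked along with everyone else."""
    if in_category(url, BLOCK_SHAREPOINT):
        return "block"
    if in_category(url, ALLOW_SHAREPOINT):
        return "alert"          # allowed, logged
    return "allow"              # no custom-category entry applies


# Security rules, top to bottom.  'url_match' is the Service/URL Category
# criterion (None = any URL); 'profile_block' is the block list of the
# URL Filtering profile attached to the rule (empty = profile blocks nothing).
RULES_CORRECT = [
    {"name": "allow-company-sharepoint", "url_match": ALLOW_SHAREPOINT, "profile_block": []},
    {"name": "general-internet",         "url_match": None,             "profile_block": BLOCK_SHAREPOINT},
]
# Same rules with the generic rule on top: the specific rule is shadowed.
RULES_WRONG_ORDER = list(reversed(RULES_CORRECT))


def policy_verdict(url: str, rules: list[dict]) -> tuple[str, str]:
    """Walk the rulebase top-down; the first matching rule decides and its
    URL Filtering profile is applied.  Returns (verdict, rule name)."""
    for rule in rules:
        if rule["url_match"] is not None and not in_category(url, rule["url_match"]):
            continue                                 # criterion not met, next rule
        if in_category(url, rule["profile_block"]):
            return ("block", rule["name"])           # profile blocks this category
        return ("allow", rule["name"])
    return ("block", "interzone-default")            # implicit deny at the bottom


if __name__ == "__main__":
    samples = [
        "https://companyA.sharepoint.com/sites/hr",
        "https://companyA-myfiles.sharepoint.com/personal/user",
        "https://othertenant.sharepoint.com/sites/public",
        "https://www.example.com/",
    ]
    for u in samples:
        print(f"{host_of(u):40} one profile: {single_profile_verdict(u):5} "
              f"two rules: {policy_verdict(u, RULES_CORRECT)}  "
              f"wrong order: {policy_verdict(u, RULES_WRONG_ORDER)}")
```

Running it shows the symptom from the thread (the company tenant is blocked when both categories share one profile) and why the ordering advice matters: with the generic rule placed above the specific one, the specific allow rule never gets a chance to match.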