01-26-2011 01:23 PM
So I have a need to block almost all internet access for a certain group of folks. They are in a warehouse and only need access to a few websites (time clock, shipping sites, etc) related to their jobs.
How I'm doing this currently is to use a Active Directory policy and forcing a non-existant proxy server and then using the exceptions list to allow access to those few sites. I'd like to look at using the Palo Alto box for this instead of the AD policy.
My first attempt was to create URL filtering profile that blocked all catagories and then use the "allow list sites" area to give them access to those sites. I then tied that profile to a policy that get's applied to an Active Directory group. It seems kind of hit or miss so far, some of the catagories get blocked some don't (ESPN.com is one). Am I doing this right?
01-27-2011 01:26 AM
Hi,
I have tried to duplicate your problem (PAN-OS 3.1.7) but I could not. espn.com got blocked with an URL Filtering profile where all categories set to block and a few entries in the allow list.
rgds
Roland
01-27-2011 11:43 AM
It's still kind of hit and miss, we're running 3.1.4 code (and from the post I've seen in the forums I may wait for the 3.1.8 code 
) but I think part of it is the fact that these folks are on a Citrix / TS server that does not have the agent installed (the servers are x64 and there isn't an x64 agent out yet).
Since I'm using a policy to apply this URL Profile to an Active Directory group I'm wondering if that doesn't have something to do with it's effectiveness.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
