10-27-2017 10:56 AM
This should be relatively easy to do, as you would just create an additional policy specifically for that source with it's own custom URL Fitlering profile. What exactly are you trying to accomplish, and where are you running into issues if you've tried it already?
10-27-2017 11:19 AM - edited 10-27-2017 11:23 AM
I guess what I was wondering is if I just made a policy for source network > any > any and applied that very specific URL filter would it stop processing the policies after that one for hosts within that specific source network?
10-27-2017 11:28 AM
PA analyses security policies from top to bottom until it finds one that matches that session, once it finds a matching security policy that is the one it's going to utilize.
Not knowing how secure you are trying to make things or anything like that, I would say lock it down to whatever it is you want it to stop. If you create a URL filtering profile that includes a custom category such as 'Streaming Media' that you've created so that Netflix, Hulu, Sling and the like are all blocked at a URL level with a block action; it's likely that you don't really care what application or what service the traffic is using, you simply want to block all traffic. In that situation you'd probably be fine leaving application and service as 'any', as there really wouldn't be any other reason to communicate with those URLs.
10-27-2017 11:32 AM - edited 10-27-2017 11:32 AM
In this case I want to allow users on a certain subnet to access already blocked websites (IE no filtering whatsoever), so I assume this poicy would need to be at the top of the list? IE before all the policies that enforce URL filtering?
10-27-2017 11:35 AM
The policy would need to be placed before the rule that doesn't allow the user to access these websites. You can find this information by looking at the logs on the firewall, once you've verified what rule is actually blocking the traffic simply place the new rule above that one.
If you constantly find yourself putting things at the top of your security policies you're going to run into a situation where you'll start breaking things; it's best to identify the correct place for the policy and question and put the policy exactly where it needs to be at the beginning.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
