URL Filtering by group if user lives in multiple groups

Not applicable

Does anyone know of an elegant way to handle the following:

We'd like to use Active Directory groups to be able to allow some users access to certain URL categories that we block for most users. We have a default URL filtering profile that is the most restrictive and then we want to have AD groups that we can use to open some categories to certain users as needed. My problem is with the following situation:

Let's say our default URL filtering profile blocks both Online-personal-storage and Auctions categories

Bob and John both need access to Auction sites and both will be added to an AD group 'Allow_Auctions'

Bob also needs access to Online-personal-storage sites but John does not so Bob will also be a member of an AD group 'Allow_Onlinestorage'

To add to this, Jane also needs access to Online-personal-storage sites but not Auction sites so she will be a member of 'Allow_Onlinestorage'

I might not be approaching this the best way, but since I have to set up policies for each of these URL filtering profiles (default, allow auctions, allow onlinestorage) I'm going to end up blocking Bob from the Online-personal-storage sites if he hits the Auction policy first. Is there some way to handle this situation that I'm just not thinking of?


Accepted Solutions
L7 Applicator

This can be handled with two rules in addition to what you already have.

Rule Setup:

Rule Name          From Zone  To Zone  User (AD Group)      Category                 Action  URL Profile
Auction-Override   Trust      Untrust  Allow_Auctions       Auctions                 Allow   none
Storage-Override   Trust      Untrust  Allow_Onlinestorage  Online-personal-storage  Allow   none
Default            Trust      Untrust  ANY                  ANY                      Allow   deny-auction-and-storage

This assumes:

  • Group "Allow_Auctions" contains Bob & John
  • Group "Allow_Onlinestorage" contains Bob & Jane
  • The "deny-auction-and-storage" URL Filtering profile is denying both the Auction and the Online-personal-storage categories
  • You have already added both "Allow_Auctions" and "Allow_Onlinestorage" AD groups to the User-ID Group Mapping configuration so the firewall knows to grab those mappings

What will happen?

For Bob going to:

Ebay: Hits the first rule and is allowed

Dropbox: Misses the first rule (the category doesn't match), hits the second rule and is allowed

paloaltonetworks.com: Misses the first two rules (category doesn't match) and is allowed

John going to:

Ebay: Hits the first rule and is allowed

Dropbox: Misses the first rule (wrong category), misses the second rule (not in that AD group), hits the third rule and is denied

paloaltonetworks.com: Misses the first two rules (category mismatch) and is allowed

Jane going to:

Ebay: Misses the first rule (wrong AD group), misses the second rule (wrong category), hits the third rule and is denied

Dropbox: Misses the first rule (wrong category), hits the second rule and is allowed

paloaltonetworks.com: Misses the first two rules (category mismatch) and is allowed

Anyone else:

Ebay: Misses the first rule (AD group) and the second rule (category mismatch), hits the third rule and is denied (category deny)

Dropbox: Misses the first rule (category mismatch), misses the second rule (wrong AD group), hits the third rule and is denied (category deny)

paloaltonetworks.com: Misses the first two rules (category mismatch) and is allowed by the third rule

Hope this helps!

Greg Wesson


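A first-match simulator of the rule ordering in this answer, added here as an illustration and not taken from the thread or from any vendor code: the users, group memberships, site-to-category mapping and profile names are constructed from the thread, zones are omitted, and the original poster's one-profile-per-group approach is modelled alongside the override rules to show why the former blocks Bob and the latter does not.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed AD group membership, as assumed in the answer above
GROUPS = {
    "Allow_Auctions": {"bob", "john"},
    "Allow_Onlinestorage": {"bob", "jane"},
}
# Constructed site -> URL category mapping (category names from the thread)
CATEGORY = {
    "ebay.com": "Auctions",
    "dropbox.com": "Online-personal-storage",
    "paloaltonetworks.com": "computer-and-internet-info",
}
# URL filtering profiles: category -> action; an unlisted category is allowed.
# The two "allow-*" profiles model the original poster's one-profile-per-group idea.
PROFILES = {
    "deny-auction-and-storage": {"Auctions": "block", "Online-personal-storage": "block"},
    "allow-auctions": {"Online-personal-storage": "block"},
    "allow-onlinestorage": {"Auctions": "block"},
}
@dataclass
class Rule:
    name: str
    group: Optional[str] = None     # None means any user
    category: Optional[str] = None  # None means any category
    profile: Optional[str] = None   # None means no URL profile attached
def first_match(rules, user, site):
    """Top-down, first-match evaluation. Returns (rule name, verdict)."""
    cat = CATEGORY[site]
    for r in rules:
        if r.group and user not in GROUPS[r.group]:
            continue
        if r.category and r.category != cat:
            continue
        # Rule matched: the attached profile (if any) decides the verdict
        verdict = PROFILES[r.profile].get(cat, "allow") if r.profile else "allow"
        return r.name, verdict
    return None, "block"  # no rule matched: implicit deny
# Original approach: one profile-based rule per group, matched on the user only
PER_GROUP = [
    Rule("Allow-Auctions", group="Allow_Auctions", profile="allow-auctions"),
    Rule("Allow-Storage", group="Allow_Onlinestorage", profile="allow-onlinestorage"),
    Rule("Default", profile="deny-auction-and-storage"),
]
# Accepted solution: category-specific override rules placed above the default
OVERRIDES = [
    Rule("Auction-Override", group="Allow_Auctions", category="Auctions"),
    Rule("Storage-Override", group="Allow_Onlinestorage", category="Online-personal-storage"),
    Rule("Default", profile="deny-auction-and-storage"),
]
```

first_match(PER_GROUP, "bob", "dropbox.com") returns ("Allow-Auctions", "block"), which is exactly the problem the question describes, while the same lookup against OVERRIDES returns ("Storage-Override", "allow").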

All Replies
L6 Presenter

Any particular reason you chose to use the category in the security rule instead of setting up an allow-auction and allow-storage URL profile?

Or for that matter... shouldn't the first two rules have a URL profile where all categories are set to "alert" to get logging? Or is this automagically handled when you use the category column in the security rule?

Not applicable

Thanks! I was so stuck on the filtering profiles I forgot you can use these categories singularly in a rule. I'm going to give this a go. I think it will work great (when it does, I'll mark you up to Correct Answer as well)!

Not applicable

The problem I ran into using the URL profiles is that you can't really just have a profile with one category (or that I could find, maybe I didn't look hard enough at them). So you can allow, say, Auctions but then you have to do something with the Online Personal Storage category and if it's blocked, that will block the user (since the user already matched on the AD group). So Bob would end up being blocked for at least one of the categories that he needs to be allowed for. The logging is an interesting point, though, that I will need to verify or work on to make sure it happens.

L7 Applicator

You probably would want a profile that was created as an Alert action for Online-personal-storage and Auctions, because those two rules won't generate a URL log. I missed that when doing my quick mock-up.

You could also feasibly create a URL filter profile that alerts on one category (say, Auctions) but denies the "bad" categories and alerts on the "good" categories. I think it would end up being more difficult to manage than the one-off rules if you had a lot of exceptions for different users.
