11-26-2012 03:19 PM
Does anyone know of an elegant way to handle the following:
We'd like to use Active Directory groups to be able to allow some users access to certain URL categories that we block for most users. We have a default URL filtering profile that is the most restrictive and then we want to have AD groups that we can use to open some categories to certain users as needed. My problem is with the following situation:
Let's say our default URL filtering profile blocks both Online-personal-storage and Auctions categories
Bob and John both need access to Auction sites and both will be added to an AD group 'Allow_Auctions'
Bob also needs access to Online-personal-storage sites but John does not so Bob will also be a member of an AD group 'Allow_Onlinestorage'
To add to this, Jane also needs access to Online-personal-storage sites but not Auction sites so she will be a member of 'Allow_Onlinestorage'
I might not be approaching this the best way, but since I have to set up policies for each of these URL filtering profiles (default, allow auctions, allow onlinestorage) I'm going to end up blocking Bob from the Online-personal-storage sites if he hits the Auction policy first. Is there some way to handle this situation that I'm just not thinking of?
11-26-2012 04:36 PM
This can be handled with two rules in addition to what you already have.
Rule Setup:
Rule Name | From Zone | To Zone | User (AD Group) | Category | Action | URL Profile |
---|---|---|---|---|---|---|
Auction-Override | Trust | Untrust | Allow_Auctions | Auctions | Allow | none |
Storage-Override | Trust | Untrust | Allow_Onlinestorage | Online-personal-storage | Allow | none |
Default | Trust | Untrust | ANY | ANY | Allow | deny-auction-and-storage |
This assumes:
What will happen?
For Bob going to:
Ebay: Hits the first rule and is allowed
Dropbox: Misses the first rule (the category doesn't match), hits the second rule and is allowed
paloaltonetworks.com: Misses the first two rules (category doesn't match) and is allowed
John going to:
Ebay: Hits the first rule and is allowed
Dropbox: Misses the first rule (wrong category), Misses the second rule (not in that AD group), hits the third rule and is denied
paloaltonetworks.com: Misses the first 2 rules (category mismatch) and is allowed
Jane going to:
Ebay: Misses the first rule (wrong AD group), misses the second rule (wrong category), hits the third rule and is denied
Dropbox: Misses the first rule (wrong category), hits the second rule and is allowed
paloaltonetworks.com: Misses the first two rules (category mismatch) and is allowed
Anyone else:
Ebay: Misses the first rule (ad group), second rule (category mismatch), hits the third rule and is denied (category deny)
Dropbox: Misses the first rule (category mismatch), misses the second rule (wrong ad group), hits the third rule and is denied (category deny)
paloaltonetworks.com: Misses the first two rules (category mismatch) and is allowed by the third rule
Hope this helps!
Greg Wesson
11-27-2012 06:13 AM
Any particular reason you chose to use the category in the security rule instead of setting up an allow-auction and an allow-storage URL profile?
Or, for that matter, shouldn't the first two rules have a URL profile where all categories are set to "alert" to get logging? Or is this automagically handled when you use the category column in the security rule?
11-27-2012 07:19 AM
Thanks! I was so stuck on the filtering profiles I forgot you can use these categories singularly in a rule. I'm going to give this a go. I think it will work great (when it does, I'll mark you up to Correct Answer as well)!
11-27-2012 07:22 AM
The problem I ran into using the URL profiles is that you can't really just have a profile with one category (or that I could find, maybe I didn't look hard enough at them). So you can allow, say, Auctions but then you have to do something with the Online Personal Storage category and if it's blocked, that will block the user (since the user already matched on the AD group). So Bob would end up being blocked for at least one of the categories that he needs to be allowed for. The logging is an interesting point, though, that I will need to verify or work on to make sure it happens.
11-27-2012 09:52 AM
You probably would want a profile that was created as an Alert action for Online-personal-storage and Auctions, because those two rules won't generate a URL log. I missed that when doing my quick mock-up.
You could also feasibly create a URL filter profile that alerts on one category (say, Auctions) but denies the "bad" categories and alerts on the "good" categories. I think it would end up being more difficult to manage than the one-off rules if you had a lot of exceptions for different users.
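As an added example (not code from the thread, and not a PAN-OS API), here is a small Python simulation of first-match security policy evaluation. It models three things: the profile-per-group layout the original poster described (one rule per AD group, each carrying a URL profile), which blocks Bob on Dropbox because the Auctions rule matches him first; the category-scoped override rules from the answer above, which let a non-matching category fall through to the next rule; and the logging caveat in this follow-up, where an override rule with no URL profile produces no URL filtering log while an alert-only profile does. Group membership, site-to-category mapping, category names and rule names are constructed for illustration; the logging behaviour assumed is that a URL profile action of alert or block writes a URL filtering log entry while allow does not.

```python
"""First-match security policy simulation for URL-category override rules.

Added example for this thread; constructed data, not a real configuration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: who is in which AD group, and what category a site falls in.
GROUPS = {
    "bob": {"Allow_Auctions", "Allow_Onlinestorage"},
    "john": {"Allow_Auctions"},
    "jane": {"Allow_Onlinestorage"},
    "alice": set(),  # "anyone else": in neither group
}
SITE_CATEGORY = {
    "ebay.com": "auctions",
    "dropbox.com": "online-personal-storage",
    "paloaltonetworks.com": "computer-and-internet-info",
}


@dataclass
class Rule:
    name: str
    user_group: Optional[str]   # None means ANY user
    category: Optional[str]     # None means ANY category (rule-level category match)
    action: str                 # "allow" or "deny"
    # URL profile: category -> "allow" | "alert" | "block". A missing category
    # behaves like "allow" (permitted, no URL log). Empty dict == profile "none".
    url_profile: dict = field(default_factory=dict)


@dataclass
class Verdict:
    rule: str
    allowed: bool
    url_logged: bool


def evaluate(rules, user, site):
    """Walk the rulebase top-down; the first rule whose user and category match decides."""
    cat = SITE_CATEGORY[site]
    for r in rules:
        if r.user_group is not None and r.user_group not in GROUPS[user]:
            continue
        if r.category is not None and r.category != cat:
            continue
        if r.action != "allow":
            return Verdict(r.name, False, False)  # rule-level deny: traffic log only
        # The rule permits the session; the attached URL profile now acts on the category.
        prof_action = r.url_profile.get(cat, "allow")
        if prof_action == "block":
            return Verdict(r.name, False, True)
        return Verdict(r.name, True, prof_action == "alert")
    return Verdict("<no match>", False, False)


DENY_BOTH = {"auctions": "block", "online-personal-storage": "block"}

# Layout 1: one rule per AD group, each with a profile that opens only that
# group's category. Bob is in both groups, so the Auctions rule matches him
# first and its profile then blocks online-personal-storage.
PROFILE_BASED = [
    Rule("Auctions-Users", "Allow_Auctions", None, "allow",
         {"auctions": "alert", "online-personal-storage": "block"}),
    Rule("Storage-Users", "Allow_Onlinestorage", None, "allow",
         {"online-personal-storage": "alert", "auctions": "block"}),
    Rule("Default", None, None, "allow", DENY_BOTH),
]

# Layout 2: the override rules match on the category itself with no URL
# profile, so a Dropbox request from Bob skips the Auction rule entirely.
CATEGORY_RULES = [
    Rule("Auction-Override", "Allow_Auctions", "auctions", "allow"),
    Rule("Storage-Override", "Allow_Onlinestorage", "online-personal-storage", "allow"),
    Rule("Default", None, None, "allow", DENY_BOTH),
]

# Layout 3: same as layout 2, but the override rules carry an alert-only
# profile so the permitted hits still generate a URL filtering log entry.
ALERT_PROFILE = {"auctions": "alert", "online-personal-storage": "alert"}
CATEGORY_RULES_LOGGED = [
    Rule("Auction-Override", "Allow_Auctions", "auctions", "allow", ALERT_PROFILE),
    Rule("Storage-Override", "Allow_Onlinestorage", "online-personal-storage", "allow", ALERT_PROFILE),
    Rule("Default", None, None, "allow", DENY_BOTH),
]


def matrix(rules):
    """Return {(user, site): allowed} for every constructed user and site."""
    return {(u, s): evaluate(rules, u, s).allowed for u in GROUPS for s in SITE_CATEGORY}


if __name__ == "__main__":
    for label, rules in (("profile-per-group", PROFILE_BASED),
                         ("category override", CATEGORY_RULES),
                         ("category override + alert", CATEGORY_RULES_LOGGED)):
        print(f"== {label} ==")
        for u in GROUPS:
            for s in SITE_CATEGORY:
                v = evaluate(rules, u, s)
                print(f"{u:6} {s:22} {v.rule:18} allowed={v.allowed!s:5} url_log={v.url_logged}")
```

Running it shows the difference the thread is about: under the profile-per-group layout Bob is denied dropbox.com by the Auctions-Users rule, while under the category-override layout every request lands on the rule the answer above predicts, and only the alert-profile variant records a URL log for the permitted override hits.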