07-25-2023 11:17 PM
Hello everyone,
I have a requirement to adjust security policies in a way that only "white list" logic is enabled, and for one specific rule I have to allow only the low-risk category of given url category, for example training-and-tools, and not high-risk and medium-risk. However, the rule should not block the medium and high risk of training-and-tools eiher, as below there might be a policy for that allow the access. The problem is, if I write the policy and add URL categories of training and low-risk, it applies the "or" logic, which means that it will allow the high-and medium risks of training, and all the other categories matched as low-risk as well (tried in practice, works as described). And if I use URL Filtering profile and define high-risk and medium-risk action as block, it will block the category, which achieves the goal of allowing only low-risk of the website, but ignores the requirement just whitelisting, meaning if I have a policy below that allows access to that specific website, I will not hit that policy as I am being blocked from the above. What are the recommended solutions for this kind of issue? How do you usually deal with that? Any hint is appreciated, cause I am sure there should be a way that this works but I can't see it.
07-26-2023 07:22 AM
Hello Shams.G,
I invite you to check the PANCast Episode 3, you will get some element of response in it.
Hope that helps.
Olivier
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
07-26-2023 11:42 PM
Dear Ozheng,
thanks for yor reply and the article, however that is not what I was looking for. In practice I have set up and worked with both URL Filtering profiles and URL categories, but here I need to have not "or" but "and" logic, to allow only low-risk of training category. Do you have any specific advice on how can I achieve that?
07-27-2023 09:21 AM
From PANCast Episode 3 - Transcript.
”When you add either a pre-defined or custom URL category to the Service/URL category in the security policy, this is the same as adding a source IP or a service port. This is used for traffic to match that security policy. So, the same as a source IP, if the traffic does not match the URL you have specified it just continues down the security policy to find a match. The key here is the URL the client is requesting is not logged if the traffic does not even match that policy. ”
You put one category in match condition, you put the second category in a URL profile, you got your AND.
Olivier
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
