This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Block URLs with exceptions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Block URLs with exceptions

itserviceHEWA
L1 Bithead

‎03-25-2024 01:51 AM

Hello everyone,


my name is Phil and I am in charge of the network structure in a municipal utility with 2 other people. We have 2 PA-3220s with software version 11.0.2-h2 and several PA-400s in use.

We are faced with the following problem:
We want to block the entire Internet for one user (Active Directory is connected to Palo Alto), except for 2 domains
- https://www.wetter.com/
- https://www.radio.de/
We were able to help ourselves with the following KB entry:
https://live.paloaltonetworks.com/t5/general-topics/how-do-i-block-all-url-traffic-but-a-select-few/...
This works so far, all websites are blocked except these two. However, we are faced with the following problem: the URLs use embedded links that point to a wide variety of pages, but these are of course blocked by the firewall.
Now to the question, do I have the possibility to unblock everything that is embedded on the original page without entering all links manually?
The required links change and would have to be checked again and again, which would not be profitable in this case.

Perhaps someone has already faced this problem and has an idea?

 

Best regards

Phil

0 Likes Likes
2 REPLIES 2

Adrian_Jensen
L6 Presenter

‎03-25-2024 12:08 PM

I am not aware of any option in the PA that will allow you to automatically except URLs/FQDNs within an allowed website, but keep those blocked when referenced from outside the website.

 

With the way many current websites include resources from all different sources, allowing to very restricted web access that fully loads can be difficult. You often have to allow broader access to CDN/scripting domains to get things to fully render. Not really shown in the article you referenced, you can use regex filters (limited syntax) in your URL Categories for filtering/matching.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM79CAE

 

Also important to remember order of precedence in URL filtering: block before allow, custom before built-in. So anything blocked in a custom regex will still be blocked, even when there is a more specific allow rule.

https://live.paloaltonetworks.com/t5/general-topics/understanding-url-filtering-order-url-filtering-...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC

 

0 Likes Likes

itserviceHEWA
L1 Bithead

‎03-27-2024 11:18 PM

Thank you for your detailed post and the corresponding link.

 

We wonder how other companies solve this, or whether this situation is outdated in times of smartphones and unlimited data volume 😉

0 Likes Likes
  • 1219 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks