Create Security Policy Allowing Access to Sharefile based on User while URL filtering is blocking "Online-storage-and-Backup".

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Create Security Policy Allowing Access to Sharefile based on User while URL filtering is blocking "Online-storage-and-Backup".

L0 Member

We currently block access to Online storage using URL Filtering and make exemptions to online-storage sites like Sharefile using custom URL Category with list of URLs that we want to exempt.  However, this setup lets everyone in the company have access to Sharefile.  I am trying to figure out a way to instead of Sharefile being accessible to everyone, it will be based on the user.

 

I deleted the *.sharefile.com from my exemption list and created a security policy that allows the internal source and a list of users with Destination to any, Application "sharefile" with default application and Service/URL Category of custom category "Sharefile Domains" that contains the needed URLs for Sharefile.  I have this policy on top.  However, when I try to access, URL filter is still blocking.  

 

Thoughts?  Thanks for all the help!

1 accepted solution

Accepted Solutions

L6 Presenter

So there are a few different ways of doing this depending on how your security rules and URL filtering are setup. It sounds like you have created a URL based security rule, but have not unblocked URL filtering or added a separate category in different filters to allow. Allowing this exception also requires that you have UserID and Decryption running effectively (decryption not so much as for domain-wide you can probably get away with just SNI detection).

 

This is how we do it with allowing specific users to access Dropbox/Facebook/etc. where general users are blocked. First, you should have a custom URL Category for your target site. Be sure to add terminating "/" to prevent unintended expansion to other URLs. You may also want to have additional custom URL Categories for things to always allow/block in all cases:

Objects -> Custom Objects -> URL Category

Name = Sharefile-Allow

sharefile.com/

*.sharefile.com/

 

Your general corporate-wide URL Filtering rule should have your new custom URL Category set to "none".  Set "online-storage-and-backup" to "block":

Objects -> Security Profiles -> URL Filtering

Name = Corp-Filtering

ᐁ Custom URL Categories:

CorpAlwaysAllow = allow,allow

CorpAlwaysBlock = block,block

Sharefile-Allow = none,none

....

ᐁ Predefined Categories

...

online-storage-and-backup = block,block

...

 

Now create a new URL Filtering rule that will be for your allowed users to a specific site. Keep the online-storage-and-backup category set to "block" to block non-targeted sites. (You can do this as either a combined rule with many allowed custom URL Categories or a single allowed category, we find having individual URL Filtering rules easier when dealing with many overlapping users who have different exceptions for different sites):

Objects -> Security Profiles -> URL Filtering

name = Sharefile-Filtering

ᐁ Custom URL Categories:

CorpAlwaysAllow = allow,allow

CorpAlwaysBlock = block,block

Sharefile-Allow = allow,allow

....

ᐁ Predefined Categories

...

online-storage-and-backup = block,block

...

 

Your existing users should have a general outbound Internet rule which applies your standard URL filtering and data inspection rules. This will block all online-storage-and-backup by default:

Policies -> Security

Name = InternetAccess

SrcZone = Trust

SrcAddr = CorpIPs,VPNIPs

SrcUser = any

DstZone = Untrust

Service/URL = any

Action = Allow, URLFiltering=Corp-Filtering

 

Now create a new Security Policy for your users with a special site exception. You can do this with or without the service/URL category, however I strongly using the service/URL as this will restrict the rule to only being used when the allowed user is visiting the particular site being allowed. Otherwise the user will sometimes use the general internet rule and sometimes use the special allow rule (for non siharefile.com destinations), which can make reviewing logs a bit confusing (i.e. the special rule being used for google.com traffic as well):

Policies -> Security

Name = InternetAccess-Sharefile

SrcZone = Trust

SrcAddr = CorpIPs,VPNIPs

SrcUser = Alice,Bob,David

DstZone = Untrust

Service/URL = Sharefile-Allow

Action = Allow, URLFiltering=Sharefile-Filtering

 

Now when Alice, Bob, or David go to sharefile.com, their traffic will match the "InternetAccess-Sharefile" Security Policy and be filtered by the "Sharefile-Filtering" URL Filter, allowing the custom "Sharefile-Allow" site list. If Carol or Eve try to go to sharefile.com they will not match the user list, so they will default to the "InternetAccess" Security Policy and be filtered by "Corp-Filtering". When Alice, Bob, Carol, David, and Eve go to google.com, they again won't match the special rule URL list and will default to "InternetAccess". You can go on and add further specific Security Policies and filter rules for more sites (Facebook, Twitter, etc.) to allow individual users to specific sites, where the corporate-wide policy is to block.

View solution in original post

2 REPLIES 2

L6 Presenter

So there are a few different ways of doing this depending on how your security rules and URL filtering are setup. It sounds like you have created a URL based security rule, but have not unblocked URL filtering or added a separate category in different filters to allow. Allowing this exception also requires that you have UserID and Decryption running effectively (decryption not so much as for domain-wide you can probably get away with just SNI detection).

 

This is how we do it with allowing specific users to access Dropbox/Facebook/etc. where general users are blocked. First, you should have a custom URL Category for your target site. Be sure to add terminating "/" to prevent unintended expansion to other URLs. You may also want to have additional custom URL Categories for things to always allow/block in all cases:

Objects -> Custom Objects -> URL Category

Name = Sharefile-Allow

sharefile.com/

*.sharefile.com/

 

Your general corporate-wide URL Filtering rule should have your new custom URL Category set to "none".  Set "online-storage-and-backup" to "block":

Objects -> Security Profiles -> URL Filtering

Name = Corp-Filtering

ᐁ Custom URL Categories:

CorpAlwaysAllow = allow,allow

CorpAlwaysBlock = block,block

Sharefile-Allow = none,none

....

ᐁ Predefined Categories

...

online-storage-and-backup = block,block

...

 

Now create a new URL Filtering rule that will be for your allowed users to a specific site. Keep the online-storage-and-backup category set to "block" to block non-targeted sites. (You can do this as either a combined rule with many allowed custom URL Categories or a single allowed category, we find having individual URL Filtering rules easier when dealing with many overlapping users who have different exceptions for different sites):

Objects -> Security Profiles -> URL Filtering

name = Sharefile-Filtering

ᐁ Custom URL Categories:

CorpAlwaysAllow = allow,allow

CorpAlwaysBlock = block,block

Sharefile-Allow = allow,allow

....

ᐁ Predefined Categories

...

online-storage-and-backup = block,block

...

 

Your existing users should have a general outbound Internet rule which applies your standard URL filtering and data inspection rules. This will block all online-storage-and-backup by default:

Policies -> Security

Name = InternetAccess

SrcZone = Trust

SrcAddr = CorpIPs,VPNIPs

SrcUser = any

DstZone = Untrust

Service/URL = any

Action = Allow, URLFiltering=Corp-Filtering

 

Now create a new Security Policy for your users with a special site exception. You can do this with or without the service/URL category, however I strongly using the service/URL as this will restrict the rule to only being used when the allowed user is visiting the particular site being allowed. Otherwise the user will sometimes use the general internet rule and sometimes use the special allow rule (for non siharefile.com destinations), which can make reviewing logs a bit confusing (i.e. the special rule being used for google.com traffic as well):

Policies -> Security

Name = InternetAccess-Sharefile

SrcZone = Trust

SrcAddr = CorpIPs,VPNIPs

SrcUser = Alice,Bob,David

DstZone = Untrust

Service/URL = Sharefile-Allow

Action = Allow, URLFiltering=Sharefile-Filtering

 

Now when Alice, Bob, or David go to sharefile.com, their traffic will match the "InternetAccess-Sharefile" Security Policy and be filtered by the "Sharefile-Filtering" URL Filter, allowing the custom "Sharefile-Allow" site list. If Carol or Eve try to go to sharefile.com they will not match the user list, so they will default to the "InternetAccess" Security Policy and be filtered by "Corp-Filtering". When Alice, Bob, Carol, David, and Eve go to google.com, they again won't match the special rule URL list and will default to "InternetAccess". You can go on and add further specific Security Policies and filter rules for more sites (Facebook, Twitter, etc.) to allow individual users to specific sites, where the corporate-wide policy is to block.

Thanks Adrian! This solution worked and is very helpful. (I was close.  Just missing the last 3 steps.  lol!)  Cheers!

  • 1 accepted solution
  • 2013 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!