10-21-2022 12:46 PM
We currently block access to online storage using URL Filtering and make exemptions for online-storage sites like Sharefile using a custom URL Category with the list of URLs that we want to exempt. However, this setup lets everyone in the company have access to Sharefile. I am trying to figure out a way to make Sharefile access depend on the user instead of being accessible to everyone.
I deleted *.sharefile.com from my exemption list and created a security policy that allows the internal source and a list of users, with Destination set to any, Application "sharefile" with default application, and a Service/URL Category of the custom category "Sharefile Domains" that contains the needed URLs for Sharefile. I have this policy on top. However, when I try to access the site, the URL filter is still blocking.
Thoughts? Thanks for all the help!
10-21-2022 04:35 PM - edited 10-21-2022 04:43 PM
So there are a few different ways of doing this depending on how your security rules and URL filtering are set up. It sounds like you have created a URL-based security rule, but have not unblocked URL filtering or added a separate category in different filters to allow it. Allowing this exception also requires that you have UserID and Decryption running effectively (decryption not so much, as for domain-wide you can probably get away with just SNI detection).
This is how we do it with allowing specific users to access Dropbox/Facebook/etc. where general users are blocked. First, you should have a custom URL Category for your target site. Be sure to add terminating "/" to prevent unintended expansion to other URLs. You may also want to have additional custom URL Categories for things to always allow/block in all cases:
Objects -> Custom Objects -> URL Category
Name = Sharefile-Allow
sharefile.com/
*.sharefile.com/
Your general corporate-wide URL Filtering rule should have your new custom URL Category set to "none". Set "online-storage-and-backup" to "block":
Objects -> Security Profiles -> URL Filtering
Name = Corp-Filtering
ᐁ Custom URL Categories:
CorpAlwaysAllow = allow,allow
CorpAlwaysBlock = block,block
Sharefile-Allow = none,none
....
ᐁ Predefined Categories
...
online-storage-and-backup = block,block
...
Now create a new URL Filtering rule that will be for your allowed users to a specific site. Keep the online-storage-and-backup category set to "block" to block non-targeted sites. (You can do this as either a combined rule with many allowed custom URL Categories or a single allowed category; we find having individual URL Filtering rules easier when dealing with many overlapping users who have different exceptions for different sites):
Objects -> Security Profiles -> URL Filtering
Name = Sharefile-Filtering
ᐁ Custom URL Categories:
CorpAlwaysAllow = allow,allow
CorpAlwaysBlock = block,block
Sharefile-Allow = allow,allow
....
ᐁ Predefined Categories
...
online-storage-and-backup = block,block
...
Your existing users should have a general outbound Internet rule which applies your standard URL filtering and data inspection rules. This will block all online-storage-and-backup by default:
Policies -> Security
Name = InternetAccess
SrcZone = Trust
SrcAddr = CorpIPs,VPNIPs
SrcUser = any
DstZone = Untrust
Service/URL = any
Action = Allow, URLFiltering=Corp-Filtering
Now create a new Security Policy for your users with a special site exception. You can do this with or without the service/URL category; however, I strongly recommend using the service/URL, as this will restrict the rule to only being used when the allowed user is visiting the particular site being allowed. Otherwise the user will sometimes use the general internet rule and sometimes use the special allow rule (for non-sharefile.com destinations), which can make reviewing logs a bit confusing (i.e. the special rule being used for google.com traffic as well):
Policies -> Security
Name = InternetAccess-Sharefile
SrcZone = Trust
SrcAddr = CorpIPs,VPNIPs
SrcUser = Alice,Bob,David
DstZone = Untrust
Service/URL = Sharefile-Allow
Action = Allow, URLFiltering=Sharefile-Filtering
Now when Alice, Bob, or David go to sharefile.com, their traffic will match the "InternetAccess-Sharefile" Security Policy and be filtered by the "Sharefile-Filtering" URL Filter, allowing the custom "Sharefile-Allow" site list. If Carol or Eve try to go to sharefile.com they will not match the user list, so they will default to the "InternetAccess" Security Policy and be filtered by "Corp-Filtering". When Alice, Bob, Carol, David, and Eve go to google.com, they again won't match the special rule URL list and will default to "InternetAccess". You can go on and add further specific Security Policies and filter rules for more sites (Facebook, Twitter, etc.) to allow individual users to specific sites, where the corporate-wide policy is to block.
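The matching logic the answer walks through, as an added model that is not part of the original thread and not PAN-OS code: ordered security policies matched on user plus custom URL category, then the selected URL Filtering profile consulting custom categories before predefined ones. The category database, user names and hostnames are constructed sample data; the trailing-"/" handling is a simplified stand-in for the expansion behaviour the answer warns about.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed sample data mirroring the thread's configuration.
CUSTOM_CATEGORIES = {
    "Sharefile-Allow": ["sharefile.com/", "*.sharefile.com/"],
}
# Constructed stand-in for the vendor's predefined category database.
PREDEFINED = {"sharefile.com": "online-storage-and-backup",
              "www.google.com": "search-engines"}
PROFILES = {
    "Corp-Filtering":      {"Sharefile-Allow": "none",  "online-storage-and-backup": "block"},
    "Sharefile-Filtering": {"Sharefile-Allow": "allow", "online-storage-and-backup": "block"},
}
# Ordered security policies: first match wins, so the exception rule sits on top.
POLICIES = [
    {"name": "InternetAccess-Sharefile", "users": {"Alice", "Bob", "David"},
     "url_category": "Sharefile-Allow", "profile": "Sharefile-Filtering"},
    {"name": "InternetAccess", "users": "any", "url_category": "any",
     "profile": "Corp-Filtering"},
]

def host_matches(host, pattern):
    """A trailing '/' pins the entry to that host (plus wildcard subdomains);
    without it the entry acts as a prefix, so 'sharefile.com' would also hit
    'sharefile.community', the unintended expansion the answer warns about."""
    if pattern.endswith("/"):
        return fnmatch(host, pattern[:-1])
    return host.startswith(pattern)

def in_custom_category(host, category):
    return any(host_matches(host, p) for p in CUSTOM_CATEGORIES.get(category, []))

def profile_action(profile, host):
    # Custom categories are consulted first; 'none' defers to the predefined category,
    # which is why Corp-Filtering still blocks sharefile.com (the poster's symptom).
    for cat in CUSTOM_CATEGORIES:
        action = PROFILES[profile].get(cat, "none")
        if action != "none" and in_custom_category(host, cat):
            return action
    return PROFILES[profile].get(PREDEFINED.get(host, "unknown"), "allow")

def evaluate(user, url):
    """Return (matched security policy, URL-filtering verdict) for one request."""
    host = urlsplit(url).hostname
    for pol in POLICIES:
        if pol["users"] != "any" and user not in pol["users"]:
            continue
        if pol["url_category"] != "any" and not in_custom_category(host, pol["url_category"]):
            continue
        return pol["name"], profile_action(pol["profile"], host)
    return None, "block"  # no rule matched: implicit deny
```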
10-24-2022 08:25 AM
Thanks Adrian! This solution worked and is very helpful. (I was close. Just missing the last 3 steps. lol!) Cheers!