11-17-2022 04:57 PM
For our isolated network I need to block all devices from using the internet, but I need to access services like MS updates, Sophos, etc. that require SSL for a couple of servers. When applying policies with the required application, these require SSL/web-browsing.
We are having trouble finding a workaround.
The IPs are dynamic, so nailing down the exact IPs seems futile. We tried to apply the URLs or wildcard addresses for these services in a URL group in the policy, but this still allows internet to these servers.
Any suggestions are appreciated.
Using Panorama 10.1.6 with firewall PA-440 and other sites with PA-410
11-17-2022 08:13 PM - edited 11-17-2022 08:16 PM
Hello, you can create a policy allowing the apps ssl, web-browsing, and the Microsoft Update app (Microsoft Update uses port 80/443), and create a custom URL category with the allowed Microsoft Update subdomains; put that URL category in the security policy.
Microsoft Update subdomains/FQDN:
With that, only allow ssl/https and the Microsoft Update app to the destination for the Microsoft Update services. You can do the same for Sophos.
Of course it will allow the servers access to the Internet, but only to the destinations in the custom URL category, and nothing else. Additionally, to protect them, add security profiles to the policy. And then with another rule close all the rest of the servers' access: a total deny of all the rest, and above it the policy allowing ms-update, web-browsing and ssl only to the URLs in question (ms-update and Sophos).
Cheers
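The two-rule layout described in the reply above, written out as PAN-OS set commands (an added illustration, not configuration from the thread; the zone, rule and category names, the server addresses and the FQDNs are placeholders, and the exact command syntax should be checked against your PAN-OS version):

```text
# Custom URL category holding only the update destinations.
# The FQDNs below are placeholders; substitute the vendor-published update hostnames.
set profiles custom-url-category Update-Services-URLs type "URL List"
set profiles custom-url-category Update-Services-URLs list [ "*.update-vendor-a.example" "*.update-vendor-b.example" ]

# Rule 1 (must be ordered above the deny): only the patch apps, only to those URLs, on default ports.
# 10.0.0.10 and 10.0.0.11 stand in for the two servers that need updates.
set rulebase security rules Allow-Update-Services from Isolated to Untrust
set rulebase security rules Allow-Update-Services source [ 10.0.0.10 10.0.0.11 ]
set rulebase security rules Allow-Update-Services destination any
set rulebase security rules Allow-Update-Services application [ ssl web-browsing ms-update ]
set rulebase security rules Allow-Update-Services service application-default
set rulebase security rules Allow-Update-Services category Update-Services-URLs
set rulebase security rules Allow-Update-Services action allow
set rulebase security rules Allow-Update-Services log-end yes

# Rule 2: everything else from the isolated zone to the internet is denied and logged.
set rulebase security rules Deny-Isolated-Internet from Isolated to Untrust
set rulebase security rules Deny-Isolated-Internet source any
set rulebase security rules Deny-Isolated-Internet destination any
set rulebase security rules Deny-Isolated-Internet application any
set rulebase security rules Deny-Isolated-Internet service any
set rulebase security rules Deny-Isolated-Internet action deny
set rulebase security rules Deny-Isolated-Internet log-end yes
```

Without SSL decryption the category match for the ssl application is made on the TLS SNI or certificate name, so the explicit deny rule is what actually closes everything else; the traffic log entries for Deny-Isolated-Internet show which sessions the servers still attempt.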
11-18-2022 05:14 AM
Thank you for the quick reply. I will be working on this today and let you know how it goes. Thank you!
11-21-2022 05:18 AM
Worked great! Much appreciated.