To those who've pitched in on this I say thanks ... we now have a working solution, although there was no single response that had a definitive answer due to a few caveats as I'll detail below.

A couple of observations about this topic:

1. A URL filtering license IS NOT required to create and administer specific user-defined URL filters.
2. Read and understand what can and cannot be done with URL filters and specifically wild cards (refer to help under: Objects > Security Profiles > URL Filtering). Pay special attention to the syntax.
3. When creating the policy be aware that binding the browser ports to 80/8080/443 as defined in the pre-defined 'service' (under Policies > Security > [your] Security Policy Rule > 'Service/URL Category') will break (as intended) any URL that needs to run on something other than one of these native ports (see explanation below).
4. Do not precede your filter definitions with 'http or https' (see number 2 above).
5. Do not attempt to include specific port numbers in your URL filter, as the command interpreter will accept this but it doesn't appear to work (use a wild card in place of the port number). <<< someone may want to double check me on this one >>>
6. A custom URL category to 'Block All' only need contain the single character " * ".
7. If you desire to allow only a specific (lengthy) URL and not everything 'upstream' (think of a directory structure), special care must be taken when creating not only what is allowed but what is denied.

What we did....

There are 4 basic steps:

1. Define the custom URL category for what is banned or blocked (Objects > Custom URL Category). " * " works if you want to block everything, or you can do something like " wiki.info.acme.com/* " .... this blocks everything below this high level URL (but what about exceptions? .. see # 2 below).
2. Create a new Security URL Profile (Objects > Security Profiles > URL Filtering). Call it something like 'URL Filter'. In the category field select the custom category you created in step 1 and ensure it is set to action = block. In my case I set all the categories to 'block' even though we don't have a URL filtering license.

   2a. While still in the URL filtering profile section, put the URL you want to allow in the 'Allow List' box on the left side of the dialogue box. These are the exceptions to what is blocked and take precedence over what is defined in the categories. Pay special attention to the syntax (see observations # 2 and 4 above).
3. Create a new policy to permit the special URL (Policies > Security). Call it 'Selective URL Permit'. In the application section you can select any, or 'web-browsing' if you want a bit more security. If your URL does not use native ports (80/8080/443) DO NOT select http/https as services under the 'Service/URL Category' tab. In the Actions tab select "URL Filter" as configured in step 2 above.
4. Commit the change.

What goofed us up in this was a combination of:

- not being sure the URL license was or was not needed;
- the fact that the URL we were working with did not use native ports;
- confusion over the 'service' function in the Security Policy Rule;
- syntax errors;
- uncertainty over how long a URL filter could be.

I hope this helps .. bottom line is we needed more clues to make it work and the time to experiment ... like most things, it was simple once we got past a few hurdles.

Dan
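As an added example (not part of Dan's post and not Palo Alto code), the syntax and port pitfalls listed in the post can be checked before committing with a small linter. The function names, finding labels and sample entries are hypothetical, and the explicit-port check encodes the observation the author asked others to double check.

```python
import re

# Ports the post names for the pre-defined http/https services.
NATIVE_PORTS = {80, 8080, 443}
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
PORT_RE = re.compile(r"^[^/]*:\d+(?=/|$)")  # host:1234 before the first slash


def lint_entry(entry):
    """Check one allow-list or custom-category entry against the post's notes."""
    problems, text = [], entry.strip()
    if SCHEME_RE.match(text):
        problems.append("scheme-prefix")   # observation 4: no http/https prefix
        text = SCHEME_RE.sub("", text, count=1)
    if PORT_RE.match(text):
        problems.append("explicit-port")   # observation 5 (author was unsure)
    return problems


def lint_service(url_port, service_ports):
    """Observation 3. service_ports is None when the rule does not pin ports."""
    if service_ports is None or url_port in service_ports:
        return []
    return ["service-excludes-port-%d" % url_port]


def lint_plan(allow_list, block_category, url_port, service_ports):
    """Collect every finding for a planned 'Selective URL Permit' setup."""
    findings = {}
    for entry in list(allow_list) + list(block_category):
        problems = lint_entry(entry)
        if problems:
            findings[entry] = problems
    rule_problems = lint_service(url_port, service_ports)
    if rule_problems:
        findings["<rule service>"] = rule_problems
    return findings


if __name__ == "__main__":
    # Constructed sample: a wiki on port 8443 with two badly written entries.
    plan = lint_plan(
        allow_list=["https://wiki.info.acme.com/docs/*",
                    "wiki.info.acme.com:8443/docs/*"],
        block_category=["*"],
        url_port=8443,
        service_ports=NATIVE_PORTS,
    )
    for item, problems in plan.items():
        print(item, "->", ", ".join(problems))
```
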