About PSC_IT

Thanks, I'm using the User-ID Agent version 4.1.4-3.  I have both of those documents and looked through them, but didn't see anything about the group update rate.  BUT, going back again, I see there was a small section about the update rate in the Upgrade Tech Notes and I guess I completely missed it.  Oops. Anyways, thanks for the info....especially that CLI command since I have been using the web interface, I wouldn't have known about that CLI command. ... View more

Thanks for the info. I am currently running version 4.1.6 on my Palo Alto firewall.  I just changed the Update Interval to 60 seconds (the lowest possible value allowed) for the Group Mapping settings, so hopefully that will speed up the refresh process. One question about the method to force a refresh:  What effect will this have on the Palo Alto and its functionality?  Will it only affect the user-ID process, or are there any other side-effects?  About how long does it take for the User-ID process to restart once the command is issued?  And finally, is there a GUI version of the command or is it only CLI? Thanks again for the help. ... View more

True, I forgot about that part of Facebook....something for me to modify tomorrow :smileymischief: ... View more

That's very true if you want to allow limited access to Facebook/Twitter (i.e. look, but don't post), but in my case, if the selected person is allowed access to Facebook/Twitter, they are given full access to the site (except for whatever doesn't work because I don't feel like fixing it--like the "Jabber" App-ID needed for facebook-chat ). If our agency's Internet usage policy were to change, I could very easily change from the Facebook App-ID to more specific App-IDs, such as Facebook-base, Facebook-post, etc.... ... View more

Hi Thaigo, I'm not using URL filtering to block Facebook and Twitter, I'm using the Facebook and Twitter App-IDs to allow specific people through.  Everyone else hits the Deny All rule at the bottom. The URL filter is only for the web-browsing and SSL dependencies required for the Facebook and Twitter App-ID. Thanks ... View more

Thaigo, In fact, that's what I tried at first.  My very first attempt I had four rules, in the following order: Allow:  Source: (My PC); Destination: (Any); App-ID: (facebook, twitter); URL-category: (Any) Deny:  Source: (Any); Destination: (Any); App-ID: (facebook, twitter); URL-category: (Any) All Web-browsing:  Source: (Any); Destination: (Any); App-ID: (web-browsing, SSL); URL-category: (Any)  Profile: (URL Filter profile blocking "Social networking" category) Deny all:  Source: (Any); Destination: (Any); App-ID (Any); URL-category: (Any) The problem is that before Facebook or Twitter (or many other applications) can be identified, they start out as basic "SSL" (for Facebook, "web-browsing" for Twitter) and as additional traffic is received, the Palo Alto gets enough traffic to identify the application traffic as Facebook or Twitter or whatever.  So, the inital traffic (i.e. the first packet of the TCP connection) is classified with a "SSL" App-ID and hits rule #3, which has the URL filtering blocking social networking.  Rule #3 will then block the inital Facebook/Twitter traffic, killing the connection before any further traffic is identified as Facebook/Twitter--Rules #2 and Rule #3 are never used. My original issue was that the Facebook and Twitter App-IDs needed "web-browsing" and "ssl" App-IDs to work, but adding those two dependent App-IDs would have allowed too much access for the selected Facebook and Twitter users.  But adding the basic URL filter profile to restrict access would have stopped the Facebook and Twitter App-IDs from working.  A little bit of a Catch-22 right there.  The custom URL category allows me to have a second "web-browsing" and "ssl" rule that only applies to the specific users I am allowing access to Facebook and Twitter.  Everyone else would hit the main "web-browsing" rule near the bottom of the policy list. ... View more

As I was working on this earlier, I tried many different things and combinations of things, including adding more and more URLs to see if that helped or not.  When I got things working, I did not go back and clean up the URLs I added (yet). Anyways, after some more trial and error (mostly error), here's the "clean" version of the custom URL category.  Note that I removed the /* wildcard from the end of each URL--it seems to make everything work better. P.S.  I forgot to mention that the Facebook App-ID complained about a dependency call "jabber" needed for Facebook-chat.  I don't really care about the chat function in Facebook, so I probably won't put much effort in resolving this issue. ... View more