Control Web Access
When using URL filtering to control user website access, there may be instances where granular control is required for a given website. In this use case, a URL filtering profile is applied to the security policy rule that allows web access for your users: the social-networking URL category is set to block, but the allow list in the URL filtering profile is configured to allow the social networking site Facebook. To further control Facebook, the company policy also states that only marketing has full access to Facebook; all other users within the company can only read Facebook posts and cannot use any other Facebook application, such as email, posting, chat, and file sharing. Because URL filtering operates on the site as a whole, App-ID must be used to provide this per-application control over Facebook.
The first security rule will allow marketing to access the Facebook website as well as all Facebook applications. Because this allow rule will also allow access to the Internet, threat prevention profiles are applied to the rule, so traffic that matches the policy will be scanned for threats. This is important because the allow rule is terminal and will not continue to check other rules if there is a traffic match.
- Confirm that URL filtering is licensed.
- Select Device > Licenses and confirm that a valid date appears for the URL filtering database that will be used. This will be either PAN-DB or BrightCloud.
- If a valid license is not installed, see Enable PAN-DB URL Filtering.
- Confirm that User-ID is working. User-ID is required to create policies based on users and groups.
- Set up a URL filtering profile by cloning the default profile.
- Select Objects > Security Profiles > URL Filtering and select the default profile.
- Click the Clone icon. A new profile should appear named default-1.
- Select the new profile and rename it.
- Configure the URL filtering profile to block social-networking and allow Facebook.
- Modify the new URL filtering profile: in the Category list scroll to social-networking and, in the Action column, click on allow and change the action to block.
- In the Allow List, enter facebook.com, press Enter to start a new line, and then type *.facebook.com. Both entries are required: the wildcard entry matches subdomains such as www.facebook.com but not the bare domain, so together they cover all URL variants a user may use, such as facebook.com, www.facebook.com, and https://facebook.com.
- Click OK to save the profile.
- Apply the new URL filtering profile to the security policy rule that allows web access from the user network to the Internet.
- Select Policies > Security and click on the policy rule that allows web access.
- On the Actions tab, select the URL filtering profile you just created from the URL Filtering drop-down.
- Click OK to save.
- Create the security policy rule that will allow marketing to access the Facebook website and all Facebook applications. This rule must precede other rules because:
- It is a specific rule. More specific rules must precede more general rules, or the general rule will match first and the specific rule will never be evaluated.
- An allow rule is terminal: rule processing stops at the first match.
- Select Policies > Security and click Add.
- Enter a Name and optionally a Description and Tag(s).
- On the Source tab, add the zone where the users are connected.
- On the User tab, in the Source User section, click Add.
- Select the directory group that contains your marketing users.
- On the Destination tab, select the zone that is connected to the Internet.
- On the Applications tab, click Add and add the
- On the Actions tab, add the default profiles for Antivirus, Vulnerability Protection, and Anti-Spyware.
- Click OK to save the security policy rule. With this rule in place, when a marketing employee attempts to access the Facebook website or any Facebook application, the rule matches based on the user being part of the marketing group. For traffic from any user outside of marketing, the rule is skipped because there is no match, and rule processing continues with the next rule.
- Configure the security policy to block all other users from using any Facebook applications other than simple web browsing. The easiest way to do this is to clone the marketing allow policy and then modify it.
- From Policies > Security, click the marketing Facebook allow policy you created earlier to highlight it and then click the Clone icon.
- Enter a Name and optionally enter a Description and Tag(s).
- On the User tab, highlight the marketing group, delete it, and in the drop-down select any.
- On the Applications tab, click the
- Click Add and add the following App-ID signatures:
- On the Actions tab, in the Action Setting section, select Deny. The profile settings should already be correct because this rule was cloned.
- Click OK to save the security policy rule.
- Ensure that this new deny rule is listed after the marketing allow rule, so that rule processing occurs in the correct order: marketing users are allowed first, then all other users are denied the Facebook applications. Because an allow rule is terminal, the deny rule must also sit above the general web-access rule from the earlier step; otherwise that rule would match the Facebook applications first and allow them for everyone.
- Click Commit to save the configuration.
With these security policy rules in place, any user who is part of the marketing group will have full access to all Facebook applications, and any user who is not part of the marketing group will have only read-only access to the Facebook website and will not be able to use Facebook applications such as posting, chat, email, and file sharing.
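The same procedure expressed as PAN-OS CLI configure-mode commands, as an added example written by the editor and not configuration taken from the original page. The zone names (trust-users, untrust), the directory group acme\marketing, the profile and rule names, the test addresses, and the facebook-* App-ID names for the sub-applications (chosen to match the applications the text names: chat, email, posting, file sharing) are all assumptions. The set/move/test syntax is the PAN-OS CLI as the editor recalls it for releases that still carry the allow list on the URL filtering profile; check every command against your own release before using it.

```text
# Added example by the editor, not from the page. Assumed names: zones
# trust-users/untrust, group acme\marketing, rule and profile names, and
# the facebook-* App-ID names used in the deny rule.
configure

# Step 1: URL filtering profile. Block the category, allow Facebook by both
# forms; *.facebook.com on its own would not match the bare domain.
set profiles url-filtering web-access-urls block [ social-networking ]
set profiles url-filtering web-access-urls allow-list [ facebook.com *.facebook.com ]

# Step 2: attach the profile to the existing general web-access rule
# (assumed to be named allow-web-access).
set rulebase security rules allow-web-access profile-setting profiles url-filtering web-access-urls

# Step 3: marketing allow rule. It is terminal, so threat profiles go on it.
# The facebook App-ID is assumed to act as a container covering the
# facebook-* sub-applications; if your App-ID database treats them
# separately, list them here as well.
set rulebase security rules allow-marketing-facebook from trust-users to untrust source any destination any
set rulebase security rules allow-marketing-facebook source-user [ "acme\marketing" ]
set rulebase security rules allow-marketing-facebook application [ facebook ] service application-default action allow
set rulebase security rules allow-marketing-facebook profile-setting profiles virus default vulnerability default spyware default

# Step 4: deny rule for everyone else. Only the sub-applications are listed;
# plain facebook browsing is not, so it falls through to allow-web-access
# and is permitted there (read-only) under the URL filtering profile.
set rulebase security rules deny-facebook-apps from trust-users to untrust source any destination any source-user any
set rulebase security rules deny-facebook-apps application [ facebook-chat facebook-mail facebook-posting facebook-file-sharing ]
set rulebase security rules deny-facebook-apps service application-default action deny

# Step 5: ordering. Allow first, deny directly after it, both above the
# general web-access rule, which would otherwise match and allow first.
move rulebase security rules allow-marketing-facebook top
move rulebase security rules deny-facebook-apps after allow-marketing-facebook

commit
exit

# Verify from operational mode with constructed addresses (203.0.113.10 is
# a documentation-range placeholder standing in for a Facebook server).
# The first lookup should report allow-marketing-facebook, the second
# deny-facebook-apps.
test security-policy-match from trust-users to untrust source 10.1.1.5 destination 203.0.113.10 protocol 6 destination-port 443 application facebook-chat source-user "acme\marketing"
test security-policy-match from trust-users to untrust source 10.1.1.6 destination 203.0.113.10 protocol 6 destination-port 443 application facebook-chat source-user "acme\jdoe"
```

The two test security-policy-match lookups are the check worth keeping after any later rulebase change: if someone inserts a broad allow rule above deny-facebook-apps, the second lookup stops returning the deny rule, which is the shadowing failure the ordering steps above guard against.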