Use Case: Control Web Access

When using URL filtering to control user website access, there may be instances where granular control is required for a given website. In this use case, a URL filtering profile is applied to the security policy rule that allows web access for your users; the social-networking URL category is set to block, but the allow list in the URL filtering profile is configured to allow the social networking site Facebook. To further control Facebook, company policy also states that only marketing has full access to Facebook, and all other users within the company can only read Facebook posts and cannot use any other Facebook applications, such as email, posting, chat, and file sharing. To meet this requirement, App-ID must be used to provide granular control over Facebook.
The first security rule allows marketing to access the Facebook website as well as all Facebook applications. Because this allow rule also permits access to the Internet, threat prevention profiles are applied to it so that traffic matching the rule is scanned for threats. This matters because an allow rule is terminal: once traffic matches it, the firewall does not evaluate any later rules for that session.
  1. Confirm that URL filtering is licensed.
    1. Select Device > Licenses and confirm that a valid expiration date appears for the URL filtering database that will be used, either PAN-DB or BrightCloud.
    2. If a valid license is not installed, see Enable PAN-DB URL Filtering.
  2. Confirm that User-ID is working. User-ID is required to create policies based on users and groups.
    1. To check Group Mapping from the CLI, enter the following command:
      show user group-mapping statistics
    2. To check User Mapping from the CLI, enter the following command:
      show user ip-user-mapping-mp all
    3. If statistics do not appear, or IP-address-to-user mapping information is not displayed, see User-ID.
  3. Set up a URL filtering profile by cloning the default profile.
    1. Select Objects > Security Profiles > URL Filtering and select the default profile.
    2. Click the Clone icon. A new profile named default-1 appears.
    3. Select the new profile and rename it.
  4. Configure the URL filtering profile to block social-networking and allow Facebook.
    1. Modify the new URL filtering profile: in the Category list, scroll to social-networking and in the Action column click allow and change the action to block.
    2. In the Allow List, enter facebook.com, press Enter to start a new line, and then type *.facebook.com. Both entries are required so that every URL variant a user may enter is matched, such as facebook.com, www.facebook.com, and https://facebook.com: the entry facebook.com on its own does not match subdomains such as www.facebook.com, which is what the *.facebook.com entry covers.
    3. Click OK to save the profile.
  5. Apply the new URL filtering profile to the security policy rule that allows web access from the user network to the Internet.
    1. Select Policies > Security and click the policy rule that allows web access.
    2. On the Actions tab, select the URL filtering profile you just created from the URL Filtering drop-down.
    3. Click OK to save.
  6. Create the security policy rule that allows marketing to access the Facebook website and all Facebook applications.
    This rule must precede the other rules because:
    • It is a specific rule, and more specific rules must precede more general ones.
    • An allow rule is terminal: once traffic matches it, no later rules are evaluated.
    1. Select Policies > Security and click Add.
    2. Enter a Name and optionally a Description and Tag(s).
    3. On the Source tab, add the zone where the users are connected.
    4. On the User tab, in the Source User section, click Add.
    5. Select the directory group that contains your marketing users.
    6. On the Destination tab, select the zone that is connected to the Internet.
    7. On the Applications tab, click Add and add the facebook App-ID signature.
    8. On the Actions tab, add the default profiles for Antivirus, Vulnerability Protection, and Anti-Spyware.
    9. Click OK to save the security policy rule.
      The facebook App-ID signature used in this rule encompasses all Facebook applications, such as facebook-base, facebook-chat, and facebook-mail, so it is the only App-ID signature required in this rule.
      With this rule in place, when a marketing employee attempts to access the Facebook website or any Facebook application, the rule matches because the user is a member of the marketing group. Traffic from any user outside marketing does not match this rule, so rule processing continues with the next rule.
  7. Configure the security policy to block all other users from using any Facebook applications other than simple web browsing. The easiest way to do this is to clone the marketing allow policy and then modify it.
    1. From Policies > Security, click the marketing Facebook allow rule you created earlier to highlight it, and then click the Clone icon.
    2. Enter a Name and optionally a Description and Tag(s).
    3. On the User tab, highlight the marketing group, delete it, and in the drop-down select any.
    4. On the Applications tab, click the facebook App-ID signature and delete it.
    5. Click Add and add the following App-ID signatures:
      • facebook-apps
      • facebook-chat
      • facebook-file-sharing
      • facebook-mail
      • facebook-posting
      • facebook-social-plugin
    6. On the Actions tab, in the Action Setting section, select Deny. The profile settings should already be correct because this rule was cloned.
    7. Click OK to save the security policy rule.
    8. Ensure that this new deny rule is listed after the marketing allow rule, so that rule processing occurs in the correct order: marketing users are allowed first, and all other users are then denied the restricted Facebook applications. If the deny rule were placed first, its source user of any would match marketing users too, and they would be denied before the allow rule is ever reached.
    9. Click Commit to save the configuration.
      With these security policy rules in place, any user who is part of the marketing group has full access to all Facebook applications, and any user who is not part of the marketing group has read-only access to the Facebook website and cannot use Facebook applications such as posting, chat, email, and file sharing. Plain browsing of the site is not listed in the deny rule, so it falls through to the web access rule, where the URL filtering profile's allow list permits facebook.com even though social-networking is blocked.
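The rule ordering from steps 6 through 8, together with the allow list from step 4, as an added example that is not part of this page and is not Palo Alto Networks code: a small Python model of first-match security policy evaluation over the three rules described here (marketing allow, Facebook read-only deny, general web access with the URL filtering profile). The App-ID container contents, the URL category lookup table, the rule names and the sample sessions are constructed for illustration; the real App-ID tree and PAN-DB are far larger, and allow list matching is simplified to exact host and *.domain entries.

```python
"""Toy first-match model of the security policy built in this use case.
Added example, not Palo Alto Networks code: it shows why the rule order in
steps 6 to 8 matters and how the step 4 allow list overrides a blocked category.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed App-ID container: the page names these as children of "facebook".
# The real App-ID tree has more members; this list is illustrative only.
APP_CONTAINERS = {
    "facebook": {"facebook-base", "facebook-apps", "facebook-chat",
                 "facebook-file-sharing", "facebook-mail",
                 "facebook-posting", "facebook-social-plugin"},
}

# Constructed stand-in for the PAN-DB/BrightCloud category lookup.
URL_CATEGORIES = {"facebook.com": "social-networking",
                  "twitter.com": "social-networking"}


def host_of(url: str) -> str:
    """Reduce 'facebook.com', 'www.facebook.com' or 'https://facebook.com/x' to a host."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def category_of(host: str) -> str:
    """Walk up the domain labels so www.facebook.com inherits facebook.com's category."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        category = URL_CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "unknown"


@dataclass
class UrlProfile:
    blocked_categories: set
    allow_list: list  # entries such as "facebook.com" and "*.facebook.com"

    def allows(self, url: str) -> bool:
        host = host_of(url)
        for entry in self.allow_list:
            if entry.startswith("*."):
                if host.endswith(entry[1:]):      # "*.facebook.com" -> ".facebook.com"
                    return True
            elif host == entry:                   # exact host only, no subdomains
                return True
        return category_of(host) not in self.blocked_categories


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    source_users: Optional[set] = None       # None means any user
    applications: Optional[set] = None       # None means any application
    url_profile: Optional[UrlProfile] = None

    def matches(self, groups: set, app: str) -> bool:
        if self.source_users is not None and not (self.source_users & groups):
            return False
        if self.applications is None:
            return True
        # A container app such as "facebook" matches all of its child apps.
        return any(app == a or app in APP_CONTAINERS.get(a, ()) for a in self.applications)


def evaluate(rules, groups, app, url=None):
    """First match wins. Returns (rule name, verdict); verdict is 'allow', 'deny',
    'url-block' (allowed by policy, blocked by the URL profile) or 'no-match'."""
    for rule in rules:
        if rule.matches(groups, app):
            if rule.action == "allow" and rule.url_profile and url \
                    and not rule.url_profile.allows(url):
                return rule.name, "url-block"
            return rule.name, rule.action
    return None, "no-match"  # implicit deny at the end of the rulebase


# The profile and rules from the page; rule names are constructed.
FB_PROFILE = UrlProfile({"social-networking"}, ["facebook.com", "*.facebook.com"])
RESTRICTED_APPS = {"facebook-apps", "facebook-chat", "facebook-file-sharing",
                   "facebook-mail", "facebook-posting", "facebook-social-plugin"}
MARKETING_ALLOW = Rule("marketing-facebook", "allow", {"marketing"}, {"facebook"})
READONLY_DENY = Rule("facebook-read-only", "deny", None, RESTRICTED_APPS)
WEB_ACCESS = Rule("web-access", "allow", None, None, FB_PROFILE)
RULEBASE = [MARKETING_ALLOW, READONLY_DENY, WEB_ACCESS]    # order required by step 8
MISORDERED = [READONLY_DENY, MARKETING_ALLOW, WEB_ACCESS]  # the mistake step 8 warns about

# Constructed sample sessions: (group set, App-ID, URL or None).
SESSIONS = [
    ({"marketing"}, "facebook-chat", None),
    ({"sales"}, "facebook-chat", None),
    ({"sales"}, "facebook-base", "https://www.facebook.com/"),
    ({"sales"}, "web-browsing", "twitter.com"),
]

if __name__ == "__main__":
    for label, rules in (("correct order", RULEBASE), ("misordered", MISORDERED)):
        print(label)
        for groups, app, url in SESSIONS:
            print("  ", sorted(groups), app, url, "->", evaluate(rules, groups, app, url))
```

Running the module evaluates the sample sessions against both orderings: with the correct order a marketing user's facebook-chat session hits the allow rule, a sales user's facebook-chat session hits the deny rule, and a sales user's facebook-base session falls through to the web access rule, where the allow list permits www.facebook.com while twitter.com is still blocked by category. With the deny rule moved above the marketing rule, the marketing user's facebook-chat session is denied, which is exactly the ordering error step 8 tells you to check for.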

Related Documentation