Use Case: Control Web Access
When using URL filtering to control user website access, there may be instances where granular control is required for a given website. In this use case, a URL filtering profile is applied to the security policy that allows web access for your users and the social-networking URL category is set to block, but the allow list in the URL profile is configured to allow the social networking site Facebook. To further control Facebook, the company policy also states that only marketing has full access to Facebook and all other users within the company can only read Facebook posts and cannot use any other Facebook applications, such as email, posting, chat, and file sharing. To accomplish this requirement, App-ID must be used to provide granular control over Facebook.
The first Security policy rule will allow marketing to access the Facebook website as well as all Facebook applications. Because this allow rule will also allow access to the Internet, threat prevention profiles are applied to the rule, so traffic that matches the policy will be scanned for threats. This is important because the allow rule is terminal and will not continue to check other rules if there is a traffic match.
- Confirm that URL filtering is licensed.
- Select DeviceLicenses and confirm that a valid date appears for the URL filtering database that will used. This will either be PAN-DB or BrightCloud.
- If a valid license is not installed, see Enable PAN-DB URL Filtering.
- Confirm that User-ID is working. User-ID is required to create policies based on users and groups.
- Set up a URL filtering profile by cloning the default
- Select ObjectsSecurity ProfilesURL Filtering and select the default profile.
- Click the Clone icon. A new profile should appear named default-1.
- Select the new profile and rename it.
- Configure the URL filtering profile to block social-networking
and allow Facebook.
- Modify the new URL filtering profile and in the Category list scroll to social-networking and in the Action column click on allow and change the action to block.
- In the Allow List, enter facebook.com, press enter to start a new line and then type *.facebook.com. Both of these formats are required, so all URL variants a user may use will be identified, such as facebook.com, www.facebook.com, and https://facebook.com.
- Click OK to save the profile.
- Apply the new URL filtering profile to the security policy
rule that allows web access from the user network to the Internet.
- Select PoliciesSecurity and click on the policy rule that allows web access.
- On the Actions tab, select the URL profile you just created from the URL Filtering drop-down.
- Click OK to save.
- Create the security policy rule that will allow marketing
access the Facebook website and all Facebook applications.This rule must precede other rules because:
- It is a specific rule. More specific rules must precede other rules.
- Allow rule will terminate when a traffic match occurs.
- Select PoliciesSecurity and click Add.
- Enter a Name and optionally a Description and Tag(s).
- On the Source tab add the zone where the users are connected.
- On the User tab in the Source User section click Add.
- Select the directory group that contains your marketing users.
- On the Destination tab, select the zone that is connected to the Internet.
- On the Applications tab, click Add and add the facebook App-ID signature.
- On the Actions tab, add the default profiles for Antivirus, Vulnerability Protection, and Anti-Spyware.
- Click OK to save the security
profile.The facebook App-ID signature used in this policy rule encompasses all Facebook applications, such as facebook-base, facebook-chat, and facebook-mail, so this is the only App-ID signature required in this rule.With this rule in place, when a marketing employee attempts to access the Facebook website or any Facebook application, the rule matches based on the user being part of the marketing group. For traffic from any user outside of marketing, the rule will be skipped because there would not be a traffic match and rule processing would continue.
- Configure the security policy to block all other users
from using any Facebook applications other than simple web browsing.
The easiest way to do this is to clone the marketing allow policy
and then modify it.
- From PoliciesSecurity click the marketing Facebook allow policy you created earlier to highlight it and then click the Clone icon.
- Enter a Name and optionally enter a Description and Tag(‘s).
- On the User tab highlight the marketing group and delete it and in the drop-down select any.
- On the Applications tab, click the facebook App-ID signature and delete it.
- Click Add and add the following
- On the Actions tab in the Action Setting section, select Deny. The profile settings should already be correct because this rule was cloned.
- Click OK to save the security profile.
- Ensure that this new deny rule is listed after the marketing allow rule, to ensure that rule processing occurs in the correct order to allow marketing users and then to deny/limit all other users.
- Click Commit to save the configuration.With these security policy rules in place, any user who is part of the marketing group will have full access to all Facebook applications and any user that is not part of the marketing group will only have read-only access to the Facebook website and will not be able to use Facebook applications such as post, chat, email, and file sharing.
Use Device Groups to Push Policy Rules
Use Device Groups to Push Policy Rules The third task in Use Case: Configure Firewalls Using Panorama is to create the device groups to manage ...
URL Filtering Use Cases
URL Filtering Use Cases The following use cases show how to use App-ID to control a specific set of web-based applications and how to use ...
URL Filtering Profile
URL Filtering Profile A URL filtering profile is a collection of URL filtering controls that you can apply to individual security policy rules to enforce ...
Interaction Between App-ID and URL Categories
Interaction Between App-ID and URL Categories The Palo Alto Networks URL filtering solution in combination with App-ID provides unprecedented protection against a full spectrum of ...
Group Mapping To define policy rules based on user or group, first you create an LDAP server profile that defines how the firewall connects and ...
Determine URL Filtering Policy Requirements
Determine URL Filtering Policy Requirements The recommended practice for deploying URL filtering in your organization is to first start with a passive URL filtering profile ...
Use Case: Use URL Categories for Policy Matching
Use Case: Use URL Categories for Policy Matching You can also use URL categories as match criteria in the following policy types: Authentication, Decryption, Security, ...
URL Categories Each website defined in the URL filtering database is assigned a URL category. Here are a few ways to leverage URL categories: Block ...
Control Access to Web Content
Control Access to Web Content URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize ...