URL FILTERING IN FORTIGATE

URL filtering on FortiGate requires configuration of the following:
1. Interface/zone configuration
2. Static route configuration
3. URL filtering configuration
4. Security policy configuration

Topology: (diagram not reproduced in the text)

Interface and router config:

1. Configure the interface connected to the Linux VM in the private network, and the management interface
config system interface
    edit "port1"
        set ip 10.10.9.11 255.255.255.0
        set allowaccess ping https ssh http fgfm
    next
    edit "port2"
        set ip 15.15.15.102 255.255.255.0
        set allowaccess ping https ssh http
    next
end

2. Configure the interface connected to the internet
config system interface
    edit "port3"
        set ip 10.48.110.206 255.255.255.0
        set allowaccess ping https ssh http
    next
end

3. Set a default route pointing to the internet-facing interface, and a route for the management network
config router static
    edit 20
        set dst 10.20.2.0 255.255.255.0
        set gateway 10.10.9.1
        set device "port1"
    next
    edit 1
        set gateway 10.10.9.1
        set device "port1"
    next
end

4. Create the zone configuration
config system zone
    edit "dmz"
        set interface "port3"
    next
    edit "inside"
        set interface "port2"
    next
end
5. Create the web filter profile

config webfilter urlfilter
    edit 363
        set name "web-filter-demo"
        set comment "web-filter-demo"
        config entries
            edit 208
                set url "www.yahoo.com"
                set type wildcard
                set action allow
            next
            edit 284
                set url "www.whatsapp.com"
                set type wildcard
                set action allow
            next
            edit 224
                set url "www.google.com"
                set type wildcard
                set action allow
            next
            edit 241
                set url "www.sdxcentral.com"
                set type wildcard
                set action block
            next
            edit 236
                set url "www.cnn.com"
                set type wildcard
                set action block
            next
            edit 278
                set url "www.bbc.co.uk"
                set type wildcard
                set action block
            next
        end
    next
end

config webfilter profile
    edit "web-filter-demo"
        config web
            set urlfilter-table 363
        end
    next
end
6. Apply a security policy from the source zone to the destination zone (here inside to dmz) with the web filter profile attached

config firewall policy
    edit 1
        set name "security-policy-demo"
        set uuid e816fe0e-982c-51e7-d0cd-665a119a7840
        set srcintf "inside"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set comments "security-policy-demo-on-pan-os"
        set webfilter-profile "web-filter-demo"
        set profile-protocol-options "default"
        set nat enable
    next
end


Here the source and destination (srcintf/dstintf) can be either a zone or a single interface.

Now if we try to access www.run.com from the Linux machine, the firewall will deny access, as the URL request goes through the firewall.
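As an added example (not from this post or from Fortinet), a small Python model of how the URL filter table above is walked top-down, first match wins, so a table can be checked against test URLs before it is pushed; the pattern semantics are a simplified approximation of the FortiOS simple/wildcard/regex types, not the firewall's exact engine.

```python
import re
from fnmatch import fnmatchcase

# Entries copied from the page's urlfilter table 363, in CLI order
# (first match wins): (url pattern, type, action).
ENTRIES = [
    ("www.yahoo.com", "wildcard", "allow"),
    ("www.whatsapp.com", "wildcard", "allow"),
    ("www.google.com", "wildcard", "allow"),
    ("www.sdxcentral.com", "wildcard", "block"),
    ("www.cnn.com", "wildcard", "block"),
    ("www.bbc.co.uk", "wildcard", "block"),
]

def normalize(url):
    """Reduce a URL to 'host/path' with scheme and port stripped, host lower-cased."""
    url = url.split("://", 1)[-1]
    host, _, path = url.partition("/")
    host = host.split(":", 1)[0].lower()
    return host + "/" + path

def matches(pattern, kind, target):
    """Simplified model of the three FortiGate URL filter pattern types (assumption)."""
    if kind == "regex":
        return re.search(pattern, target) is not None
    if kind == "wildcard":
        # Glob against the host alone and against host/path, so a pattern
        # without '*' (as in the table above) still has to cover the whole host.
        host = target.split("/", 1)[0]
        return fnmatchcase(host, pattern.lower()) or fnmatchcase(target, pattern.lower())
    # simple: exact host or host/path, plus anything beneath that path
    return target == pattern or target.startswith(pattern + "/")

def evaluate(entries, url):
    """Walk the table top-down and return the first matching action, or None
    when nothing matches (the request then falls through to the rest of the
    web filter profile, e.g. FortiGuard categories, and is not blocked here)."""
    target = normalize(url)
    for pattern, kind, action in entries:
        if matches(pattern, kind, target):
            return action
    return None

def audit(entries, urls):
    """Map each test URL to its verdict; useful for reviewing a table before deployment."""
    return {u: evaluate(entries, u) for u in urls}
```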
