URL FILTERING IN PALO ALTO FIREWALL

URL filtering in Palo Alto requires the following to be configured:
1. Interface/zone configuration
2. Static route configuration
3. NAT configuration
4. URL filtering configuration
5. Security policy configuration

Topology:



Interface, Router Config:

1. Configure the interface connected to the Linux VM in the private network, and the management interface
config system interface
    edit "port1"
        set ip 10.10.9.11 255.255.255.0
        set allowaccess ping https ssh http fgfm
    next
    edit "port2"
        set ip 15.15.15.102 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "port3"
        set ip 10.48.110.206 255.255.255.0
        set allowaccess ping https ssh http

end
2. Configure the interface connected to the internet

config system interface
    edit "port3"
        set ip 10.48.110.206 255.255.255.0
        set allowaccess ping https ssh http

end

3. Set the default route pointing to the internet-facing interface, and a route for management purposes such as SSH
config router static
    edit 20
        set dst 10.20.2.0 255.255.255.0
        set gateway 10.10.9.1
        set device "port1"
    next
    edit 1
        set gateway 10.10.9.1
        set device "port1"
    next
end

4. Create zones for the private and DMZ interfaces
config system zone
    edit "dmz"
        set interface "port3"
    next
    edit "inside"
        set interface "port2"
    next
end

5. Create the web filter profile

config webfilter urlfilter
    edit 363
        set name "web-filter-demo"
        set comment "web-filter-demo"
        config entries
            edit 208
                set url "www.yahoo.com"
                set type wildcard
                set action allow
            next
            edit 284
                set url "www.whatsapp.com"
                set type wildcard
                set action allow
            next
            edit 224
                set url "www.google.com"
                set type wildcard
                set action allow
            next
            edit 241
                set url "www.sdxcentral.com"
                set type wildcard
                set action block
            next
            edit 236
                set url "www.cnn.com"
                set type wildcard
                set action block
            next
            edit 278
                set url "www.bbc.co.uk"
                set type wildcard
                set action block
            next
        end
    next
end


config webfilter profile
  edit "web-filter-demo"
        config web
            set urlfilter-table 363
        end

end
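
The URL filter table above can be checked offline before it is applied. The following is an added example, not code from the original post: it parses a `config webfilter urlfilter` block and returns the action of the first entry that matches a hostname. It assumes entries are evaluated in listed order and models `wildcard` as a shell-style glob on the hostname only, a simplification rather than the firewall's own matcher; `SAMPLE_CONFIG` is a constructed subset of the table, and `parse_entries` and `verdict` are hypothetical names.

```python
import fnmatch

# Constructed sample: a subset of the urlfilter table shown on this page.
SAMPLE_CONFIG = '''
config webfilter urlfilter
    edit 363
        set name "web-filter-demo"
        config entries
            edit 208
                set url "www.yahoo.com"
                set type wildcard
                set action allow
            next
            edit 236
                set url "www.cnn.com"
                set type wildcard
                set action block
            next
        end
    next
end
'''

def parse_entries(text):
    """Return the entries found inside 'config entries' as dicts."""
    entries, current, inside = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config entries":
            inside = True
        elif inside and line == "end":
            inside = False
        elif inside and line.startswith("edit "):
            current = {"id": int(line.split()[1])}
        elif inside and current is not None and line.startswith("set "):
            _, key, value = line.split(None, 2)
            current[key] = value.strip('"')
        elif inside and line == "next" and current is not None:
            entries.append(current)
            current = None
    return entries

def verdict(host, entries):
    """Assumed model: first matching entry wins, glob match on hostname only."""
    for e in entries:
        pattern = e.get("url", "").lower()
        if e.get("type") == "wildcard" and fnmatch.fnmatchcase(host.lower(), pattern):
            return e["action"]
    return "no-match"
```

A `no-match` result means the table itself gives no verdict for that host, so the outcome depends on whatever else the policy applies.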

6. Apply a security policy from zone any to any

set rulebase security rules cli from any
set rulebase security rules cli source any
set rulebase security rules cli source-user any
set rulebase security rules cli to any
set rulebase security rules cli destination any
set rulebase security rules cli application any
set rulebase security rules cli service any
set rulebase security rules cli action allow
set rulebase security rules cli profile-setting profiles url-filtering google-block

Here, from/to can be either a zone or a single interface.

Now if we try to access www.run.com from the Linux machine, the firewall will deny access to it, because the URL request goes through the firewall.


