URL FILTERING IN PALO ALTO FIREWALL
URL filtering on the firewall requires the configuration steps listed below. Note that the CLI shown in steps 1 to 5 is FortiOS (FortiGate) syntax, while the security rule in step 6 is written in PAN-OS (Palo Alto) syntax.
1 . Interface/Zone configuration
2 . Static route configuration
3 . NAT configuration
4 . URL filtering configuration
5 . Security policy configuration
Topology :
Interface, Router Config:
1 . Configure the management interface (port1) and the interface connected to the Linux VM in the private network (port2)
config system interface
edit "port1"
set ip 10.10.9.11 255.255.255.0
set allowaccess ping https ssh http fgfm
next
edit "port2"
set ip 15.15.15.102 255.255.255.0
set allowaccess ping https ssh http
next
end
2 . Configure the interface connected to the internet (port3)
config system interface
edit "port3"
set ip 10.48.110.206 255.255.255.0
set allowaccess ping https ssh http
end
Keep administrative access on the internet-facing interface to the minimum needed. As written, port3 accepts HTTP, HTTPS and SSH management sessions from the internet side, and HTTP carries the admin credentials in cleartext. Outside a lab, remove http (and normally https and ssh as well) from allowaccess on port3 and manage the unit over port1.
3 . Set the default route and a route to the management network (10.20.2.0/24) used for SSH access
config router static
edit 20
set dst 10.20.2.0 255.255.255.0
set gateway 10.10.9.1
set device "port1"
next
edit 1
set gateway 10.10.9.1
set device "port1"
next
end
Both routes as shown use port1 with next hop 10.10.9.1, so internet-bound traffic would leave through port1 rather than through the interface described above as internet-facing (port3). If port3 is the uplink, the default route (edit 1) must use port3 and the next-hop gateway of the 10.48.110.0/24 network instead.
4 . Create zones for the private (inside) and dmz interfaces
config system zone
edit "dmz"
set interface "port3"
next
edit "inside"
set interface "port2"
next
end
5 . Create the static URL filter list and the web filter profile that references it
config webfilter urlfilter
edit 363
set name "web-filter-demo"
set comment "web-filter-demo"
config entries
edit 208
set url "www.yahoo.com"
set type wildcard
set action allow
next
edit 284
set url "www.whatsapp.com"
set type wildcard
set action allow
next
edit 224
set url "www.google.com"
set type wildcard
set action allow
next
edit 241
set url "www.sdxcentral.com"
set type wildcard
set action block
next
edit 236
set url "www.cnn.com"
set type wildcard
set action block
next
edit 278
set url "www.bbc.co.uk"
set type wildcard
set action block
next
end
next
end
config webfilter profile
edit "web-filter-demo"
config web
set urlfilter-table 363
end
end
This list only acts on URLs that match one of its entries. Each entry matches the listed host (www.cnn.com, not edition.cnn.com), and a request for a host with no entry, such as www.run.com, is simply passed on to the rest of the web filter profile. For HTTPS sites the FortiGate can only see the host name if the policy that uses this profile also applies an SSL/SSH inspection profile; the built-in certificate-inspection profile is sufficient for host-based URL filtering.
6 . Apply security policy from zone any to any
The rule below is PAN-OS (Palo Alto) configure-mode CLI, not FortiOS. It creates a security rule named cli that allows all traffic between all zones and attaches a URL Filtering profile named google-block, which must already exist on the Palo Alto device; it is not the FortiGate web-filter-demo profile built in step 5.
set rulebase security rules cli from any
set rulebase security rules cli source any
set rulebase security rules cli source-user any
set rulebase security rules cli to any
set rulebase security rules cli destination any
set rulebase security rules cli application any
set rulebase security rules cli service any
set rulebase security rules cli action allow
set rulebase security rules cli profile-setting profiles url-filtering google-block
In PAN-OS, from and to are always zones; it is the srcintf/dstintf of a FortiGate firewall policy that can be either a zone or a single interface. An any/any allow rule is only appropriate for a lab: in production, scope the rule to the zones, users and applications that need web access, and remember that the rule takes effect only after a commit.
Now if we try to access one of the blocked URLs from the Linux machine, the firewall denies the request, because it passes through the firewall and matches a block entry. With the list from step 5 that applies to www.sdxcentral.com, www.cnn.com and www.bbc.co.uk; a host with no entry, such as www.run.com, is not matched by that list at all and is blocked only if the profile actually attached to the rule blocks it.
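Because step 6 is written for PAN-OS, nothing on the page attaches the FortiGate web filter profile from step 5 to a policy. The policy below is an added example, not configuration from the original page: it allows web traffic from the inside zone (port2, the Linux VM) to the dmz zone (port3, the internet side), enables UTM inspection, attaches the built-in certificate-inspection SSL profile so the host name of HTTPS sessions is visible, and applies web-filter-demo. The policy name, the service list, logging and the use of source NAT (the page lists NAT as a step but does not show it) are assumptions.

```text
# Added example: FortiOS firewall policy that applies the web-filter-demo profile.
# Lines starting with '#' are comments and are ignored by the FortiOS CLI.
config firewall policy
    # edit 0 lets the FortiGate assign the next free policy ID
    edit 0
        # assumed name
        set name "inside-to-dmz-webfilter"
        # zones created in step 4 (not the raw interface names)
        set srcintf "inside"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        # assumed service set; built-in FortiOS service objects
        set service "HTTP" "HTTPS" "DNS"
        # security profiles are only applied when utm-status is enabled
        set utm-status enable
        # built-in profile: reads SNI/CN of TLS sessions without decrypting them
        set ssl-ssh-profile "certificate-inspection"
        # the profile built in step 5
        set webfilter-profile "web-filter-demo"
        # assumed: log allowed and blocked sessions
        set logtraffic all
        # assumed: source NAT to port3's address (the NAT step the page lists but does not show)
        set nat enable
    next
end
```

To check the result from the Linux VM, request one blocked and one allowed host, for example `curl -I http://www.cnn.com` and `curl -I http://www.google.com`: the first is answered by the FortiGate's block page instead of the site, the second reaches the site. On the FortiGate, `diagnose debug flow filter addr <linux-vm-ip>` followed by `diagnose debug flow trace start 10` and `diagnose debug enable` shows which policy each session matched (stop with `diagnose debug flow trace stop` and `diagnose debug disable`); if a session hits a different policy or none, the web filter profile is never consulted.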