Palo Alto URL Filtering Category Block Configuration


Introduction

This post mainly follows this KB article:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmgCAC

URL Filtering and Category Block are basic firewall features.

On PA, however, URL Filtering is a feature that requires a license.

Test Environment

PA VM: PanOS 8.1

PC: Win10

Block Page

Two kinds of Block Page can be configured:

  1. Application Block Page
  2. URL Filtering and Category Match Block Page

Application Block Page

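First go to Device->Response Pages.

Find Application Block Pages.

Confirm that it is enabled.

Once you have confirmed it is enabled, click the Application Block Page entry.

The default source file of the Block Page pops up.

After selecting it, you can choose export at the bottom.

You get an html file.

Its contents look roughly like this: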

<!DOCTYPE html>

<html lang="en">
<head>
    <base href="/login/">
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=.85">
    <meta http-equiv="pragma" content="no-cache">
    <title>Application Blocked</title>
    <link rel="stylesheet" href="css/latofonts.css">
    <style>
        body {
            background-color: #e8ebeb;
            font-family: Lato, 'Helvetica Neue', Helvetica, Arial, sans-serif;
            font-size: 16px;
            margin: 0;
            color: #070808;
        }

        a:link {
            color: #0993d1;
        }

        b,
        strong {
            font-weight: 500;
        }

        p {
            line-height: 1.2em;
        }

        button {
            overflow: visible;
        }

        button, input, optgroup, select, textarea {
            color: inherit;
            font: inherit;
            margin: 0;
        }

        .center {
            text-align: center;
            margin-left: auto;
            margin-right: auto;
        }

        #dError,
        .msg {
            color: #d94949;
            margin: 20px 0;
        }

        fieldset .msg {
            margin: 0;
        }

        #content {
            padding-top: 100px;
        }

        #content img {
            display: block;
            margin: auto;
        }

        #content h1 {
            font-style: normal;
            font-weight: normal;
            font-size: 36px;
            line-height: 43px;
            text-align: center;
            letter-spacing: 0.1px;
            color: #070808;
            margin: 10px auto 8px;
        }

        #content > p {
            text-align: center;
            margin-left: auto;
            margin-right: auto;
            width: 640px;
            font-size: 14px;
            line-height: 20px;
        }

        .response {
            background-color: #fff;
            color: #5a636b;
            margin: 24px auto 0;
            padding: 20px;
            font-size: 16px;
            width: 800px;
            border: 1px solid #c8cbce;
            box-sizing: border-box;
            border-radius: 8px;
        }

        .response p {
            margin: 0 0 1em;
        }

        .response p:last-child {
            margin: 0;
        }

        .response b {
            color: #070808;
        }

        .response .msg b {
            color: #d94949;
        }

        .response form td,
        .response form input {
            font-size: 1.1em;
            font-weight: bold;
        }

        .loading {
            margin: 2em auto 1em;
        }
    </style>
</head>

<body>
<div id="content" class="container">
    <img src="data:image/png;base64,…" alt="Error">
    <h1>Against Acceptable Use Policy</h1>
    <div class="response">
        <p>The application you are trying to use has been blocked in accordance with company policy. Please contact your system administrator if you believe this is an error.</p>
        <img src="https://i.kym-cdn.com/entries/icons/original/000/002/144/You_Shall_Not_Pass!_0-1_screenshot.jpg" alt="blockImage" style="width:700px;height:600px;">
        <p><b>User:</b> <user/></p>
        <p><b>Application:</b> <appname/></p>
    </div>
</div>
</body>
</html>

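I only changed the image that is displayed,

and previewed the file in a browser to check the result.

Once confirmed, put it back into the Application Block Page on the PA.

Right next to the Export used earlier there is an import.

After importing, you can see that your file is on the PA as well.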
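A pre-import check for the edited block page, as an added example that is not part of the original post: it confirms the `<user/>` and `<appname/>` variables survived editing and lists resources the browser would load from another host, since the client that was just blocked has to fetch those itself through the same firewall policy. The names `audit_block_page` and `is_external` and the sample host `images.example` are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Variables present in the Application Block Page exported on this page.
REQUIRED_VARS = ("user", "appname")

class BlockPageAudit(HTMLParser):
    """Collects response-page variables and resources loaded from other hosts."""

    def __init__(self):
        super().__init__()
        self.variables = set()
        self.external = []  # (tag, url) pairs the browser fetches off-box

    def handle_starttag(self, tag, attrs):
        # <user/> and <appname/> also arrive here via handle_startendtag.
        if tag in REQUIRED_VARS:
            self.variables.add(tag)
        for name, value in attrs:
            # Only attributes the browser loads automatically, not <a href>.
            auto = name == "src" or (tag == "link" and name == "href")
            if auto and value and is_external(value):
                self.external.append((tag, value))

def is_external(url):
    """True for absolute http(s) or protocol-relative URLs; data: and relative are local."""
    return urlparse(url).scheme in ("http", "https") or url.startswith("//")

def audit_block_page(html):
    """Return a list of findings for a customized block page."""
    parser = BlockPageAudit()
    parser.feed(html)
    findings = [f"missing variable <{v}/>" for v in REQUIRED_VARS
                if v not in parser.variables]
    findings += [f"external resource <{t}> {u}" for t, u in parser.external]
    return findings

# Constructed sample: the edited body from this page, trimmed, with a placeholder image host.
SAMPLE = """<html><head><base href="/login/">
<link rel="stylesheet" href="css/latofonts.css"></head><body>
<img src="data:image/png;base64,AAAA" alt="Error">
<img src="https://images.example/blocked.jpg" alt="blockImage">
<p><b>User:</b> <user/></p><p><b>Application:</b> <appname/></p>
</body></html>"""
```

An empty list from `audit_block_page` means both variables are present and every resource is inline or relative to the firewall's own pages.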

URL Filtering Block Page

Editing the URL Filtering Block Page works the same way as for the Application Block Page.

Just repeat the same steps.

I changed it as follows:

Application Block Policy

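With the pages in place, a policy is needed to trigger them.

Go to Policy->Security and add a new Policy.

Source and Destination can be set as you like.

The most important setting is the Application field.

Below is the Policy I set up to block all Facebook functions.

Leave URL category at its default.

This Policy mainly denies the Facebook-base application.

That is all it takes.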

URL Filtering Block Profile

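Next, configure the URL Filtering object.

Go to Objects->Security Profiles->URL Filtering.

A default profile already exists.

Here I leave the default profile untouched and clone it instead.

You can also edit the default directly if you prefer.

The default profile already contains the Category sets considered problematic,

so I first set every category to block.

Click Site Access->Set All Actions->block.

When done, click ok.

As with Application Block, this object has to be selected in a Policy.

Go to Policy->Security->Add.

For testing, I set Source and Destination to any any.

For Application, let everything through except what the block profile covers.

Leave URL Category at its default.

For Action, allow everything, except that under URL Filtering you select the Block Category Profile configured earlier.

When done, adjust the order of the Policies.

First move Block URL toward the top,

and after it block the specific Application.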

Interface management

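Note that response pages must be enabled on mgmt.

Go to Network->Interfaces Mgmt.

Then click that mgmt interface to check it,

and confirm that the outgoing interface uses that mgmt.

Once all of this is done, you can test whether the Block Page appears.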
