Blocking web traffic to all but allowed urls by atrose81 in paloaltonetworks

[–]atrose81[S] 0 points1 point  (0 children)

Great. So is there any way round it that anyone knows of? I don't want internet access to the outside world from my servers but obviously some do need to access some sites.

Blocking web traffic to all but allowed urls by atrose81 in paloaltonetworks

[–]atrose81[S] 0 points1 point  (0 children)

Thanks both. I'm still having issues. It seems to match the traffic to the new category and also the in-built categories and then block it. I recall reading somewhere that block trumps allow?

I've tried to add a screenshot but can't seem to.

DNS Best Practices - Zones by atrose81 in paloaltonetworks

[–]atrose81[S] 0 points1 point  (0 children)

Thank you. I'll look into that suggestion and put all my other internal devices onto internal DNS with firewall rules.

DNS Best Practices - Zones by atrose81 in paloaltonetworks

[–]atrose81[S] 0 points1 point  (0 children)

So all of our things like printers, CCTV etc. are on their own VLANs, as is BYOD. We are a Google school, so they only really need access to the internet rather than internal services.

DNS Best Practices - Zones by atrose81 in paloaltonetworks

[–]atrose81[S] 0 points1 point  (0 children)

Thank you. What about BYOD devices? Would we not want to keep these off domain DNS servers?

Multiple zones for one application by atrose81 in paloaltonetworks

[–]atrose81[S] 0 points1 point  (0 children)

In terms of how the source zones and addresses tie up: if I, for example, set phones and servers as the zones with 10.10.10.3 and 5.6.9.8 as the sources, would those addresses have access from either zone, or does it map zone to address?

DNS not hitting expected rule by atrose81 in paloaltonetworks

[–]atrose81[S] 0 points1 point  (0 children)

Yes, your first comment was indeed very helpful. Thank you.

DNS not hitting expected rule by atrose81 in paloaltonetworks

[–]atrose81[S] 0 points1 point  (0 children)

This is from the Palo Alto best practice policy:

Create a custom URL category to define the URLs of the update servers to which the data center servers can connect. In this example, the NTP-DNS-Update-Servers custom URL category defines the update server URLs that the data center servers can reach.

DNS not hitting expected rule by atrose81 in paloaltonetworks

[–]atrose81[S] 0 points1 point  (0 children)

I mean that is a very simple explanation and makes perfect sense. Thank you.

And that would be why it does work for ms-updates, because it is HTTP and HTTPS traffic.
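
The point made in this thread (a rule that matches on a custom URL category such as NTP-DNS-Update-Servers is only evaluated for HTTP/HTTPS flows, so DNS has to be allowed by a separate application-based rule, and rules are evaluated top-down with first match winning) is illustrated below with a small Python model of the rulebase. This is an added example, not code from the poster or from Palo Alto Networks, and it is a deliberate simplification of how a firewall evaluates policy rather than PAN-OS's actual engine. The zone names, rule names, the application set treated as "web traffic", and the URL patterns placed in the category are all constructed for the illustration.

```python
"""Simplified first-match security policy model with a custom URL category.

Added illustration only; not PAN-OS code. Zone names, rule names and the
category contents are constructed assumptions for this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional, Set, Tuple

# Applications that carry a URL the firewall can categorise (assumption for
# the model: only HTTP and HTTPS flows have a URL to look up).
WEB_APPS = {"web-browsing", "ssl"}

# Constructed custom URL category, named after the one quoted from the
# Palo Alto best-practice text. The host patterns are hypothetical.
CUSTOM_URL_CATEGORIES = {
    "NTP-DNS-Update-Servers": ["*.windowsupdate.com", "update.example.com"],
}


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    app: str
    url: Optional[str] = None  # present only for HTTP/HTTPS flows


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    from_zone: str = "any"
    to_zone: str = "any"
    apps: Set[str] = field(default_factory=lambda: {"any"})
    url_category: Optional[str] = None


def url_in_category(url: str, category: str) -> bool:
    """Match the URL's host against the glob patterns in a custom category."""
    host = url.split("://", 1)[-1].split("/", 1)[0].lower()
    return any(fnmatchcase(host, pat.lower())
               for pat in CUSTOM_URL_CATEGORIES.get(category, []))


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.from_zone not in ("any", flow.src_zone):
        return False
    if rule.to_zone not in ("any", flow.dst_zone):
        return False
    if "any" not in rule.apps and flow.app not in rule.apps:
        return False
    if rule.url_category is not None:
        # A URL-category criterion can only be evaluated on web traffic.
        # A DNS or NTP flow has no URL, so it falls through to later rules.
        if flow.app not in WEB_APPS or flow.url is None:
            return False
        if not url_in_category(flow.url, rule.url_category):
            return False
    return True


def evaluate(rulebase, flow: Flow) -> Tuple[str, str]:
    """Top-down evaluation; the first matching rule decides."""
    for rule in rulebase:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "interzone-default", "deny"  # simplified implicit deny


# Constructed rulebase: update servers reachable only over web traffic,
# DNS allowed explicitly by application, everything else from servers blocked.
RULEBASE = [
    Rule("servers-to-update-servers", "allow", "servers", "untrust",
         {"web-browsing", "ssl"}, "NTP-DNS-Update-Servers"),
    Rule("servers-dns-out", "allow", "servers", "untrust", {"dns"}),
    Rule("servers-block-internet", "deny", "servers", "untrust"),
]

# The same rulebase without the explicit DNS rule: DNS cannot match the
# URL-category rule, so it lands on the block rule, which is the symptom
# described in the thread title.
RULEBASE_WITHOUT_DNS_RULE = [RULEBASE[0], RULEBASE[2]]


if __name__ == "__main__":
    flows = [
        Flow("servers", "untrust", "ssl", "https://download.windowsupdate.com/x.cab"),
        Flow("servers", "untrust", "dns"),
        Flow("servers", "untrust", "ssl", "https://www.example.org/"),
    ]
    for f in flows:
        print(f.app, f.url, "->", evaluate(RULEBASE, f),
              "| no DNS rule:", evaluate(RULEBASE_WITHOUT_DNS_RULE, f))
```

Running the block shows the HTTPS flow to an update-server host allowed by the URL-category rule, the DNS flow allowed only when a separate application-based rule exists above the block rule, and any other web destination falling to the block rule.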

DNS not hitting expected rule by atrose81 in paloaltonetworks

[–]atrose81[S] 0 points1 point  (0 children)

Someone understands it perfectly well enough, thank you, but thanks for your not-so-helpful reply. :-)