Use Case: Control Web Access
When using URL filtering to control user website access, there may be instances where granular control is required for a given website. In this use case, a URL filtering policy is applied to the security policy that allows web access for your users and the social-networking URL category is set to block, but the allow list in the URL profile is configured to allow the social networking site Facebook. To further control Facebook, the company policy also states that only marketing has full access to Facebook and all other users within the company can only read Facebook posts and cannot use any other Facebook applications, such as email, posting, chat, and file sharing. To accomplish this requirement, App-ID must be used to provide granular control over Facebook.
The first security rule will allow marketing to access the Facebook website as well as all Facebook applications. Because this allow rule will also allow access to the Internet, threat prevention profiles are applied to the rule, so traffic that matches the policy will be scanned for threats. This is important because the allow rule is terminal and will not continue to check other rules if there is a traffic match.
Control Web Access
Confirm that URL filtering is licensed. Select Device > Licenses and confirm that a valid date appears for the URL filtering database that will used. This will either be PAN-DB or BrightCloud. If a valid license is not installed, see Enable URL Filtering.
Confirm that User-ID is working. User-ID is required to create policies based on users and groups. To check group mapping, from the CLI, enter the following command: show user group-mapping statistics To check user mapping, from the CLI, enter the following command: show user ip-user-mapping-mp all If statistics do not appear and/or IP to user mapping information is not displayed, see User-ID.
Set up a URL filtering profile by cloning the default profile. Select Objects > Security Profiles > URL Filtering and select the default profile. Click the Clone icon. A new profile should appear named default-1. Select the new profile and rename it.
Configure the URL filtering profile to block social-networking and allow Facebook. Modify the new URL filtering profile and in the Category list scroll to social-networking and in the Action column click on allow and change the action to block. In the Allow List box, type, press enter to start a new line and then type * Both of these formats are required, so all URL variants a user may use will be identified, such as,, and
Click OK to save the profile.
Apply the new URL filtering profile to the security policy rule that allows web access from the user network to the Internet. Select Policies > Security and click on the policy rule that allows web access. On the Actions tab, select the URL profile you just created from the URL Filtering drop down.
Click OK to save.
Create the security policy that will allow marketing access the Facebook website and all Facebook applications. This rule must precede other rules because it is more specific than the other policies and because it is an allow rule, which will terminate when a traffic match occurs. Select Policies > Security and click Add. Enter a Name and optionally a Description and Tag (s). On the Source tab add the zone where the users are connected. On the User tab in the Source User section click Add. Select the directory group that contains your marketing users. On the Destination tab, select the zone that is connected to the Internet. On the Applications tab, click Add and add the facebook App-ID signature. On the Actions tab, add the default profiles for Antivirus, Vulnerability Protection, and Anti-Spyware.
Click OK to save the security profile. The facebook App-ID signature used in this policy encompasses all Facebook applications, such as facebook-base, facebook-chat, and facebook-mail, so this is the only App-ID signature required in this rule. With this policy in place, when a marketing employee attempts to access the Facebook website or any Facebook application, the rule matches based on the user being part of the marketing group. For traffic from any user outside of marketing, the rule will be skipped because there would not be a traffic match and rule processing would continue.
Configure the security policy to block all other users from using any Facebook applications, other than simple web browsing. The easiest way to do this is to clone the marketing allow policy and then modify it. From Policies > Security click the marketing Facebook allow policy you created earlier to highlight it and then click the Clone icon. Enter a Name and optionally enter a Description and Tag (‘s). On the User tab highlight the marketing group and delete it and in the drop-down select any. On the Applications tab, click the facebook App-ID signature and delete it. Click Add and add the following App-ID signatures: facebook-apps facebook-chat facebook-file-sharing facebook-mail facebook-posting facebook-social-plugin On the Actions tab in the Action Setting section, select Deny. The profile settings should already be correct because this rule was cloned.
Click OK to save the security profile. Ensure that this new deny rule is listed after the marketing allow rule, to ensure that rule processing occurs in the correct order to allow marketing users and then to deny/limit all other users. Click Commit to save the configuration.
With these policies in place, any user who is part of the marketing group will have full access to all Facebook applications and any user that is not part of the marketing group will only have read-only access to the Facebook website and will not be able to use Facebook functions such as post, chat, email, and file sharing.

Related Documentation