How to Redirect Users to Accept Confirmation on the Public Network
Resolution
Overview
In many companies, users must be aware of and comply with the corporate internet usage policy. When an employee leaves the corporate intranet and enters a public network, the company usually wants to notify the employee. This is because the employee's activities might be monitored and thus must comply with the corporate policy. This document shows how to do this with the Palo Alto Networks firewall.
Details
For this scenario, a custom URL category is used, with the Action "continue" attached to it. The custom URL category contains the default home page, so every new browser session opens to that page (provided the user first opens the web browser). The firewall intercepts this request and holds the traffic until the user reads the notification and clicks Continue.
To achieve this, the domain administrator needs to use a Group Policy Object (GPO) to push the default page to all the machines in the domain, so that all users visit the same default home page.
Steps
- Create a GPO for the Windows domain machines to point to the desired home page.
Go to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > URLs/Important URLs and customize the home page URL. The policy should look similar to the example below:
- On the WebUI, create a custom response page for the URL continue page.
Go to Device > Response Pages > URL Filtering Continue and Override Page and export the Predefined response page by selecting the Export button at the bottom of the window. Make the desired changes to the file and then import it back into the firewall by selecting the Import button at the bottom.
- Create a Custom URL Category, including the default home page that is set up for the domain machines.
Go to Objects > Custom Objects > URL Category. In this example, "paloaltonetworks.com" will be used, and the Custom URL Category will be called "Home_Page", as shown below:
- Create a URL Filtering Profile that will be attached to the Security Policy.
Make sure to set the "continue" Action on the custom category from the previous step (Home_Page) (Objects > Security Profiles > URL Filtering):
- Attach the URL Profile to a security rule (Policies > Security).
During rule creation, select the URL Filtering Profile (created before) under the Actions tab in Profile Setting.
When the Internet Explorer browser is opened, instead of going to the default home page defined by the admin, the request will be redirected to the Palo Alto Networks firewall and the notification configured in step 2 will be displayed. The result in the browser should be similar to the output shown below:
After clicking on Continue, the default web page will be opened again.
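To confirm that steps 3 to 5 are wired together, an exported configuration can be checked offline. The script below is an added example, not part of the original article or any Palo Alto Networks code; it assumes the XML element layout of the constructed sample, the hypothetical profile name Notify_Profile and rule name Outbound_Web, and rules that reference the profile directly rather than through a profile group.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this check reads. The layout is
# an assumption about an exported config; "Notify_Profile" and "Outbound_Web"
# are hypothetical names. "Home_Page" and the URL come from the article.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <profiles>
    <custom-url-category><entry name="Home_Page">
      <list><member>paloaltonetworks.com</member></list>
    </entry></custom-url-category>
    <url-filtering><entry name="Notify_Profile">
      <continue><member>Home_Page</member></continue>
    </entry></url-filtering>
  </profiles>
  <rulebase><security><rules>
    <entry name="Outbound_Web"><profile-setting><profiles>
      <url-filtering><member>Notify_Profile</member></url-filtering>
    </profiles></profile-setting></entry>
    <entry name="Outbound_Other"><action>allow</action></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

def audit_continue_page(config_xml, category, home_page):
    """Return a list of findings; an empty list means steps 3-5 are in place."""
    root = ET.fromstring(config_xml.strip())
    findings = []
    # Step 3: the custom category exists and lists the GPO home page.
    listed = [m.text for m in root.findall(
        f".//custom-url-category/entry[@name='{category}']/list/member")]
    if home_page not in listed:
        findings.append(f"{home_page} is not listed in category {category}")
    # Step 4: URL Filtering profiles whose "continue" action covers the category.
    profiles = {p.get("name")
                for p in root.findall(".//profiles/url-filtering/entry")
                if category in [m.text for m in p.findall("continue/member")]}
    if not profiles:
        findings.append(f"no URL Filtering profile sets continue on {category}")
    # Step 5: at least one security rule references one of those profiles.
    attached = [r.get("name") for r in root.findall(".//security/rules/entry")
                if profiles & {m.text for m in r.findall(
                    "profile-setting/profiles/url-filtering/member")}]
    if profiles and not attached:
        findings.append("profile is not attached to any security rule")
    return findings

if __name__ == "__main__":
    print(audit_continue_page(SAMPLE_CONFIG, "Home_Page", "paloaltonetworks.com"))
```

An empty list means the category, the continue action and the rule attachment all line up; each finding names the step that is missing.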
owner: ialeksov