Palo Alto Networks Knowledgebase: How to Create a Security Policy to Block Selective Flash

How to Create a Security Policy to Block Selective Flash

Created On 02/07/19 23:36 PM - Last Updated 02/07/19 23:36 PM
Resolution

Overview

This document describes how to write a Security Policy that blocks Adobe Flash by default while allowing Flash on certain websites.
Note: This will work unless the domain uses a dynamic IP address. 

 

Steps

  1. Create address objects for example.com and example.org.
    Go to Objects > Address and add the addresses. For each address object, select type FQDN and enter the domain:
    Note: If example.com resolves to three dynamic IPs, then refresh the FQDN (the default refresh is every 30 minutes) accordingly.
     
  2. Create an Address Group.
    Go to Objects > Address Group and add the address objects for example.com and example.org:
     
  3. Go to Policies > Security to create a Security Policy that includes the newly created address group in the Destination Address. Include "Flash" as the application, and then set the action to "allow". Place this Security Policy at the top.
     
  4. Under the Security Policy above, create another Security Policy denying "Flash". It is important that this is the second rule from the top, so that it blocks all other access to Flash.
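The rule order from steps 3 and 4 and the dynamic-IP note can be checked with a simplified model of top-down, first-match evaluation. This is an added example, not Palo Alto Networks code or PAN-OS configuration; the rule names, the IP addresses (documentation ranges) and the fall-through behaviour are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: documentation IP ranges stand in for DNS answers.
FQDN_CACHE = {"example.com": {"192.0.2.10", "192.0.2.11", "192.0.2.12"},
              "example.org": {"198.51.100.20"}}
ADDRESS_GROUP = ["example.com", "example.org"]  # step 2 (group of FQDN objects)

@dataclass
class Rule:
    name: str                     # hypothetical rule name
    application: str
    destinations: Optional[list]  # None means "any"
    action: str

def build_rulebase():
    """Steps 3 and 4: allow rule on top, deny rule directly under it."""
    return [Rule("allow-flash-selected", "flash", ADDRESS_GROUP, "allow"),
            Rule("deny-flash", "flash", None, "deny")]

def evaluate(rules, fqdn_cache, app, dst_ip):
    """Return (rule name, action) of the first rule that matches, top down."""
    for rule in rules:
        if rule.application != app:
            continue
        if rule.destinations is None:
            return rule.name, rule.action
        # FQDN objects match on the IPs they last resolved to, not on the name.
        resolved = set()
        for fqdn in rule.destinations:
            resolved |= fqdn_cache.get(fqdn, set())
        if dst_ip in resolved:
            return rule.name, rule.action
    return "no-match", "deny"  # assumption: no later rule allows this traffic

def demo():
    rules = build_rulebase()
    stale = dict(FQDN_CACHE)                                 # not yet refreshed
    fresh = {**FQDN_CACHE, "example.com": {"203.0.113.77"}}  # after FQDN refresh
    return {
        "allowed_site": evaluate(rules, FQDN_CACHE, "flash", "192.0.2.11"),
        "other_site": evaluate(rules, FQDN_CACHE, "flash", "203.0.113.5"),
        "wrong_order": evaluate(rules[::-1], FQDN_CACHE, "flash", "192.0.2.11"),
        # In both cases below example.com has moved to 203.0.113.77 (constructed).
        "moved_stale_cache": evaluate(rules, stale, "flash", "203.0.113.77"),
        "moved_after_refresh": evaluate(rules, fresh, "flash", "203.0.113.77"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "wrong_order" and "moved_stale_cache" cases both end at the deny rule: the first because the deny rule is evaluated before the allow rule, the second because the allowed site's new address is not yet in the resolved set.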

 

owner: pchanda


