How to achieve a "Deny All" at the end of my URL/Cloud App Policy

Hello community,
As part of a ZIA deployment, we are trying to follow a security model that allows only what we need and blocks everything else (as a more secure approach than blocking certain things and allowing everything else).

The problem that we are facing now is due to the fact that there is an implicit (an invisible) allow all at the end of the URL Filtering/Cloud App Control for ZIA.

That takes me to my question: how can I achieve a security model that allows only what I need and blocks everything else?

How about configuring a URL block policy at the end of the list and enabling “Allow Cascading to URL Filtering” in the advanced settings?

2 Likes

That actually came to my mind, but I did not see an option to select “any” under URL Categories, so I'm not sure how to achieve a “Block All URLs”. Any ideas?

You can simply not select any category and that will treat it as “any”. I just tried this and it seems to work fine. 🙂
Thanks
Kural

3 Likes

Great, thanks KArangasamy for taking the time to assist with this. I don’t have a way to test, so it was helpful.
Much appreciated!!

Hello KArangasamy

I was giving more thought to that solution, and now I have another big concern with it.
Let's say I enable cascading and create a block-all URL filtering rule at the end. So far so good.

Thing is, what would happen with everything that I have allowed under Cloud Apps?

If I want to allow, let's say, Gmail, I go to the Webmail Cloud App and allow Gmail, but because of the cascading, Gmail traffic will be analyzed against the URL Filtering rule set as well, so I will still need to allow Gmail URLs in URL Filtering. Basically, Cloud App Control will lose its purpose entirely for everything that is allowed there, and I will have to “double-allow” everything allowed in Cloud App Control in URL Filtering as well, which in some cases will be difficult (for example Google Drive: what URLs should I allow for that to work?).
Any thoughts?

Yes, that would be a problem. The “Allow Cascading to URL Filtering” advanced setting is enabled when you need to enforce URL filtering policy for the Cloud apps in addition to cloud app policy. Typically this setting is enabled when you want to apply the more restrictive policy, either from the cloud app or URL policy. You’ll need an explicit policy in both places to enable the app. It's more restrictive that way. Without this setting enabled, they work independently and cloud app policy takes precedence. Here is an excerpt from the help text for more context:

"By default, the Cloud App Control policy takes precedence over the URL Filtering policy. If a user requests a Cloud App that you explicitly allow with Cloud App Control policy, the service only applies the Cloud App Control policy and not the URL Filtering policy. For example, if you have a Cloud App Control policy rule that allows viewing Facebook, but a URL Filtering policy rule that blocks www.facebook.com, a user will still be allowed to view Facebook. This is because, by default, the service does not apply the URL Filtering policy if a Cloud App Control policy rule allows the transaction.

However, this behavior changes if you enable Allow Cascading to URL Filtering in Advanced Settings. If you do, the service applies the URL Filtering policy even if it applies a Cloud App Control policy rule allowing the transaction. Therefore in the example above, with cascading enabled, the service will apply the URL Filtering policy and block the user from Facebook. If the example changed so that you had a Cloud Control Policy rule that blocked Facebook, while URL Filtering allowed it, Facebook would be blocked even if Allow Cascading to URL Filtering was enabled. If a user requests a Cloud App for which you have not configured a Cloud App Control policy rule (for example, the user requests eBay.com, and you don’t have a Cloud App Control rule for eBay.com), the service still evaluates and applies the URL Filtering policy."
HTH.

Thanks
Kural

2 Likes
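
The precedence rules from the quoted help text, written out as a small decision model. This is an added example, not part of the thread and not Zscaler code or API; the rule shapes, category labels and function names are assumptions. It shows why a final block-all URL rule combined with cascading forces the "double allow" discussed above.

```python
# Simplified model of the precedence rules in the quoted help text.
# Not Zscaler code or API: rule shapes and category labels are assumptions.
ALLOW, BLOCK = "ALLOW", "BLOCK"

def url_filtering(url_rules, category):
    """First matching rule wins; an empty category set matches any category
    (as reported in the thread). No match falls to the implicit allow."""
    for categories, action in url_rules:
        if not categories or category in categories:
            return action
    return ALLOW

def evaluate(app, category, cloud_app_rules, url_rules, cascading):
    """Return the final action for one request.
    app is the Cloud App name, or None if the request matches no Cloud App."""
    app_action = cloud_app_rules.get(app)
    if app_action == BLOCK:
        return BLOCK                      # a Cloud App block always wins
    if app_action == ALLOW and not cascading:
        return ALLOW                      # URL Filtering is not applied
    return url_filtering(url_rules, category)

# Constructed policy: allow Gmail as a Cloud App, allow one URL category,
# then a final URL rule with no category selected acting as "block all".
CLOUD_APP_RULES = {"Gmail": ALLOW}
URL_RULES = [({"Professional Services"}, ALLOW), (set(), BLOCK)]

def scenarios(cascading):
    """Evaluate three constructed requests under the policy above."""
    requests = [("Gmail", "Web-based Email"),
                (None, "Professional Services"),
                (None, "Shopping")]
    return [evaluate(a, c, CLOUD_APP_RULES, URL_RULES, cascading)
            for a, c in requests]

if __name__ == "__main__":
    print("cascading off:", scenarios(False))
    print("cascading on: ", scenarios(True))
```

In this model, leaving cascading off keeps the Gmail allow effective while the final URL rule still blocks requests that match no Cloud App rule. The model only restates the quoted help text, so the same three requests are worth replaying against a test policy in the tenant.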