Follow these steps to configure URL Filtering profiles and settings that meet your organization’s business and security needs.
- Create a URL Filtering profile.SelectandObjectsSecurity ProfilesURL FilteringAddor modify a URL Filtering profile.
- Define site access for each URL category.SelectCategoriesand set the Site Access for each URL category:
- allowtraffic destined for that URL category; allowed traffic is not logged.
- Selectalertto have visibility into sites that users are accessing. Traffic matching that category is allowed but a URL filtering log is generated to record when a user accesses a site in that category.
- Selectblockto deny access to traffic that matches that category and to enable logging of the blocked traffic.
- Selectcontinueto display a page to users with a warning and require them to clickContinueto proceed to a site in that category.
- To only allow access if users provide a configured password, selectoverride. For more details, see Allow Password Access to Certain Sites.
- Configure the URL Filtering profile to detect corporate credential submissions to websites that are in allowed URL categories.To ensure the best performance and a low false positive rate, the firewall automatically skips checking the credential submissions for any App-ID™ associated with sites that have never been observed hosting malware or phishing content—even if you enable checks in the corresponding category. The list of sites for which the firewall skips credential checking is automatically updated through Applications and Threats content updates.
- SelectUser Credential Detection.
- Select one of the methods to check for corporate credential submissions to web pages from theUser Credential Detectiondrop-down:
This method is prone to false positives in environments that do not have uniquely structured usernames, so you should only use this method to protect your high-value user accounts.
- Use IP User Mapping—Checks for valid corporate username submissions and verifies that the username matches the user logged in to the source IP address of the session. The firewall matches the submitted username against its IP address-to-username mapping table. You can use any of the user mapping methods described in Map IP Addresses to Users.
- Use Domain Credential Filter—Checks for valid corporate usernames and password submissions and verifies that the username maps to the IP address of the logged-in user. See Configure Credential Detection with the Windows-based User-ID Agent for instructions on how to set up User-ID to enable this method.
- Use Group Mapping—Checks for valid username submissions based on the user-to-group mapping table populated when you configure the firewall to map users to groups.With group mapping, you can apply credential detection toanypart of the directory or to a specific group, such as groups like IT that have access to your most sensitive applications.
- Set theValid Username Detected Log Severitythat the firewall uses to log detection of corporate credential submissions (default is medium).
- Allow or block users from submitting corporate credentials to sites based on URL category to prevent credential phishing.To ensure the best performance and a low false positive rate, the firewall automatically skips checking the credential submissions for any App-ID associated with sites that have never been observed hosting malware or phishing content—even if you enable checks in the corresponding category. The list of sites for which the firewall skips credential checking is automatically updated through Applications and Threats content updates.
- For each URL category to which you allowSite Access, select how you want to treatUser Credential Submissions:
- alert—Allow users to submit credentials to the website but generate a URL filtering alert log each time a user submits credentials to sites in this URL category.
- allow(default)—Allow users to submit credentials to the website.
- Configure the URL Filtering profile to detect corporate credential submissions to websites in allowed URL categories.
- Define URL category exceptions to specify websites that should always be blocked or allowed, regardless of URL category.For example, to reduce URL filtering logs, you may want to add your corporate websites to the allow list so that no logs are generated for those sites or, if there is a website that is being overly used and is not work-related, you can add that site to the block list.The policy actions configured for custom URL categories have priority enforcement over matching URLs in external dynamic lists.Traffic to websites in the block list is always blocked regardless of the action for the associated category and traffic to URLs in the allow list is always allowed.For more information on the proper format and wildcard usage, review the URL Category Exception Guidelines.
- Enable Safe Search Enforcement.
- Log only the page a user visits for URL filtering events.
- SelectURL Filtering Settingsand enableLog container page only(default) so that the firewall logs only the main page that matches the category, not subsequent pages or categories that load within the container page.
- To enable logging for all pages and categories, disable theLog container page onlyoption.
- Enable HTTP Header Logging for one or more of the supported HTTP header fields.SelectURL Filtering Settingsand select one or more of the following fields to log:
- Save the URL Filtering profile.ClickOK.
- Apply the URL Filtering profile to Security policy rules that allow traffic from clients in the trust zone to the Internet.Make sure theSource Zonein the Security policy rules to which you add URL Filtering profiles is set to a protected internal network.
- Select. Then, select a Security policy rule to modify.PoliciesSecurity
- On theActionstab, edit the Profile Setting.
- ForProfile Type, selectProfiles. A list of profiles appears.
- ForURL Filteringprofile, select the profile you just created.
- ClickOKto save your changes.
- Committhe configuration.
- (Best Practice) EnableHold client request for category lookupto block client requests while the firewall performs URL category lookups.
- SelectHold client request for category lookup.
- Commityour changes.
- Set the amount of time, in seconds, before a URL category lookup times out.
- Select.DeviceSetupContent-IDgear icon
- Enter a number forCategory lookup timeout (sec).
- Commityour changes.
Recommended For You
Recommended videos not found.