Focus

Advanced URL Filtering

Prisma Access

Table of Contents

Prisma Access

If you’re using Panorama to manage Prisma Access:

Toggle over to the PAN-OS
tab and follow the guidance there.

If you’re using Prisma Access Cloud Management, continue here.

URL filtering is also sometimes called URL Access Management
in Prisma Access cloud mangaement.

Check that your Prisma Access subscription covers Advanced URL Filtering.

Go to Manage > Service Setup > Overview > Licenses to confirm what’s included with your subscription.

Explore the URL Access Management Dashboard.

Go to

Manage

Configuration

Security Services

URL Access Management

Move between the

Access Control

Settings

, and

Best Practices

tabs to explore the available URL filtering features.

Review and customize General URL Filtering Settings.

On the dashboard, go to

Settings

to see the default URL Filtering settings that apply across your Prisma Access environment, including:

URL Filtering timeout and lookup settings

URL Filtering overrides for certain admins

URL Filtering response pages

Remote Browser Isolation (RBI) settings

Automatically append end tokens to URLs in an EDL or a custom URL category

If you use URLs in custom URL categories or external dynamic lists (EDLs) and do not append an ending token, it is possible to allow more URLs than you intended. For example, entering example.com as a matching URL instead of example.com/ would also match example.com.website.info or example.com.br.Prisma Access can automatically set an ending token to URLs in EDLs or custom URL categories so that, if you enter example.com, Prisma Access treats it as it would treat example.com/ and only match that URL.

Go to

Settings

General Settings

and enable the option to

Append End Token to Entries

You can customize these settings for each deployment type (mobile users, remote networks, or service connections).

Create a URL Access Management profile.

On the URL Access Management dashboard,

Add Profile

and continue to specify web access settings:

Access Control

displays the URL categories and lists for which you can define web access and usage policy. By default, the

Site Access

and

User Credential Submission

permissions for all categories are set to

Allow

For each URL category, configure

User Credential Detection

so that users can submit credentials only to sites in specified URL categories.

Enable

Safe Search Enforcement

to enforce strict safe search filtering.

Enable

Log Container Page Only

to log only those URLs that match the content type that is specified.

Enabling

HTTP Header Logging

provides visibility into the attributes in the HTTP request sent to a server.

Use the

Advanced URL Inline Categorization

to enable and configure real-time web page analysis and manage URL exceptions.

Enable local Inline Categorization

—Enables real-time analysis of URL traffic using machine learning models, to detect and prevent malicious phishing variants and JavaScript exploits from entering your network.

Enable cloud Inline Categorization

—Enables real-time analysis of URLs by forwarding suspicious web page contents to the cloud for supplemental analysis, using machine learning based detectors that complement the analysis engines used by local inline ML.

You can define URL

Exceptions

for specific web sites to exclude from inline machine learning actions.

Note that:

Best practice checks are built-in to the profile to give you a live evaluation of your configuration.

After you’ve finished enabling a profile, you can examine profile usage to see if any security policy rules are referencing the profile.

Apply the URL Access Management profile to a Security policy rule.

A URL Access Management profile is only active when it’s included in a profile group that a Security policy rule references.

Follow the steps to activate a URL Access Management profile (and any Security profile). Be sure to

Push Config