URL Filtering Profiles
Where can I use
this? | What do I need? |
---|---|
|
|
URL Filtering profiles define how the firewall
handles traffic to specific URL categories. A URL Filtering profile
is a collection of URL filtering controls that you can apply to individual
Security policy rules that allow access to the internet. You can
set site access for URL categories, allow or disallow user credential
submissions, enable safe search enforcement, and various other settings.
To enforce the actions you define in a URL Filtering profile, you
need to apply profiles to Security policy rules. The firewall enforces
the profile actions on traffic that matches the Security policy
rule (for details, see Configure URL Filtering).
The firewall comes with a default profile that
blocks threat-prone categories, such as malware, phishing, and adult.
You can use the default profile in a Security policy rule, clone
it to be used as a starting point for new URL filtering profiles,
or add a new URL Filtering profile. You can then customize the newly-added
URL profiles and add lists of specific websites that should always
be blocked or allowed. For example, you may want to block social-networking
sites, but allow some websites that are part of the social-networking category.
By default, site access for all URL categories is set to allow when
you create
a basic URL Filtering profile. This means that the users
will be able to browse to all sites freely and the traffic is not
logged.
Learn more about configuring a best practice URL Filtering profile to
ensure protection against URLs that have been observed hosting malware
or exploitative content.
URL Filtering Profile Policy Actions
Actions
In a URL Filtering profile you can define
Site
Access
for URL categories, allow or disallow User
Credential Submissions
based on URL category (for example,
you can block user credential submissions to medium and high-risk
sites), and enable safe search
enforcement.Action | Description |
---|---|
Site Access | |
alert | The website is allowed and a log entry is
generated in the URL filtering log. Set alert as
the Action for categories of traffic you don’t block to log and
provide visibility into the traffic. |
allow | The website is allowed and no log entry
is generated. Don’t set allow as
the Action for categories of traffic you don’t block because you
lose visibility into traffic you don’t log. Instead, set alert as
the Action for categories of traffic you don’t block to log and
provide visibility into the traffic. |
block | The website is blocked and the user will
see a response page and will not be able to continue to the website.
A log entry is generated in the URL filtering log. Blocking
site access for a URL category also sets User Credential Submissions
for that URL category to block. |
continue | The user will be prompted with a response
page indicating that the site has been blocked due to company policy,
but the user is prompted with the option to continue to the website.
The continue action is typically used for
categories that are considered benign and is used to improve the
user experience by giving them the option to continue if they feel
the site is incorrectly categorized. The response page message can
be customized to contain details specific to your company. A log
entry is generated in the URL filtering log.The Continue
page doesn’t display properly on client systems configured to use
a proxy server. |
override | The user will see a response page indicating
that a password is required to allow access to websites in the given category.
With this option, the security admin or help desk person would provide
a password granting temporary access to all websites in the given
category. A log entry is generated in the URL filtering log. See Allow Password Access to Certain Sites. In
earlier release versions, URL Filtering category overrides had priority
enforcement ahead of custom URL categories. As part of the upgrade
to PAN-OS 9.0, URL category overrides are converted to custom URL
categories, and no longer receive priority enforcement over other
custom URL categories. Instead of the action you defined for the
category override in previous release versions, the new custom URL
category is enforced by the Security policy rule with the strictest
URL Filtering profile action. From most strict to least strict,
possible URL Filtering profile actions are: block, override, continue,
alert, and allow. This means that, if you had URL category
overrides with the action allow, there’s a possibility the overrides
might be blocked after they are converted to custom URL category
in PAN-OS 9.0. The Override page doesn’t display properly
on client systems configured to use a proxy server. |
none | The none action only
applies to custom URL categories. Select none to
ensure that if multiple URL profiles exist, the custom category
will not have any impact on other profiles. For example, if you
have two URL profiles and the custom URL category is set to block in
one profile, if you do not want the block action to apply to the
other profile, you must set the action to none .Also,
in order to delete a custom URL category, it must be set to none in
any profile where it is used. |
User Credential Permissions These
settings require you to first set
up credential phishing prevention. | |
alert | Allow users to submit corporate credentials
to sites in this URL category, but generate a URL Filtering alert
log each time this occurs. |
allow (default) | Allow users to submit corporate credentials
to websites in this URL category. |
block | Block users from submitting corporate credentials
to websites in this category. A default anti-phishing response page
is displayed to users when they access sites to which corporate
credential submissions are blocked. You can customize the block
page that displays. |
continue | Display a response page to users that prompts
them to select Continue to access to access the site. By default,
the Anti Phishing Continue Page is shown to user when they access
sites to which credential submissions are discouraged. You can customize the response
page to warn users against phishing attempts or reusing their
credentials on other websites, for example. |
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.