Advanced URL Filtering
URL Filtering Profiles
Define website access for URL categories and configure user credential submission and
safe search enforcement settings.
URL Filtering profiles define how the firewall handles traffic to specific
URL categories. A URL Filtering profile is a collection of URL filtering controls that
you apply to individual Security policy rules that allow access to the internet. You can
configure site access for URL categories, allow or disallow user credential submissions,
enable safe search enforcement, and various other settings. To enforce the actions
defined in a URL Filtering profile, apply the profile to Security policy rules. The
firewall enforces the profile actions on traffic that matches the Security policy rule
(for details, see Configure URL Filtering).
The firewall comes with a default profile that blocks threat-prone
categories, such as malware, phishing, and adult. You can use the default profile in a
Security policy rule, clone it to be used as a starting point for new URL Filtering
profiles, or add a new URL Filtering profile. You can customize newly-added URL
Filtering profiles and add lists of specific websites that should
always be blocked or allowed. For example, you can block the social-networking category
but allow access to specific websites in that category. By default, site access for all
URL categories is set to allow when you create a basic URL
Filtering profile. This means that users will be able to browse to all sites
freely and the traffic is not logged.
Create a best practice URL Filtering profile to
ensure protection against URLs that have been observed hosting malware or
exploitative content.
URL Filtering Profile Actions
In a URL Filtering profile, you can define Site Access for URL
categories, allow or disallow User Credential Submissions
based on URL category (for example, you can block user credential submissions to
medium and high-risk sites), and enable safe search
enforcement.
| Action | Description |
|---|---|
| Site Access | |
| alert | The website is allowed and a log entry is generated in the URL filtering log. Set alert as the Action for categories of traffic you don’t block to log and provide visibility into the traffic. |
| allow | The website is allowed and no log entry is generated. Don’t set allow as the Action for categories of traffic you don’t block because you lose visibility into traffic you don’t log. Instead, set alert as the Action for categories of traffic you don’t block to log and provide visibility into the traffic. |
| block | The website is blocked and the user will see a response page and will not be able to continue to the website. A log entry is generated in the URL filtering log. Blocking site access for a URL category also sets User Credential Submissions for that URL category to block. |
| continue | The user will be prompted with a response page indicating that the site has been blocked due to company policy, but the user is prompted with the option to continue to the website. The continue action is typically used for categories that are considered benign and is used to improve the user experience by giving them the option to continue if they feel the site is incorrectly categorized. The response page message can be customized to contain details specific to your company. A log entry is generated in the URL filtering log. The Continue page doesn’t display properly on client systems configured to use a proxy server. |
| override | The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security admin or help desk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL filtering log. See Allow Password Access to Certain Sites. In earlier release versions, URL Filtering category overrides had priority enforcement ahead of custom URL categories. As part of the upgrade to PAN-OS 9.0, URL category overrides are converted to custom URL categories, and no longer receive priority enforcement over other custom URL categories. Instead of the action you defined for the category override in previous release versions, the new custom URL category is enforced by the Security policy rule with the strictest URL Filtering profile action. From most strict to least strict, possible URL Filtering profile actions are: block, override, continue, alert, and allow. This means that, if you had URL category overrides with the action allow, there’s a possibility the overrides might be blocked after they are converted to custom URL categories in PAN-OS 9.0. The Override page doesn’t display properly on client systems configured to use a proxy server. |
| none | The none action only applies to custom URL categories. Select none to ensure that if multiple URL profiles exist, the custom category will not have any impact on other profiles. For example, if you have two URL profiles and the custom URL category is set to block in one profile, if you do not want the block action to apply to the other profile, you must set the action to none. Also, in order to delete a custom URL category, it must be set to none in any profile where it is used. |
| User Credential Permissions | These settings require you to first set up credential phishing prevention. |
| alert | Allow users to submit corporate credentials to sites in this URL category, but generate a URL Filtering alert log each time this occurs. |
| allow (default) | Allow users to submit corporate credentials to websites in this URL category. |
| block | Block users from submitting corporate credentials to websites in this category. A default anti-phishing response page is displayed to users when they access sites to which corporate credential submissions are blocked. You can customize the block page that displays. |
| continue | Display a response page to users that prompts them to select Continue to access the site. By default, the Anti Phishing Continue Page is shown to users when they access sites to which credential submissions are discouraged. You can customize the response page to warn users against phishing attempts or reusing their credentials on other websites, for example. |
For categories that you alert on, instead of block, you can strictly control how
users interact with site content. For example, give users access to the resources
they need (like developer blogs for research purposes or cloud storage services),
but take the following precautions to reduce exposure to web-based threats:
- Follow the Anti-Spyware, Vulnerability Protection, and File Blocking best practices. A protective measure would be to block downloads of dangerous file types and obfuscated JavaScript for sites that you're alerting on.
- Target decryption based on URL category. A good start would be to decrypt high-risk and medium-risk sites.
- Display a response page to users when they visit high-risk and medium-risk sites. Alert them that the site they are attempting to access is potentially malicious, and advise them on how to take precautions if they decide to continue to the site.
- Prevent credential phishing by blocking users from submitting their corporate credentials to sites including those that are high-risk and medium-risk.
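The following is an added example, not code from the product or its documentation: a small Python audit that applies the strictness order from the override row (showing why a converted allow override can end up blocked) and flags the settings this page advises against. The profile layout and the custom category names are hypothetical, and the sketch assumes a URL matching several custom categories receives the strictest of their actions.

```python
# Added example: PROFILE is a constructed, simplified layout, not the PAN-OS
# configuration format. Custom category names are hypothetical.

# Strictness order stated on this page, most strict first.
STRICTNESS = ["block", "override", "continue", "alert", "allow"]

def effective_action(profile, matched_custom):
    """Strictest action among matched custom categories; None if all are 'none'."""
    actions = [profile["site_access"].get(c, "none") for c in matched_custom]
    actions = [a for a in actions if a != "none"]  # 'none' has no impact
    return min(actions, key=STRICTNESS.index) if actions else None

def credential_action(profile, category):
    """Blocking site access also sets credential submissions to block."""
    if profile["site_access"].get(category, "allow") == "block":
        return "block"
    return profile["credential_submission"].get(category, "allow")

def audit(profile, risky=("high-risk", "medium-risk")):
    """Return findings for the settings this page advises against."""
    findings = []
    for cat, action in sorted(profile["site_access"].items()):
        if action == "allow":
            findings.append(f"{cat}: site access 'allow' is not logged; use 'alert'")
    for cat in risky:
        if credential_action(profile, cat) != "block":
            findings.append(f"{cat}: credential submission is not blocked")
    return findings

# Constructed sample profile.
PROFILE = {
    "site_access": {
        "malware": "block",
        "high-risk": "alert",
        "medium-risk": "continue",
        "legacy-override": "allow",    # hypothetical converted override
        "custom-blocklist": "block",   # hypothetical custom category
        "unused-custom": "none",       # hypothetical custom category
    },
    "credential_submission": {"high-risk": "block", "medium-risk": "alert"},
}

if __name__ == "__main__":
    # A URL in both custom categories is blocked despite the 'allow' override.
    print(effective_action(PROFILE, ["legacy-override", "custom-blocklist"]))
    for finding in audit(PROFILE):
        print(finding)
```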