Focus

Advanced URL Filtering

Prisma Access

Table of Contents

Prisma Access

If you’re using Panorama to manage Prisma Access:

Toggle over to the PAN-OS
tab and follow the guidance there.

If you’re using Prisma Access Cloud Management, continue here.

Go to the URL Access Management dashboard.

Select

Manage

Configuration

Security Services

URL Access Management

Select

Settings

Create a URL admin override password.

Go to URL Admin Overrides, and

Add URL Admin Overrides

(Optional) Select a

Mode

for prompting users for the password:

Transparent

—The password prompt appears to originate from the original destination URL. The firewall intercepts the browser traffic destined for sites in a URL category set to override and issues an HTTP 302 to prompt for the password, which applies on a per-vsys level.

Redirect

—The password prompt appears from an

Address

(IP address or DNS hostname) that you specify. The firewall intercepts HTTP or HTTPS traffic to a URL category set to override and uses an HTTP 302 redirect to send the request to a Layer 3 interface on the firewall.

Enter a

Password

, then enter it again to

Confirm Password

(Optional) Select an

SSL/TLS Service Profile

You can create and manage SSL/TLS service profiles by clicking

Create New

and

Manage

, respectively.

Save

your changes.

(Optional) Set the duration of override access and password lockouts.

By default, users can access websites in categories for which they have successfully entered an override password for 15 minutes. After the default or custom interval passes, users must re-enter the password.

By default, users are blocked for 30 minutes after three failed password attempts. After the user is locked out for the default or custom duration, they can try to access the websites again.

Customize the General Settings.

For

URL Admin Override Timeout

, enter a value (in minutes) from 1 to 86,400.

For

URL Admin Lockout Timeout

, enter a value (in minutes) from 1 to 86,400.

Save

your changes.

Specify the URL categories that require password access.

On the URL Access Management dashboard, under the

Access Control

tab, go to URL Access Management Profiles and modify or

Add Profile

Under Access Control, select the categories that require password access.

With all the categories selected, click

Set Access

and then select

Override

You should see that Site Access for the highlighted categories now say

override

Save

your changes.

Apply the URL Access Management profile to a Security policy rule.

A URL Access Management profile is only active when it’s included in a profile group that a Security policy rule references.

Follow the steps to activate a URL Access Management profile (and any Security profile). Be sure to

Push Config

when you are done.