Transition URL Filtering Profiles Safely to Best Practices

Apply URL Filtering profiles to allow rules to protect against risky websites and content without risking application availability.
Use the following guidance to help determine whether to start with block or alert actions as you define the initial URL Filtering profiles and begin the transition to best practice profiles. Apply URL Filtering files to internet traffic (do not apply URL Filtering profiles to internal traffic).
URL Filtering requires a subscription to the PAN-DB URL filtering database.
  • The pre-defined URL categories are very accurate, so it’s safe to implement URL Filtering profiles with category actions configured according to your company policy for allowing or denying access to different types of sites.
  • Block known-bad URL categories from the start, including malware, command-and-control, copyright-infringement, extremism, phishing, and proxy-avoidance-and-anonymizers.
  • For the unknown (sites PAN-DB has not yet identified), dynamic-dns (these sites are often used to deliver malware payloads or command-and-control traffic), parked (often used for credential phishing), and newly-registered-domains (often used for malicious activity) URL categories, it’s best to alert initially so you can monitor the URL Filtering logs (
    Monitor
    Logs
    URL Filtering
    ) in case legitimate websites trigger alerts before you move to the best practice of blocking these categories.
  • Configure the security-focused high-risk and medium-risk based URL categories to alert (this is the default action). Monitor the URL Filtering logs to see if you want to allow access to the sites these categories control, if you want to block these categories completely, or if you want to allow access to some sites and block the rest.
When you have the initial profiles in place, monitor the URL Filtering logs for enough time to gain confidence you understand whether any business-critical sites will be blocked if you transition from alerting to blocking and to best practice URL Filtering profiles. If you believe a given URL isn’t categorized correctly, request URL recategorization to have the URL placed in the correct category.

Related Documentation