Transition URL Filtering Profiles Safely to Best Practices
Apply URL Filtering profiles to allow rules to protect
against risky websites and content without risking application availability.
Use the following guidance to help determine
whether to start with block or alert actions as you define the initial
URL Filtering profiles and begin the transition to best practice
profiles. Apply URL Filtering files to internet traffic (do not apply
URL Filtering profiles to internal traffic).
URL Filtering requires a subscription to the PAN-DB URL filtering
The pre-defined URL categories are very accurate, so
it’s safe to implement URL Filtering profiles with category actions
configured according to your company policy for allowing or denying
access to different types of sites.
Block known-bad URL categories from the start, including
malware, command-and-control, copyright-infringement, extremism,
phishing, and proxy-avoidance-and-anonymizers.
For the URL categories dynamic-dns (these sites are often
used to deliver malware payloads or command-and-control traffic),
unknown (sites PAN-DB has not yet identified), parked (often used
for credential phishing), grayware (malicious or questionable),
and newly-registered-domain (often used for malicious activity),
it’s best to alert initially so you can monitor the URL Filtering
) in case legitimate
websites trigger alerts before you move to the best practice of blocking
Configure the security-focused high-risk
and medium-risk based URL categories to alert (this is the default
action). Monitor the URL Filtering logs to see if you want to allow
access to the sites these categories control, if you want to block
these categories completely, or if you want to allow access to some
sites and block the rest.
When you have the initial profiles in place, monitor the URL
Filtering logs for enough time to gain confidence you understand
whether any business-critical sites will be blocked if you transition
from alerting to blocking and to best practice URL Filtering
profiles. If you believe a given URL isn’t categorized correctly, request URL recategorization to
have the URL placed in the correct category.