Transition URL Filtering Profiles Safely to Best Practices


Apply URL Filtering profiles to allow rules to protect against risky websites and content without risking application availability.
The following guidance helps you determine whether to start with block or alert actions as you define the initial URL Filtering profiles and begin the transition to best practice profiles. Apply URL Filtering profiles to internet traffic only (do not apply URL Filtering profiles to internal traffic).
You must enable decryption to take advantage of URL Filtering because you must decrypt traffic to reveal the exact URL so the firewall can take the appropriate action. At the least, decrypt high- and medium-risk traffic.
Advanced URL Filtering requires a subscription.
  • The predefined URL categories are accurate, so it’s safe to implement URL Filtering profiles with category actions configured according to your company policy for allowing or denying access to different types of websites.
  • Block Site Access and User Credential Submission from the start for known-bad URL categories, including: malware, command-and-control, copyright-infringement, extremism, phishing, ransomware, dynamic-dns, hacking (but make exceptions for internal penetration testers), and proxy-avoidance-and-anonymizers.
  • For the URL categories unknown (sites PAN-DB has not yet identified), parked (often used for credential phishing), grayware (malicious or questionable), and newly-registered-domain (often used for malicious activity), alert initially so you can monitor the URL Filtering logs (Monitor > Logs > URL Filtering) for legitimate websites that trigger alerts before you move to the best practice of blocking these categories.
  • Set all other URL categories to alert to generate logs for the traffic. The firewall doesn't log traffic when access is set to allow. Monitor the URL Filtering logs to see if you want to block any other categories.
    You can combine the high-risk, medium-risk, and low-risk categories with other categories to determine what traffic to allow, block, and decrypt. For example, you could block access to all websites that are both high-risk and financial-services. Or if your firewall needs to conserve resources, you could decrypt all high-risk and medium-risk traffic for some categories and not decrypt low-risk traffic for those categories.
When you have the initial profiles in place, monitor the URL Filtering logs for enough time to gain confidence that you understand whether any business-critical sites will be blocked if you transition from alerting to blocking and to best practices URL Filtering profiles. If you believe a given URL isn’t categorized correctly, request URL recategorization to have the URL placed in the correct category. The speed of your transition to best practices profiles depends on your business, applications, and comfort level.
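The following is an added example that is not Palo Alto Networks code or configuration. It models the guidance above in Python: it builds the initial profile (known-bad categories blocked, the four "alert initially" categories and everything else on alert, nothing on allow because allowed traffic is not logged), validates a profile against those rules, and replays URL Filtering log records to list the sites that are only alerted on today but would start being blocked once the alert-initially categories move to block. The category names come from this page; the function names, the CSV column layout, and the log rows themselves are assumptions constructed for the example, not an exported firewall log.

```python
"""Model the URL Filtering transition described on this page.

Added example, not Palo Alto Networks code. It keeps an explicit
category -> action map for the initial profile, checks it against the
known-bad list that must be blocked from the start, and replays
constructed URL Filtering log records to list which sites would start
being blocked once the 'alert initially' categories move to 'block'.
"""
import csv
import io
from collections import defaultdict

# Categories the page says to block (site access and credential submission) from day one.
KNOWN_BAD = {
    "malware", "command-and-control", "copyright-infringement", "extremism",
    "phishing", "ransomware", "dynamic-dns", "hacking",
    "proxy-avoidance-and-anonymizers",
}

# Categories the page says to alert on first, then block after monitoring the logs.
ALERT_THEN_BLOCK = {"unknown", "parked", "grayware", "newly-registered-domain"}


def initial_profile(other_categories):
    """Build the starting profile: known-bad blocked, transition set and all other
    categories on alert. Nothing is set to 'allow', because allowed traffic is not logged."""
    profile = {c: "block" for c in KNOWN_BAD}
    profile.update({c: "alert" for c in ALERT_THEN_BLOCK})
    for c in other_categories:
        profile.setdefault(c, "alert")
    return profile


def best_practice_profile(profile):
    """The target profile: the alert-initially categories flip to block, the rest is unchanged."""
    return {c: ("block" if c in ALERT_THEN_BLOCK else a) for c, a in profile.items()}


def validate(profile):
    """Return a list of policy violations: known-bad categories that are not blocked,
    or any category set to allow (which would produce no URL Filtering log entry)."""
    problems = []
    for c in sorted(KNOWN_BAD):
        if profile.get(c) != "block":
            problems.append(f"{c} must be block, is {profile.get(c)}")
    for c, a in profile.items():
        if a == "allow":
            problems.append(f"{c} is allow: traffic would not be logged")
    return problems


def transition_impact(log_csv, profile):
    """Replay log records against the current and target profiles.
    Returns {category: sorted URLs} for traffic that is alerted on now but would be
    blocked after the transition, so it can be reviewed (or recategorized) first."""
    target = best_practice_profile(profile)
    impacted = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_csv)):
        cat = row["category"]
        if profile.get(cat) == "alert" and target.get(cat) == "block":
            impacted[cat].add(row["url"])
    return {c: sorted(u) for c, u in impacted.items()}


# Constructed sample rows in a simplified exported-log shape (assumed columns, not real data).
SAMPLE_LOG = """receive_time,src_user,url,category,action
2024-05-01 09:12:03,alice,partner-portal.example/login,unknown,alert
2024-05-01 09:13:41,bob,cdn.example.net/assets/app.js,content-delivery-networks,alert
2024-05-01 09:15:22,carol,fresh-site.example,newly-registered-domain,alert
2024-05-01 09:16:10,alice,partner-portal.example/api,unknown,alert
2024-05-01 09:20:55,dave,bad.example,malware,block-url
"""

if __name__ == "__main__":
    prof = initial_profile(["content-delivery-networks", "financial-services"])
    print("violations:", validate(prof))
    for cat, urls in transition_impact(SAMPLE_LOG, prof).items():
        print(f"{cat}: would start blocking {', '.join(urls)}")
```

Running the script lists partner-portal.example under the unknown category, which is exactly the kind of business-critical site the page says to find in the logs and submit for recategorization before switching that category to block.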