Gain visibility into web activity on your network to
inform your URL filtering policy requirements.
To first deploy URL filtering in your network,
we recommend that you start with a basic setup that’ll give you
visibility into web activity patterns while blocking confirmed malicious
content:
Start with a (mostly) passive URL Filtering profile that alerts on most categories. This gives you visibility into the sites your users are accessing, so you can decide what you want to allow, limit, and block.
Block the URL categories that are known to be bad: malware, command-and-control, and phishing.
Because alerting on all web activity generates a large volume of logs, you might decide to do this only while you are initially deploying URL Filtering. At that time, you can also reduce URL Filtering log volume by enabling the Log container page only option in the URL Filtering profile, so that only the main page that matches a category is logged, not the subsequent pages and categories loaded within the container page.
At any time, you can use Test A Site to see how PAN-DB (the URL Filtering cloud database) categorizes a specific URL, and to learn about all possible URL categories. You can also use Test A Site to submit a change request if you disagree with how a specific URL is categorized.
Create a passive URL Filtering profile that alerts on most categories, so you have visibility into web traffic while known-bad categories stay blocked.
Select Objects > Security Profiles > URL Filtering.
Select the default profile and then click Clone. The new profile will be named default-1.
Select the default-1 profile and rename it. For example, rename it to URL-Monitoring.
Configure the action for all categories to alert, except for malware, command-and-control, and phishing, which should remain blocked.
In the section that lists all URL categories, select all categories and then de-select malware, command-and-control, and phishing. Mouse over the right of the Action column heading, select the down arrow, then select Set Selected Actions and choose alert.
Block access to known dangerous URL categories: malware, phishing, dynamic-dns, unknown, command-and-control, extremism, copyright-infringement, proxy-avoidance-and-anonymizers, newly-registered-domain, grayware, and parked.
Note that the unknown category covers sites that PAN-DB has not yet categorized, so it can include legitimate internal or niche sites. Review the URL Filtering logs for hits in this category and use Test A Site to request categorization where a blocked site is legitimate.
Click OK to save the profile.
Apply the URL Filtering profile to the Security policy rule(s) that allow web traffic for users.
Select Policies > Security and select the appropriate Security policy rule to modify it.
Select the Actions tab and, in the Profile Setting section, click the URL Filtering drop-down and select the new profile. Click OK to save.
Save the configuration by clicking Commit.
View the URL Filtering logs to see all of the website categories that your users are accessing. The categories you’ve set to block are also logged. For information on viewing the logs and generating reports, see Monitor Web Activity.
Select Monitor > Logs > URL Filtering.
A log entry is created for any website that exists in the URL Filtering database and is in a category set to any action other than allow. URL Filtering reports (Monitor > Reports) give you a view of web activity in a 24-hour period.
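To turn the alert logs into an allow/limit/block decision, it helps to aggregate them by category and action. The following added Python example (not Palo Alto Networks code) does that over a constructed log sample: it ranks the categories users trigger most often on alert, and lists the hosts that were blocked under unknown so they can be reviewed. The sample uses a reduced set of columns; a real export from Monitor > Logs > URL Filtering has many more fields, so map the column names (here receive_time, src_user, url, category, action) to your export before use.

```python
"""Summarize URL Filtering log entries by category and action.

Added example, not Palo Alto Networks code. SAMPLE_LOG is constructed with a
reduced column set; a real CSV export has many more fields. Action values
(alert, block-url) mirror those seen in URL Filtering logs but are assumed.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample log (not real firewall output).
SAMPLE_LOG = """receive_time,src_user,url,category,action
2024/05/01 09:01:12,corp\\alice,news.example.com/,business-and-economy,alert
2024/05/01 09:01:13,corp\\alice,cdn.example.net/static/app.js,content-delivery-networks,alert
2024/05/01 09:02:40,corp\\bob,dev-blog.example.org/post/1,personal-sites-and-blogs,alert
2024/05/01 09:03:05,corp\\bob,login.example-bank.test/,financial-services,alert
2024/05/01 09:04:51,corp\\carol,x7d2k.example-ddns.test/,dynamic-dns,block-url
2024/05/01 09:05:00,corp\\carol,intranet-tools.example.internal/,unknown,block-url
2024/05/01 09:06:22,corp\\alice,totally-legit-login.test/,phishing,block-url
2024/05/01 09:07:10,corp\\bob,dev-blog.example.org/post/2,personal-sites-and-blogs,alert
"""


def parse_log(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows):
    """Return {category: Counter(action -> hits)}."""
    summary = defaultdict(Counter)
    for row in rows:
        summary[row["category"]][row["action"]] += 1
    return summary


def top_alerted(summary, n=5):
    """Categories most often seen on alert: the candidates to allow, limit or
    block when the passive profile is tightened. Ties break alphabetically."""
    counts = {c: acts["alert"] for c, acts in summary.items() if acts["alert"]}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def review_unknown(rows):
    """Hosts that hit the unknown category. PAN-DB has not categorized them,
    so check for legitimate internal or niche sites before keeping the block."""
    return sorted({row["url"].split("/", 1)[0]
                   for row in rows if row["category"] == "unknown"})


def blocked_by_category(summary):
    """Hits per category for any block action, to confirm the block list fires."""
    return {c: sum(v for a, v in acts.items() if a.startswith("block"))
            for c, acts in summary.items()
            if any(a.startswith("block") for a in acts)}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    summary = summarize(rows)
    print("top alerted:", top_alerted(summary))
    print("blocked:", blocked_by_category(summary))
    print("unknown hosts to review:", review_unknown(rows))
```

On the sample, personal-sites-and-blogs is the most-alerted category, the three block-list categories each fire once, and one internal host appears under unknown, which is exactly the kind of entry to check before leaving unknown on block.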
Next Steps:
PAN-DB categorizes every URL with up to four categories, and every URL has a risk category (high, medium, or low). While high- and medium-risk sites are not confirmed malicious, they are closely associated with malicious sites: for example, they might be on the same domain as malicious sites, or they might have hosted malicious content until very recently. For everything that you do not explicitly allow or block, you can use risk categories to write simple policy based on website safety.
You can take precautionary measures to limit your users’ interaction with high-risk sites especially, as there might be cases where you want to give your users access to sites that also present safety concerns (for example, you might want to allow your developers to use developer blogs for research, yet blogs are a category known to commonly host malware).
Pair URL Filtering with User-ID to control web access based on organization or department, and to block corporate credential submissions to unsanctioned sites.
URL Filtering prevents credential theft by detecting corporate credential submissions to sites based on the site category: block users from submitting credentials to malicious and untrusted sites, warn users against entering corporate credentials on unknown sites or reusing corporate credentials on non-corporate sites, and explicitly allow users to submit credentials to corporate sites.
Add or update a Security policy rule with the passive URL Filtering profile so that it applies to a department user group, for example, Marketing or Engineering (Policies > Security > User).
Monitor the department’s activity, and get feedback from department members to understand the web resources that are essential to the work they do.
Consider all the ways you can use URL Filtering to reduce your attack surface and to control web usage. For example, if you’re a school, you can use URL Filtering to enforce strict safe search settings, where search engines filter out adult images and videos from search results. Or, if you have a security operations center, you might give threat analysts password-protected access to compromised or dangerous sites for research, access that you might not otherwise want to open up to entire organizations or teams.