URL Filtering Best Practices
Focus
Focus
Advanced URL Filtering

URL Filtering Best Practices

Table of Contents

URL Filtering Best Practices

Best practices for configuring URL filtering to protect against web-based threats and monitor and control the web activity of your users.
Where can I use this?
What do I need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
Notes:
  • Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
  • Prisma Access
    usually include
    Advanced URL Filtering
    capabilities.
Palo Alto Networks URL filtering solution protects you from web-based threats, and gives you a simple way to monitor and control web activity. To get the most out of your URL filtering deployment, you should start by creating allow rules for the applications you rely on to do business. Then, review the URL categories that classify malicious and exploitive content—we recommend that you block these outright. Then, for everything else, these best practices can guide you how to reduce your exposure to web-based threats, without limiting your users’ access to web content that they need.
  • Before you get started, identify the applications you want to allow and create application allow rules as part of building a best practice internet gateway security policy.
    Allowed applications include not only the applications you provision and administer for business and infrastructure purposes, but also the applications that your users need to get their jobs done and applications you might want to allow for personal use.
    After you’ve identified these sanctioned applications, you can use URL filtering to control and secure all the web activity that is not on the allow list.
  • Get visibility in to your users web activity so you can plan the most effective URL filtering policy for your organization. This includes:
    • Using Test A Site to see how PAN-DB—the Palo Alto Networks URL filtering cloud database—categorizes a specific URL, and to learn about all possible URL categories.
    • Starting with a (mostly) passive URL Filtering profile that alerts on URL categories. This gives you visibility into the sites your users are accessing, so you can decide what you want to allow, limit, and block.
    • Monitoring web activity to assess the sites your users are accessing and see how they align with your business needs.
  • Block URL categories that classify malicious and exploitive web content. While we know that these categories are dangerous, always keep in mind that the URL categories that you decide to block might depend on your business needs.
  • Use URL categories to phase-in decryption, and to exclude sensitive or personal information (like financial-services and health-and-medicine) from decryption.
    Plan to decrypt the riskiest traffic first (URL categories most likely to harbor malicious traffic, such as gaming or high-risk) and then decrypt more as you gain experience. Alternatively, decrypt the URL categories that don’t affect your business first (if something goes wrong, it won’t affect business), for example, news feeds. In both cases, decrypt a few URL categories, listen to user feedback, run reports to ensure that decryption is working as expected, and then gradually decrypt a few more URL categories, and so on. Plan to make to exclude sites from decryption if you can’t decrypt them for technical reasons or because you choose not to decrypt them.
    Targeting decryption based on URL categories is also a Decryption best practice.
  • Prevent credential theft by enabling the firewall to detect corporate credential submissions to sites, and then control those submissions based on URL category. Block users from submitting credentials to malicious and untrusted sites, warn users against entering corporate credentials on unknown sites or reusing corporate credentials on non-corporate sites, and explicitly allow users to submit credentials to corporate and sanctioned sites.
  • Block malicious variants of JavaScript exploits and phishing attacks in real-time. Enabling local inline categorization allows you to dynamically analyze web pages using machine learning on the firewall.
  • Configure inline categorization to enable inline deep learning, ML-based detection engines to analyze suspicious web page content and protect users against zero-day web attacks. Cloud inline categorization is capable of detecting and preventing advanced and targeted phishing attacks, and other web-based attacks that use advanced evasion techniques such as cloaking, multi-step attacks, CAPTCHA challenges, and previously unseen one-time-use URLs.
  • Decrypt, inspect, and strictly limit how users interact with high-risk and medium-risk content (if you decided not to block any of the malicious URL categories for business reasons, you should strictly limit how users interact with those categories).
    The web content that you sanction and the malicious URL categories that you block outright are just one portion of your overall web traffic. The rest of the content your users are accessing is a combination of benign (low-risk) and risky content (high-risk and medium-risk). High-risk and medium-risk content is not confirmed malicious but is closely associated with malicious sites. For example, a high-risk URL might be on the same domain as a malicious site or may have hosted malicious content in the past.
    However, many sites that pose a risk to your organization also provide valuable resources and services to your users (cloud storage services are a good example). While these resources and services are necessary for business, they are also more likely to be used as part of a cyberattack. Here’s how to control how users interact with this potentially-dangerous content, while still providing them a good user experience:
    • In a URL Filtering profile, set the high-risk and medium-risk categories to
      continue
      to display a response page that warns users they’re visiting a potentially-dangerous site. Advise them how to take precautions if they decide to continue to the site. If you don’t want to prompt users with a response page, alert on the high-risk and medium-risk categories instead.
    • Decrypt high-risk and medium-risk sites.
    • Follow the Anti-Spyware, Vulnerability Protection, and File Blocking best practices for high-risk and medium-risk sites. A protective measure would be to block downloads of dangerous file types and blocking obfuscated JavaScript.
    • Stop credential theft by blocking users from submitting their corporate credentials to high-risk and medium-risk sites.
  • Schools or educational institutions should use safe search enforcement to make sure that search engines filter out adult images and videos from search results.
  • Hold initial web requests during URL category lookup.
    When a user visits a website,
    Advanced URL Filtering
    checks cached URL categories to categorize the site. If it doesn’t find the URL’s category in the cache, it performs a lookup in PAN-DB, the Palo Alto Networks URL database. By default, the user’s web request is allowed during this cloud lookup.
    But when you choose to hold web requests, you can instead block the request until
    Advanced URL Filtering
    either finds the URL category or times out. If the lookup times out, the firewall considers the URL category not-resolved. Find this feature in your URL Filtering settings,
    Hold client request for category lookup
    .

Recommended For You