Network Security
Configure URL Filtering (PAN-OS & Panorama)
Follow these steps to configure URL Filtering profiles
and settings that meet your organization’s business and security
needs.
After you plan your URL filtering deployment, you should have a basic understanding
of the types of websites your users are accessing. Use this information to create a
URL Filtering profile that defines how the firewall handles traffic to specific URL
categories. You can also restrict the sites to which users can submit corporate
credentials or enforce strict safe search. To activate these settings, apply the URL
Filtering profile to Security rules that allow web access.
See Advanced URL Filtering: Configure URL Filtering for detailed steps.
- Create a URL Filtering profile.
  If you didn’t already, configure a best practice URL Filtering profile to ensure protection against URLs hosting malware or exploitive content.
  Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
- Define site access for each URL category.
  Select Categories and set the Site Access for each URL category.
- Configure the URL Filtering profile to detect corporate credential submissions to websites that are in allowed URL categories.
  To ensure the best performance and a low false positive rate, the firewall automatically skips checking the credential submissions for any App-ID™ associated with sites that have never been observed hosting malware or phishing content, even if you enable checks in the corresponding category. The list of sites for which the firewall skips credential checking is automatically updated through Applications and Threats content updates.
- Configure the URL Filtering profile to detect phishing and malicious JavaScript in real-time using local inline categorization.
- Allow or block users from submitting corporate credentials to sites based on URL category to prevent credential phishing.
- Define URL category exceptions to specify websites that should always be blocked or allowed, regardless of URL category.
  For example, to reduce URL filtering logs, you may want to add your corporate websites to the allow list so that no logs are generated for those sites or, if there is a website that is being overly used and is not work-related, you can add that site to the block list.
  The policy actions configured for custom URL categories have priority enforcement over matching URLs in external dynamic lists.
  Traffic to websites in the block list is always blocked regardless of the action for the associated category and traffic to URLs in the allow list is always allowed.
  For more information on the proper format and wildcard usage, review the URL Category Exception Guidelines.
- Enable Safe Search Enforcement.
- Log only the page a user visits for URL filtering events.
- Enable HTTP Header Logging for one or more of the supported HTTP header fields.
- Save the URL Filtering profile.
- Apply the URL Filtering profile to Security rules that allow traffic from clients in the trust zone to the internet.
  Make sure the Source Zone in the Security policy rules to which you add URL Filtering profiles is set to a protected internal network.
- Commit the configuration.
- Test your URL filtering configuration.
- (Best Practice) Enable Hold client request for category lookup to block client requests while the firewall performs URL category lookups.
- Set the amount of time, in seconds, before a URL category lookup times out.
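The precedence described in the URL category exception step (exception lists override the category action, and custom URL category actions override external dynamic list matches) can be turned into expected results for the test step. The following Python model is an added example, not Palo Alto Networks code: the policy dictionary, hostnames, function names and observation tuples are constructed, matching is by exact hostname only, and ranking an external dynamic list match above the predefined category is an assumption.

```python
# Added illustration: a simplified model, not PAN-OS code. Matching is by exact
# hostname only; wildcard rules from the exception guidelines are not modelled.
from urllib.parse import urlsplit

# Constructed desired-state policy (hosts and actions are sample values).
POLICY = {
    "block_list": {"videos.example.net"},
    "allow_list": {"intranet.example.com"},
    "edl": {"intranet.example.com": "block", "ads.example.org": "block"},
    "category_action": {"streaming-media": "alert", "malware": "block"},
}

def host_of(url):
    """Lower-cased hostname of a URL; a scheme-less URL is accepted too."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def expected_action(policy, url, category):
    """Return (action, reason) following the precedence described above."""
    host = host_of(url)
    if host in policy["block_list"] and host in policy["allow_list"]:
        # The page defines no winner for this case, so report it instead.
        return "conflict", "on both exception lists"
    if host in policy["block_list"]:
        return "block", "block list"
    if host in policy["allow_list"]:
        return "allow", "allow list"
    if host in policy["edl"]:  # assumption: EDL outranks the predefined category
        return policy["edl"][host], "external dynamic list"
    # A category with no Site Access in this model is reported as undefined.
    return policy["category_action"].get(category, "undefined"), "category " + category

def audit(policy, observations):
    """Compare observed test results with the model; return the mismatches."""
    mismatches = []
    for url, category, observed in observations:
        action, reason = expected_action(policy, url, category)
        if action != observed:
            mismatches.append((url, observed, action, reason))
    return mismatches

# Constructed test observations: (URL requested, category, action seen).
OBSERVED = [
    ("https://videos.example.net/watch", "streaming-media", "block"),
    ("https://intranet.example.com/", "business-and-economy", "block"),
    ("http://ads.example.org/banner", "business-and-economy", "block"),
    ("https://news.example.org", "streaming-media", "alert"),
]
```

Each mismatch returned by `audit` names the rule the model expected to decide the request, which points at the exception list, external dynamic list or category setting to review.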