Security Profile: URL Filtering

Use URL filtering profiles to not only control access to web content, but also to control how users interact with web content.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Managed)
  • Prisma Access (Panorama Managed)
What Do I Need?
  • Check for any license or role requirements for the products you're using.
URL Filtering profiles let you monitor and control how users access the web over HTTP and HTTPS by defining how your configuration handles traffic to specific URL categories. A URL Filtering profile is a collection of URL filtering controls that you can apply to individual Security rules that allow access to the internet. You can set site access for URL categories, allow or disallow user credential submissions, enable safe search enforcement, and various other settings. To enforce the actions you define in a URL Filtering profile, you need to apply profiles to Security rules. A default profile is configured to block websites such as known malware sites, phishing sites, and adult content sites. You can use the default profile in a Security policy, clone it to be used as a starting point for new URL filtering profiles, or add a new URL profile that will have all categories set to allow for visibility into the traffic on your network. You can then customize the newly added URL profiles and add lists of specific websites that should always be blocked or allowed, which provides more granular control over URL categories.

Configure URL Filtering

Cloud Managed

After you plan your URL filtering deployment, you should have a basic understanding of the types of websites your users are accessing. Use this information to create a URL Filtering profile that defines how the firewall handles traffic to specific URL categories. You can also restrict the sites to which users can submit corporate credentials or enforce strict safe search. To activate these settings, apply the URL Filtering profile to Security rules that allow web access.
Follow these steps to configure URL Filtering profiles and settings that meet your organization’s business and security needs. See Advanced URL Filtering: Configure URL Filtering for detailed steps.
  1. Go to Manage > Configuration > NGFW and Prisma Access > Security Services > URL Access Management.
  2. Review and customize General URL Filtering Settings.
    Automatically append end tokens to URLs in an EDL or a custom URL category
    If you use URLs in custom URL categories or external dynamic lists (EDLs) and do not append an ending token, it is possible to allow more URLs than you intended. For example, entering example.com as a matching URL instead of example.com/ would also match example.com.website.info or example.com.br. Prisma Access can automatically set an ending token to URLs in EDLs or custom URL categories so that, if you enter example.com, Prisma Access treats it as it would treat example.com/ and matches only that URL.
    Go to Settings > General Settings and enable the option to Append End Token to Entries.
  3. Create a URL Access Management profile.
  4. Apply the URL Access Management profile to a Security rule.
    A URL Access Management profile is only active when it’s included in a profile group that a Security policy rule references. Follow the steps to activate a URL Access Management profile (and any Security profile).
  5. Select Save and Push Config.
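
The end-token behavior described in step 2 can be checked against your own lists before you enable the setting. The following Python sketch is an added example, not Palo Alto Networks code: it uses a simplified model of the matching behavior this page describes (host-only entries, no wildcards), and the function names and sample data are constructed for illustration.

```python
# Added example: simplified model of the matching behaviour described above,
# not the product's matching engine. Assumes host-only entries without wildcards.

def has_end_token(entry: str) -> bool:
    """An entry is terminated when it ends with the "/" end token."""
    return entry.strip().endswith("/")

def matches(entry: str, host: str) -> bool:
    """True if `host` matches a host-only list entry under the simplified model."""
    entry, host = entry.strip().lower(), host.strip().lower()
    if has_end_token(entry):
        return host == entry[:-1]            # terminated: exact host only
    # Unterminated: the entry also matches longer hosts that continue after a dot.
    return host == entry or host.startswith(entry + ".")

def audit(entries, observed_hosts):
    """Map each unterminated entry to hosts it matches only because the token is missing."""
    findings = {}
    for entry in entries:
        if has_end_token(entry):
            continue
        findings[entry] = [h for h in observed_hosts
                           if matches(entry, h) and not matches(entry + "/", h)]
    return findings

def append_end_tokens(entries):
    """Return the list as it is treated once every entry carries an end token."""
    return [e if has_end_token(e) else e.strip() + "/" for e in entries]

# Constructed sample data: an allow list and hosts seen in URL filtering logs.
ALLOW_LIST = ["example.com", "intranet.example.org/"]
OBSERVED = ["example.com", "example.com.website.info", "example.com.br",
            "intranet.example.org", "intranet.example.org.invalid"]

if __name__ == "__main__":
    for entry, extra in audit(ALLOW_LIST, OBSERVED).items():
        print(f"{entry!r} lacks an end token; also matches: {extra or 'nothing observed'}")
    print("terminated list:", append_end_tokens(ALLOW_LIST))
```

Running the audit over an exported allow list and the hosts seen in your URL filtering logs shows which entries are currently matching more than the site you meant to list.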

PAN-OS & Panorama

After you plan your URL filtering deployment, you should have a basic understanding of the types of websites your users are accessing. Use this information to create a URL Filtering profile that defines how the firewall handles traffic to specific URL categories. You can also restrict the sites to which users can submit corporate credentials or enforce strict safe search. To activate these settings, apply the URL Filtering profile to Security rules that allow web access.
Follow these steps to configure URL Filtering profiles and settings that meet your organization’s business and security needs. See Advanced URL Filtering: Configure URL Filtering for detailed steps.
  1. Create a URL Filtering profile.
    If you didn’t already, configure a best practice URL Filtering profile to ensure protection against URLs hosting malware or exploitive content.
    Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
  2. Define site access for each URL category.
    Select Categories and set the Site Access for each URL category.
  3. Configure the URL Filtering profile to detect corporate credential submissions to websites that are in allowed URL categories.
    To ensure the best performance and a low false positive rate, the firewall automatically skips checking the credential submissions for any App-ID™ associated with sites that have never been observed hosting malware or phishing content—even if you enable checks in the corresponding category. The list of sites for which the firewall skips credential checking is automatically updated through Applications and Threats content updates.
  4. Configure the URL Filtering profile to detect phishing and malicious JavaScript in real-time using local inline categorization.
  5. Allow or block users from submitting corporate credentials to sites based on URL category to prevent credential phishing.
    To ensure the best performance and a low false positive rate, the firewall automatically skips checking the credential submissions for any App-ID associated with sites that have never been observed hosting malware or phishing content—even if you enable checks in the corresponding category. The list of sites for which the firewall skips credential checking is automatically updated through Applications and Threats content updates.
  6. Define URL category exceptions to specify websites that should always be blocked or allowed, regardless of URL category.
    For example, to reduce URL filtering logs, you may want to add your corporate websites to the allow list so that no logs are generated for those sites. Or, if a website that is not work-related is being used excessively, you can add that site to the block list.
    The policy actions configured for custom URL categories have priority enforcement over matching URLs in external dynamic lists.
    Traffic to websites in the block list is always blocked regardless of the action for the associated category and traffic to URLs in the allow list is always allowed.
    For more information on the proper format and wildcard usage, review the URL Category Exception Guidelines.
  7. Enable Safe Search Enforcement.
  8. Log only the page a user visits for URL filtering events.
  9. Enable HTTP Header Logging for one or more of the supported HTTP header fields.
  10. Save the URL Filtering profile.
  11. Apply the URL Filtering profile to Security rules that allow traffic from clients in the trust zone to the internet.
    Make sure the Source Zone in the Security policy rules to which you add URL Filtering profiles is set to a protected internal network.
  12. Commit the configuration.
  13. Test your URL filtering configuration.
  14. (Best Practice) Enable Hold client request for category lookup to block client requests while the firewall performs URL category lookups.
  15. Set the amount of time, in seconds, before a URL category lookup times out.
