URL Filtering Best Practices

• Before you get started, identify the applications you want to allow and create application allow rules as part of building a best practice internet gateway security policy.
  Allowed applications include not only the applications you provision and administer for business and infrastructure purposes, but also the applications that your users need to get their jobs done and applications you might want to allow for personal use.
  After you’ve identified these sanctioned applications, you can use URL filtering to control and secure all the web activity that is not on the allow list.
• Get visibility in to your users web activity so you can plan the most effective URL filtering policy for your organization, and roll it out smoothly. This includes:
  • Using Test A Site to see how PAN-DB—the Palo Alto Networks URL filtering cloud database—categorizes a specific URL, and to learn about all possible URL categories.
  • Starting with a (mostly) passive URL filtering profile that alerts on URL categories. This gives you visibility into the sites your users are accessing, so you can decide what you want to allow, limit, and block.
  • Monitoring web activity to assess the sites your users are accessing and see how they align with your business needs.
• Block URL categories that classify malicious and exploitive web content. While we know that these categories are dangerous, always keep in mind that the URL categories that you decide to block might depend on your business needs.
• Use URL categories to phase-in decryption, and to exclude sensitive or personal information (like financial-services and health-and-medicine) from decryption.
  Plan to decrypt the riskiest traffic first (URL Categories most likely to harbor malicious traffic, such as gaming or high-risk) and then decrypt more as you gain experience. Alternatively, decrypt the URL Categories that don’t affect your business first (if something goes wrong, it won’t affect business), for example, news feeds. In both cases, decrypt a few URL Categories, listen to user feedback, run reports to ensure that decryption is working as expected, and then gradually decrypt a few more URL Categories, and so on. Plan to make decryption exclusions to exclude sites from decryption if you can’t decrypt them for technical reasons or because you choose not to decrypt them.
  Targeting decryption based on URL categories is also a Decryption best practice.
• Prevent credential theft by enabling the firewall to detect corporate credential submissions to sites, and then control those submissions based on URL category. Block users from submitting credentials to malicious and untrusted sites, warn users against entering corporate credentials on unknown sites or reusing corporate credentials on non-corporate sites, and explicitly allow users to submit credentials to corporate and sanctioned sites.
• Block malicious variants of JavaScript exploits and phishing attacks in real-time. Enabling URL Filtering Inline ML allows you to dynamically analyze web pages using machine learning on the firewall.
• Decrypt, inspect, and strictly limit how users interact with high-risk and medium-risk content (if you decided not to block any of the Malicious URL Categories for business reasons, you should also strictly limit how users interact with those categories).
  The web content that you sanction and the malicious URL categories that you block outright are just one portion of your overall web traffic. The rest of the content your users are accessing is a combination of benign (low-risk) and risky content (high-risk and medium-risk). High-risk and medium-risk content is not confirmed malicious but is closely associated with malicious sites. For example, a high-risk URL might be on the same domain as a malicious site, or maybe it hosted malicious content in the past.
  However, many sites that pose a risk to your organization also provide valuable resources and services to your users (cloud storage services are a good example). While these resources and services are necessary for business, they are also more likely to be used as part of a cyberattack. Here’s how to control how users interact with this potentially-dangerous content, while still providing them a good user experience:
  • In a URL Filtering profile, set the high-risk and medium-risk categories to continue to display a response page that warns users they’re visiting a potentially-dangerous site. Advise them how to take precautions if they decide to continue to the site. If you don’t want to prompt users with a response page, alert on the high-risk and medium-risk categories instead.
  • Decrypt decrypt high-risk and medium-risk sites.
  • Follow the Anti-Spyware, Vulnerability Protection, and File Blocking best practices for high-risk and medium-risk sites. A protective measure would be to block downloads of dangerous file types and blocking obfuscated JavaScript.
  • Stop credential theft by blocking users from submitting their corporate credentials to high-risk and medium-risk sites.
• Schools or educational institutions should use safe search enforcement to make sure that search engines filter out adult images and videos from search results. You can even transparently enable safe search for users.
• Enable the firewall to hold an initial web request as it looks up a website’s URL category with PAN-DB.
  When a user visits a website, a firewall with Advanced URL Filtering (or legacy URL Filtering) enabled checks its local cache of URL categories to categorize the site. If the firewall doesn’t find the URL’s category in the cache, it performs a lookup in PAN-DB, the Palo Alto Networks URL database. By default, the firewall allows the user’s web request during this cloud lookup and enforces policy when the server responds.
  But when you choose to hold web requests, the firewall blocks the request until it either finds the URL category or times out. If the lookup times out, the firewall considers the URL category not-resolved.
  1. In DeviceSetupContent-ID, check the box for
     Hold client request for category lookup.