URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize web traffic into one or more (from approximately 60) categories. You can then create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. The following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them to security policies to enforce a basic URL filtering policy.
Download the seed database and activate the license.
To download the seed database, click
in the PAN-DB URL Filtering section of the Licenses page.
Choose a region (North America, Europe, APAC, Japan) and then click
to start the download.
After the download completes, click
Create a URL filtering profile.
Because the default URL filtering profile blocks risky and threat-prone content, clone this profile when creating a new profile in order to preserve the default settings.
Objects > Security Profiles > URL Filtering.
Select the default profile and then click
Clone. The new profile will be named default-1.
Select the new profile and rename it.
Define how to control access to web content.
If you are not sure what traffic you want to control, consider setting the categories (except for those blocked by default) to alert. You can then use the visibility tools on the firewall, such as the ACC and App Scope, to determine which web categories to restrict to specific groups or to block entirely. You can then go back and modify the profile to block and allow categories as desired.
You can also define specific sites to always allow or always block regardless of category and enable the safe search option to filter search results when defining the
URL Filtering profile.
For each category that you want visibility into or control over, select a value from the
column as follows:
If you do not care about traffic to a particular category (that is you neither want to block it nor log it), select
For visibility into traffic to sites in a category, select
To present a response page to users attempting to access a particular category to alert them to the fact that the content they are accessing might not be work appropriate, select
To prevent access to traffic that matches the associated policy, select
(this also generates a log entry).
to save the URL filtering profile.
Attach the URL filtering profile to a security policy.
Policies > Security.
Select the desired policy to modify it and then click the
If this is the first time you are defining a security profile, select
list, select the profile you just created from the
drop-down. (If you don’t see drop-downs for selecting profiles, select
to save the profile.
Network > Network Profiles > Interface Mgmt
and then select an interface profile to edit or click
to create a new profile.
Response Pages, as well as any other management services required on the interface.
to save the interface management profile.
Network > Interfaces
and select the interface to which to attach the profile.
Advanced > Other Info
tab, select the interface management profile you just created.
to save the interface settings.
Save the configuration.
Test the URL filtering configuration.
Access a client PC in the trust zone of the firewall and attempt to access a site in a blocked category. Make sure URL filtering is applied based on the action you defined in the URL filtering profile:
If you selected
as the action, check the data filtering log to make sure you see a log entry for the request.
If you selected the
action, the URL Filtering Continue and Override Page response page should display.
to the site.
If you selected
as the action, the URL Filtering and Category Match Block Page response page should display as follows: