URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize web traffic into one or more (from approximately 60) categories. You can then create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. The following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them to security policies to enforce a basic URL filtering policy.
Configure URL Filtering
Confirm license information for URL Filtering. Obtain and install a URL Filtering license. See Activate Licenses and Subscriptions for details. Select Device > Licenses and verify that the URL Filtering license is valid.
Download the seed database and activate the license. To download the seed database, click Download next to Download Status in the PAN-DB URL Filtering section of the Licenses page. Choose a region (North America, Europe, APAC, Japan) and then click OK to start the download. After the download completes, click Activate.
Create a URL filtering profile. Because the default URL filtering profile blocks risky and threat-prone content, clone this profile when creating a new profile in order to preserve the default settings. Select Objects > Security Profiles > URL Filtering. Select the default profile and then click Clone. The new profile will be named default-1. Select the new profile and rename it.
Define how to control access to web content. If you are not sure what traffic you want to control, consider setting the categories (except for those blocked by default) to alert. You can then use the visibility tools on the firewall, such as the ACC and App Scope, to determine which web categories to restrict to specific groups or to block entirely. You can then go back and modify the profile to block and allow categories as desired. You can also define specific sites to always allow or always block regardless of category and enable the safe search option to filter search results when defining the URL Filtering profile. For each category that you want visibility into or control over, select a value from the Action column as follows: If you do not care about traffic to a particular category (that is you neither want to block it nor log it), select allow. For visibility into traffic to sites in a category, select alert. To present a response page to users attempting to access a particular category to alert them to the fact that the content they are accessing might not be work appropriate, select continue. To prevent access to traffic that matches the associated policy, select block (this also generates a log entry).
Click OK to save the URL filtering profile.
Attach the URL filtering profile to a security policy. Select Policies > Security. Select the desired policy to modify it and then click the Actions tab. If this is the first time you are defining a security profile, select Profiles from the Profile Type drop-down. In the Profile Settings list, select the profile you just created from the URL Filtering drop-down. (If you don’t see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.) Click OK to save the profile. Commit the configuration.
Enable response pages in the management profile for each interface on which you are filtering web traffic. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click Add to create a new profile. Select Response Pages, as well as any other management services required on the interface. Click OK to save the interface management profile. Select Network > Interfaces and select the interface to which to attach the profile. On the Advanced > Other Info tab, select the interface management profile you just created. Click OK to save the interface settings.
Save the configuration. Click Commit.
Test the URL filtering configuration. Access a client PC in the trust zone of the firewall and attempt to access a site in a blocked category. Make sure URL filtering is applied based on the action you defined in the URL filtering profile: If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request. If you selected the continue action, the URL Filtering Continue and Override Page response page should display. Continue to the site. If you selected block as the action, the URL Filtering and Category Match Block Page response page should display as follows:

Related Documentation