End-of-Life (EoL)

Control Access to Web Content

URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize web traffic into one or more (from approximately 60) categories. You can then create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. The following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them to security policies to enforce a basic URL filtering policy.
  1. Confirm license information for URL Filtering.
    1. Obtain and install a URL Filtering license. See Activate Licenses and Subscriptions for details.
    2. Select Device > Licenses and verify that the URL Filtering license is valid.
  2. Download the seed database and activate the license.
    1. To download the seed database, click Download next to Download Status in the PAN-DB URL Filtering section of the Licenses page.
    2. Choose a region (North America, Europe, APAC, Japan) and then click OK to start the download.
    3. After the download completes, click Activate.
  3. Create a URL filtering profile.
    Because the default URL filtering profile blocks risky and threat-prone content, clone this profile when creating a new profile in order to preserve the default settings.
    1. Select Objects > Security Profiles > URL Filtering.
    2. Select the default profile and then click Clone. The new profile will be named default-1.
    3. Select the new profile and rename it.
  4. Define how to control access to web content.
    If you are not sure what traffic you want to control, consider setting the categories (except for those blocked by default) to alert. You can then use the visibility tools on the firewall, such as the ACC and App Scope, to determine which web categories to restrict to specific groups or to block entirely. You can then go back and modify the profile to block and allow categories as desired.
    You can also define specific sites to always allow or always block regardless of category and enable the safe search option to filter search results when defining the URL Filtering profile.
    1. For each category that you want visibility into or control over, select a value from the Action column as follows:
      • If you do not care about traffic to a particular category (that is, you neither want to block it nor log it), select allow.
      • For visibility into traffic to sites in a category, select alert.
      • To present a response page to users attempting to access a particular category to alert them to the fact that the content they are accessing might not be work appropriate, select continue.
      • To prevent access to traffic that matches the associated policy, select block (this also generates a log entry).
    2. Click OK to save the URL filtering profile.
  5. Attach the URL filtering profile to a security policy.
    1. Select Policies > Security.
    2. Select the desired policy to modify it and then click the Actions tab.
    3. If this is the first time you are defining a security profile, select Profiles from the Profile Type drop-down.
    4. In the Profile Settings list, select the profile you just created from the URL Filtering drop-down. (If you don’t see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.)
    5. Click OK to save the profile.
    6. Commit the configuration.
  6. Enable response pages in the management profile for each interface on which you are filtering web traffic.
    1. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click Add to create a new profile.
    2. Select Response Pages, as well as any other management services required on the interface.
    3. Click OK to save the interface management profile.
    4. Select Network > Interfaces and select the interface to which to attach the profile.
    5. On the Advanced > Other Info tab, select the interface management profile you just created.
    6. Click OK to save the interface settings.
  7. Save the configuration.
    Click Commit.
  8. Test the URL filtering configuration.
    Access a client PC in the trust zone of the firewall and attempt to access a site in a blocked category. Make sure URL filtering is applied based on the action you defined in the URL filtering profile:
    • If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request.
    • If you selected the continue action, the URL Filtering Continue and Override Page response page should display. Continue to the site.
    • If you selected block as the action, the URL Filtering and Category Match Block Page response page should display.
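An offline check of steps 5 and 6 against an exported configuration, added here as an example (it is not part of the original documentation or a vendor tool): it reports allow rules with no URL filtering profile attached, and web-facing interfaces whose management profile lacks response pages while an attached profile uses continue or block. The XML element paths, the audit function and the names in the sample (corp-web, trust-out, guest-out, trust-mgmt, ethernet1/2) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on an exported configuration; the element paths
# are assumptions to confirm against a real export before relying on this.
SAMPLE = """<config><network>
 <profiles><interface-management-profile>
  <entry name="trust-mgmt"><ping>yes</ping></entry>
 </interface-management-profile></profiles>
 <interface><ethernet><entry name="ethernet1/2"><layer3>
  <interface-management-profile>trust-mgmt</interface-management-profile>
 </layer3></entry></ethernet></interface></network>
 <vsys><entry name="vsys1">
 <profiles><url-filtering><entry name="corp-web">
  <alert><member>news</member></alert><block><member>malware</member></block>
  <continue><member>social-networking</member></continue>
 </entry></url-filtering></profiles>
 <rulebase><security><rules>
  <entry name="trust-out"><action>allow</action><profile-setting><profiles>
   <url-filtering><member>corp-web</member></url-filtering>
  </profiles></profile-setting></entry>
  <entry name="guest-out"><action>allow</action></entry>
 </rules></security></rulebase></entry></vsys></config>"""

def audit(xml_text, web_interfaces):
    """Return findings for steps 5 and 6: profile attached, response pages on."""
    root, findings, page_needed = ET.fromstring(xml_text), [], False
    # Profile name -> True when a category uses continue or block (needs a response page).
    needs_page = {p.get("name"): any(p.find(a + "/member") is not None
                                     for a in ("continue", "block"))
                  for p in root.findall(".//profiles/url-filtering/entry")}
    for rule in root.findall(".//security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue
        name = rule.findtext("profile-setting/profiles/url-filtering/member")
        if name is None:
            findings.append(f"rule {rule.get('name')}: no URL filtering profile attached")
        elif name not in needs_page:
            findings.append(f"rule {rule.get('name')}: profile {name} not in this export")
        else:
            page_needed = page_needed or needs_page[name]
    # Management profiles that have response pages switched on (step 6).
    enabled = {m.get("name") for m in root.findall(".//interface-management-profile/entry")
               if m.findtext("response-pages") == "yes"}
    for iface in root.findall(".//ethernet/entry"):
        mgmt = iface.findtext("layer3/interface-management-profile")
        if page_needed and iface.get("name") in web_interfaces and mgmt not in enabled:
            findings.append(f"interface {iface.get('name')}: response pages not enabled")
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE, {"ethernet1/2"}), sep="\n")
```

Pass the set of interfaces on which web traffic is filtered as the second argument; a rule that references a predefined profile absent from the export is reported as "not in this export" and needs a manual look.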
