You can also use URL categories as match criteria in the following policy types: Captive Portal, Decryption, Security, and QoS. In this use case, Decryption policy rules match on URL categories to control which web categories to decrypt or not decrypt. The first rule is a no-decrypt rule instructing the firewall not to decrypt outbound user traffic to financial-services or health-and-medicine sites and the second rule instructs the firewall to decrypt all other traffic.
Configure a Decryption Policy Based on URL Category
Create the no-decrypt rule that will be listed first in the decryption policies list. This will prevent any website that is in the financial-services or health-and-medicine URL categories from being decrypted. Select Policies > Decryption and click Add. Enter a Name and optionally enter a Description and Tag (s). On the Source tab, add the zone where the users are connected. On the Destination tab, enter the zone that is connected to the Internet. On the URL Category tab, click Add and select the financial-services and health-and-medicine URL categories. On the Options tab, set the action to No Decrypt. ( Optional ) Although the firewall does not decrypt and inspect the traffic for the session, you can attach a Decryption profile if you want to enforce the server certificates used during the session. The decryption profile allows you to configure the firewall to terminate the SSL connection either when the server certificates are expired or when the server certificates are issues by an untrusted issuer.
Click OK to save the policy rule.
Create the decryption policy rule that will decrypt all other traffic. Select the no-decrypt policy you created previously and then click Clone. Enter a Name and optionally enter a Description and Tag (s). On the URL Category tab, select financial-services and health-and-medicine and then click the Delete icon. On the Options tab, set the action to Decrypt and the Type to SSL Forward Proxy. (Optional) Attach a Decryption profile to specify the server certificate verification, unsupported mode checks and failure checks for the SSL traffic. See Configure SSL Forward Proxy for more details.
Ensure that this new decryption rule is listed after the no-decrypt rule to ensure that rule processing occurs in the correct order, so websites in the financial-services and health-and-medicine are not decrypted Click OK to save the policy rule.
(BrightCloud only) Enable cloud lookups for dynamically categorizing a URL when the category is not available on the local database on the firewall. Access the CLI on the firewall. Enter the following commands to enable Dynamic URL Filtering: configure set deviceconfig setting url dynamic-url yes commit
Save the configuration. Click Commit.
With these two decrypt policies in place, any traffic destined for the financial-services or health-and-medicine URL categories will not be decrypted. All other traffic will be decrypted.
Now that you have a basic understanding of the powerful features of URL filtering, App-ID, and User-ID, you can apply similar policies to your firewall to control any application in the Palo Alto Networks App-ID signature database and control any website contained in the URL filtering database.
For help in troubleshooting URL filtering issues, see Troubleshoot URL Filtering.

Related Documentation