tab to define settings for URL filtering, data protection, and container pages.
Dynamic URL Cache Timeout
and enter the timeout (in hours). This value is used in dynamic URL filtering to determine the length of time an entry remains in the cache after it is returned from the URL filtering service. This option is applicable to URL filtering using the BrightCloud database only. For more on URL filtering, select
Objects > Security Profiles > URL Filtering.
URL Continue Timeout
Specify the interval in minutes following a user's continue action before the user must press continue again for URLs in the same category (range is 1–86,400; default is 15).
URL Admin Override Timeout
Specify the interval in minutes after the user enters the admin override password before the user must re-enter the admin override password for URLs in the same category (range is 1–86,400; default is 900).
URL Admin Lockout Timeout
Specify the period of time in minutes that a user is locked out from attempting to use the URL Admin Override password following three unsuccessful attempts (range is 1–86,400; default is 1,800).
Required for connecting to a private PAN-DB server
Specify the IPv4 address, IPv6 address, or FQDN for the private PAN-DB server(s) on your network. You can enter up to 20 entries.
The firewall connects to the public PAN-DB cloud, by default. The private PAN-DB solution is for enterprises that disallow the firewall(s) from directly accessing the PAN-DB servers in the public cloud. The firewalls access the servers included in this PAN-DB server(s) list for the URL database, URL updates, and URL lookups for categorizing web pages.
URL Admin Override
Settings for URL Admin Override
For each virtual system that you want to configure for URL admin override, click
and specify the
settings that apply when a URL filtering profile blocks a page and the
action is specified (for details, select
Objects > Security Profiles > URL Filtering):
—Select the virtual system from the drop-down (multi-vsys firewalls only).
—Enter the password that the user must enter to override the block page.
SSL/TLS Service Profile
—To specify a certificate and the allowed TLS protocol versions for securing communications when redirecting through the specified server, select an SSL/TLS Service profile. For details, see
Device > Certificate Management > SSL/TLS Service Profile.
—Determines whether the block page is delivered transparently (it appears to originate at the blocked website) or redirects the user to the specified server. If you choose
Redirect, enter the IP address for redirection.
to remove an entry.
Allow Forwarding of Decrypted Content
Select this option to allows the firewall to forward decrypted content to an outside service. When selected, this allows the firewall to forward decrypted content when port mirroring or sending WildFire files for analysis.
For a firewall with multiple virtual system capability, this option is enabled for each virtual system. To enable this setting for each virtual system, go to
Device > Virtual Systems.
Extended Packet Capture Length
Set the number of packets to capture when the extended-capture option is enabled in anti-spyware and vulnerability protection profiles (range is 1–50; default is 5).
Select this option to enable forwarding of UDP datagrams and skip content inspection when the UDP content inspection queue is full. The firewall can queue up to 64 datagrams while waiting a response from the content engine. When the firewall forwards a datagram and skips content inspection due to a UDP content inspection queue overflow, it increments the
Disable this option to prevent the firewall from forwarding datagrams and skipping content inspection when the UDP content inspection queue is full. With this option disabled, the firewall drops any datagrams that exceed the queue limit and increments the
This pair of global counters applies to both TCP and UDP packets.
This option is enabled by default. Palo Alto Networks recommends that you disable this option for maximum security. Enabling this option should not result in performance degradation. Some applications may incur loss of functionality in high-volume traffic situations.
Select this option to forward segments and classify the application as unknown-tcp when the App-ID queue exceeds the 64-segment limit. Use the
global counter to view the number of segments in excess of this queue regardless of whether you enabled or disabled this option.
Disable this option to prevent the firewall from forwarding TCP segments and skipping App-ID inspection when the App-ID inspection queue is full.
This option is enabled by default. Palo Alto Networks recommends that you disable this option for maximum security. Disabling this option may result in increased latency on streams where more than 64 segments were queued awaiting App-ID processing.
Select this option to enable forwarding of TCP segments and skip content inspection when the TCP content inspection queue is full. The firewall can queue up to 64 segments while waiting for the content engine. When the firewall forwards a segment and skips content inspection due to a full content inspection queue, it increments the
Disable this option to prevent the firewall from forwarding TCP segments and skipping content inspection when the content inspection queue is full. With this option disabled, the firewall drops any segments that exceed the queue limit and increments the
This pair of global counters applies to both TCP and UDP packets.
This option is enabled by default. Palo Alto Networks recommends that you disable this option for maximum security. Disabling this option may result in increased latency on streams where more than 64 segments were queued awaiting content processing.
Allow HTTP Header Range Option
Select this option to enable the HTTP Range option. The HTTP Range option allows a client to fetch only part of a file. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with an RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. This prevents the firewall from triggering the same signature again due to the lack of context into the initial session, while at the same time allowing the web browser to reassemble the file and deliver the malicious content. To prevent this, make sure this option is disabled.
By default, the firewall allows the HTTP Range option. Palo Alto Networks recommends that you disable this option to block the HTTP Range option. Disabling this option should not impact device performance; however, HTTP file transfer interruption recovery may be impaired.
Use X-Forwarded-For Header in User-ID
Select this option to specify that User-ID reads IP addresses from the X-Forwarded-For (XFF) header in client requests for web services when the firewall is deployed between the Internet and a proxy server that would otherwise hide client IP addresses. User-ID matches the IP addresses it reads with usernames that your policies reference so that those policies can control and log access for the associated users and groups. If the header has multiple IP addresses, User-ID uses the first entry from the left.
In come cases, the header value is a character string instead of an IP address. If the string matches a username that User-ID has mapped to an IP address, the firewall uses that username for group mapping references in policies. If no IP address mapping exists for the string, the firewall invokes the policy rules in which the source user is set to
URL logs display the matched usernames in the Source User field. If User-ID cannot perform the matching or is not enabled for the zone associated with the IP address, the Source User field displays the XFF IP address with the prefix x-fwd-for.
Select this option to remove the X-Forwarded-For (XFF) header, which contains the IP address of a client requesting a web service when the firewall is deployed between the Internet and a proxy server. The firewall zeroes out the header value before forwarding the request—the forwarded packets don’t contain internal source IP information.
Selecting this option doesn’t disable the use of XFF headers for user attribution in policies; the firewall zeroes out the XFF value only after using it for user attribution.
Manage Data Protection
Add additional protection for access to logs that may contain sensitive information, such as credit card numbers or social security numbers.
Manage Data Protection
and configure the following:
To set a new password if one has not already been set, click
Set Password. Enter and confirm the password.
To change the password, click
Change Password. Enter the old password, and enter and confirm the new password.
To delete the password and the data that has been protected, click
Use these settings to specify the types of URLs that the firewall will track or log based on content type, such as application/pdf, application/soap+xml, application/xhtml+, text/html, text/plain, and text/xml. Container pages are set per virtual system, which you select from the
drop-down. If a virtual system does not have an explicit container page defined, the default content types are used.
and enter or select a content type.
Adding new content types for a virtual system overrides the default list of content types. If there are no content types associated with a virtual system, the default list of content types is used.