Control Access to Web Content
URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize web traffic into one or more URL categories. You can then create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. Together with User-ID, you can also use URL Filtering to Prevent Credential Phishing based on URL category.
The following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them to Security policy rules to enforce a basic URL filtering policy.
- Confirm that you have a URL Filtering license.
- Obtain and install a URL Filtering license. See Activate Licenses and Subscriptions for details.
- Select DeviceLicenses and verify that the URL Filtering license is valid.
- Download the seed database and activate the license.
- To download the seed database, click Download next to Download Status in the PAN-DB URL Filtering section of the Licenses page.
- Choose a region (APAC, Europe, Japan, Latin-America, North-America, or Russia) and then click OK to start the download.
- After the download completes, click Activate. The Active field now shows that PAN-DB is now active.
URL Filtering.Configure a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content.Select ObjectsSecurity ProfilesURL Filtering and Add or modify a URL Filtering profile.
- Select Categories to allow, alert, continue, or block access to. If you are not sure what sites or categories you want to control access to, consider setting the categories (except for those blocked by default) to alert. You can then use the visibility tools on the firewall, such as the ACC and App Scope, to determine which web categories to restrict to specific groups or to block entirely. See URL Filtering Profile Actions for details on the site access settings you can enforce for each URL category.
- Select Categories to Prevent Credential Phishing based on URL category.
- Select Overrides to Allow Password Access to Certain Sites.
- Enable Safe Search Enforcement to ensure that user search results are based on search engine safe search settings.
- Attach the URL filtering profile to a Security policy
- Select PoliciesSecurity.
- Select a Security policy rule that allows web access to edit it and select the Actions tab.
- In the Profile Settings list, select the URL Filtering profile you just created. (If you don’t see drop-downs for selecting profiles, set the Profile Type to Profiles.)
- Click OK to save the profile.
- Enable response pages in the management profile for
each interface on which you are filtering web traffic.
- Select NetworkNetwork ProfilesInterface Mgmt and then select an interface profile to edit or click Add to create a new profile.
- Select Response Pages, as well as any other management services required on the interface.
- Click OK to save the interface management profile.
- Select NetworkInterfaces and select the interface to which to attach the profile.
- On the AdvancedOther Info tab, select the interface management profile you just created.
- Click OK to save the interface settings.
- Commit your changes.Commit the configuration.
- Test the URL filtering configuration.From an endpoint in a trusted zone, attempt to access sites in various categories and make sure you see the expected result based on the corresponding Site Access setting you selected:
- If you set Site Access to alert for the category, check the URL Filtering log to make sure you see a log entry for the request.
- If you set Site Access to continue for the category, verify that the URL Filtering Continue and Override Page response page displays. Continue to the site.
- If you set Site Access to block for the category, verify that the URL Filtering and Category Match Block Page response page displays:
URL Filtering Categories
URL Filtering Categories Objects > Security Profiles > URL Filtering > Categories The following table describes URL filtering category settings. Categories Settings Description Category In ...
Block Search Results when Strict Safe Search is not Enabled
Block Search Results when Strict Safe Search is not Enabled By default, when you enable safe search enforcement, when a user attempts to perform a ...
URL Filtering Profile Actions
URL Filtering Profile Actions The URL Filtering profile specifies web access and credential submission permissions for each URL category. By default, site access for all ...
Transparently Enable Safe Search for Users
Transparently Enable Safe Search for Users If you want to enforce filtering of search query results with the strictest safe search filters, but you don’t ...
URL Filtering Response Pages
URL Filtering Response Pages The firewall provides three predefined response pages that display by default when a user attempts to browse to a site in ...
URL Filtering The Palo Alto Networks URL filtering solution allows you to monitor and control the sites users can access, to prevent phishing attacks by ...
Allow Password Access to Certain Sites
Allow Password Access to Certain Sites In some cases there may be URL categories that you want to block, but allow certain individuals to browse ...
Objects > Security Profiles > URL Filtering
Objects > Security Profiles > URL Filtering You can use URL filtering profiles to control access to web content. What are you looking for? See: ...
URL Categories Each website defined in the URL filtering database is assigned a URL category. Here are a few ways to leverage URL categories: Block ...