Determine URL Filtering Policy Requirements

The recommended practice for deploying URL filtering in your organization is to first start with a passive URL filtering profile that will alert on most categories. After setting the alert action, you can then monitor user web activity for a few days to determine patterns in web traffic. After doing so, you can then make decisions on the websites and website categories that should be controlled.
In the procedure that follows, threat‑prone sites will be set to block and the other categories will be set to alert, which will cause all websites traffic to be logged. This may potentially create a large amount of log files, so it is best to do this for initial monitoring purposes to determine the types of websites your users are accessing. After determining the categories that your company approves of, those categories should then be set to allow, which will not generate logs. You can also reduce URL filtering logs by enabling the
Log container page only
option in the URL Filtering profile, so only the main page that matches the category will be logged, not subsequent pages/categories that may be loaded within the container page.
If you subscribe to third-party URL feeds and want to secure your users from emerging threats, see Use an External Dynamic List in a URL Filtering Profile.
  1. Create a new URL Filtering profile.
    1. Select
      Objects
      Security Profiles
      URL Filtering
      .
    2. Select the default profile and then click
      Clone
      . The new profile will be named
      default-1
      .
    3. Select the
      default-1
      profile and rename it. For example, rename it to URL-Monitoring.
  2. Configure the action for all categories to
    alert
    , except for threat‑prone categories, which should remain blocked.
    To select all items in the category list from a Windows system, click the first category, then hold down the shift key and click the last category—this will select all categories. Hold the control key (ctrl) down and click items that should be deselected. On a Mac, do the same using the shift and command keys. You could also just set all categories to alert and manually change the recommended categories back to block.
    1. In the section that lists all URL categories, select all categories.
    2. To the right of the
      Action
      column heading, mouse over and select the down arrow and then select
      Set Selected Actions
      and choose
      alert
      .
      set-alert.png
    3. To ensure that you block access to threat-prone sites, select the following categories and then set the action to
      block
      : abused-drugs, adult, gambling, hacking, malware. phishing, questionable, weapons.
    4. Click
      OK
      to save the profile.
  3. Apply the URL Filtering profile to the security policy rule(s) that allows web traffic for users.
    1. Select
      Policies
      Security
      and select the appropriate security policy to modify it.
    2. Select the
      Actions
      tab and in the
      Profile Setting
      section, click the drop-down for
      URL Filtering
      and select the new profile.
    3. Click
      OK
      to save.
  4. Save the configuration.
    Click
    Commit
    .
  5. View the URL filtering logs to determine all of the website categories that your users are accessing. In this example, some categories are set to block, so those categories will also appear in the logs.
    For information on viewing the logs and generating reports, see Monitor Web Activity.
    Select
    Monitor
    Logs
    URL Filtering
    . A log entry will be created for any website that exists in the URL filtering database that is in a category that is set to any action other than
    allow
    .

Related Documentation