Determine URL Filtering Policy Requirements

The recommended practice for deploying URL filtering in your organization is to start with a passive URL filtering profile that alerts on most categories. After setting the alert action, monitor user web activity for a few days to determine patterns in web traffic, and then decide which websites and website categories should be controlled.
In the procedure that follows, threat‑prone sites are set to block and the other categories are set to alert, which causes all website traffic to be logged. This can generate a large volume of logs, so this configuration is best used for initial monitoring to determine the types of websites your users are accessing. After determining the categories that your company approves of, set those categories to allow, which does not generate logs. You can also reduce URL filtering logs by enabling the Log container page only option in the URL Filtering profile, so that only the main page that matches the category is logged, not subsequent pages/categories that may be loaded within the container page.
If you subscribe to third-party URL feeds and want to secure your users from emerging threats, see Use an External Dynamic List in a URL Filtering Profile.
  1. Create a new URL Filtering profile.
    1. Select Objects > Security Profiles > URL Filtering.
    2. Select the default profile and then click Clone. The new profile will be named default-1.
    3. Select the default-1 profile and rename it. For example, rename it to URL-Monitoring.
  2. Configure the action for all categories to alert, except for threat‑prone categories, which should remain blocked.
    To select all items in the category list from a Windows system, click the first category, then hold down the shift key and click the last category—this will select all categories. Hold the control key (ctrl) down and click items that should be deselected. On a Mac, do the same using the shift and command keys. You could also just set all categories to alert and manually change the recommended categories back to block.
    1. In the section that lists all URL categories, select all categories.
    2. To the right of the Action column heading, mouse over and select the down arrow and then select Set Selected Actions and choose alert.
    3. To ensure that you block access to threat-prone sites, select the following categories and then set the action to block: abused-drugs, adult, gambling, hacking, malware, phishing, questionable, weapons.
    4. Click OK to save the profile.
  3. Apply the URL Filtering profile to the security policy rule(s) that allow web traffic for users.
    1. Select Policies > Security and select the appropriate security policy to modify it.
    2. Select the Actions tab and in the Profile Setting section, click the drop-down for URL Filtering and select the new profile.
    3. Click OK to save.
  4. Save the configuration.
    Click Commit.
  5. View the URL filtering logs to determine all of the website categories that your users are accessing. In this example, some categories are set to block, so those categories will also appear in the logs.
    For information on viewing the logs and generating reports, see Monitor Web Activity.
    Select Monitor > Logs > URL Filtering. A log entry will be created for any website that exists in the URL filtering database that is in a category that is set to any action other than allow.
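
One way to turn the logs from step 5 into review lists, as an added example that is not part of the original documentation or the product: it ranks the alerted categories to consider for allow and flags any threat-prone category from step 2 that was logged without being blocked (for instance, after setting everything to alert and forgetting to change one back). The CSV column names, action strings, users and URLs are constructed assumptions, not the product's export format.

```python
import csv
import io
from collections import Counter, defaultdict

# Categories the procedure above sets to block (taken from the page).
THREAT_PRONE = {"abused-drugs", "adult", "gambling", "hacking",
                "malware", "phishing", "questionable", "weapons"}

# Constructed sample export. Column names and action strings are assumptions;
# map them to the fields in your own log export.
SAMPLE_CSV = """\
source_user,url,category,action
alice,news.example/story,news,alert
bob,news.example/sports,news,alert
alice,mail.example/inbox,web-based-email,alert
carol,bets.example/odds,gambling,block-url
bob,login.example/verify,phishing,alert
carol,news.example/world,news,alert
"""

def summarize(csv_text):
    """Per category: hit count, distinct users, and actions observed."""
    stats = defaultdict(lambda: {"hits": 0, "users": set(), "actions": Counter()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = stats[row["category"].strip().lower()]
        entry["hits"] += 1
        entry["users"].add(row["source_user"].strip())
        entry["actions"][row["action"].strip().lower()] += 1
    return dict(stats)

def review_lists(stats):
    """Return (allow_candidates, threat_prone_seen, not_blocked).

    allow_candidates: non-threat-prone categories, busiest first, to review
    for a move from alert to allow. not_blocked: threat-prone categories
    logged with a non-blocking action, i.e. the profile missed them.
    """
    candidates = sorted((c for c in stats if c not in THREAT_PRONE),
                        key=lambda c: (-stats[c]["hits"], c))
    seen = sorted(c for c in stats if c in THREAT_PRONE)
    not_blocked = sorted(c for c in seen
                         if any(not a.startswith("block") for a in stats[c]["actions"]))
    return candidates, seen, not_blocked

if __name__ == "__main__":
    candidates, seen, not_blocked = review_lists(summarize(SAMPLE_CSV))
    print("Review for allow:", candidates)
    print("Threat-prone categories seen:", seen)
    print("Threat-prone but not blocked:", not_blocked)
```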
