Control Access to Web Content

URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize web traffic into one or more URL categories. You can then create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. Together with User-ID, you can also use URL Filtering to Prevent Credential Phishing based on URL category.
The following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them to Security policy rules to enforce a basic URL filtering policy.
  1. Confirm that you have a URL Filtering license.
    1. Obtain and install a URL Filtering license. See Activate Licenses and Subscriptions for details.
    2. Select DeviceLicenses and verify that the URL Filtering license is valid.
      url-filtering-pan-db1.png
  2. Download the seed database and activate the license.
    1. To download the seed database, click Download next to Download Status in the PAN-DB URL Filtering section of the Licenses page.
    2. Choose a region (APAC, Europe, Japan, Latin-America, North-America, or Russia) and then click OK to start the download.
    3. After the download completes, click Activate. The Active field now shows that PAN-DB is now active.
      url-filtering-pan-db2.png
  3. Configure URL Filtering.
    Configure a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content.
    Select ObjectsSecurity ProfilesURL Filtering and Add or modify a URL Filtering profile.
    • Select Categories to allow, alert, continue, or block access to. If you are not sure what sites or categories you want to control access to, consider setting the categories (except for those blocked by default) to alert. You can then use the visibility tools on the firewall, such as the ACC and App Scope, to determine which web categories to restrict to specific groups or to block entirely. See URL Filtering Profile Actions for details on the site access settings you can enforce for each URL category.
    • Select Categories to Prevent Credential Phishing based on URL category.
    • Select Overrides to Allow Password Access to Certain Sites.
    • Enable Safe Search Enforcement to ensure that user search results are based on search engine safe search settings.
  4. Attach the URL filtering profile to a Security policy rule.
    1. Select PoliciesSecurity.
    2. Select a Security policy rule that allows web access to edit it and select the Actions tab.
    3. In the Profile Settings list, select the URL Filtering profile you just created. (If you don’t see drop-downs for selecting profiles, set the Profile Type to Profiles.)
    4. Click OK to save the profile.
  5. Enable response pages in the management profile for each interface on which you are filtering web traffic.
    1. Select NetworkNetwork ProfilesInterface Mgmt and then select an interface profile to edit or click Add to create a new profile.
    2. Select Response Pages, as well as any other management services required on the interface.
    3. Click OK to save the interface management profile.
    4. Select NetworkInterfaces and select the interface to which to attach the profile.
    5. On the AdvancedOther Info tab, select the interface management profile you just created.
    6. Click OK to save the interface settings.
  6. Commit your changes.
    Commit the configuration.
  7. Test the URL filtering configuration.
    From an endpoint in a trusted zone, attempt to access sites in various categories and make sure you see the expected result based on the corresponding Site Access setting you selected:
    • If you set Site Access to alert for the category, check the URL Filtering log to make sure you see a log entry for the request.
    • If you set Site Access to continue for the category, verify that the URL Filtering Continue and Override Page response page displays. Continue to the site.
    • If you set Site Access to block for the category, verify that the URL Filtering and Category Match Block Page response page displays:
    url-filtering-RespPg.png

Related Documentation