Control Access to Web Content

URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize web traffic into one or more URL categories. You can then create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. Together with User-ID, you can also use URL Filtering to Prevent Credential Phishing based on URL category.
The following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them to Security policy rules to enforce a basic URL filtering policy.
  1. Confirm that you have a URL Filtering license.
    1. Obtain and install a URL Filtering license. See Activate Licenses and Subscriptions for details.
    2. Select Device > Licenses and verify that the URL Filtering license is valid.
  2. Download the seed database and activate the license.
    1. To download the seed database, click Download next to Download Status in the PAN-DB URL Filtering section of the Licenses page.
    2. Choose a region (APAC, Europe, Japan, Latin-America, North-America, or Russia) and then click OK to start the download.
    3. After the download completes, click Activate. The Active field now shows that PAN-DB is active.
  3. Configure a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content.
    Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
    • Select Categories to allow, alert, continue, or block access to. If you are not sure what sites or categories you want to control access to, consider setting the categories (except for those blocked by default) to alert. You can then use the visibility tools on the firewall, such as the ACC and App Scope, to determine which web categories to restrict to specific groups or to block entirely. See URL Filtering Profile Actions for details on the site access settings you can enforce for each URL category.
    • Select Categories to Prevent Credential Phishing based on URL category.
    • Enable Safe Search Enforcement to ensure that user search results are based on search engine safe search settings.
  4. Attach the URL filtering profile to a Security policy rule.
    1. Select Policies > Security.
    2. Select a Security policy rule that allows web access to edit it and select the Actions tab.
    3. In the Profile Settings list, select the URL Filtering profile you just created. (If you don’t see drop-downs for selecting profiles, set the Profile Type to Profiles.)
    4. Click OK to save the profile.
  5. Enable response pages in the management profile for each interface on which you are filtering web traffic.
    1. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click Add to create a new profile.
    2. Select Response Pages, as well as any other management services required on the interface.
    3. Click OK to save the interface management profile.
    4. Select Network > Interfaces and select the interface to which to attach the profile.
    5. On the Advanced > Other Info tab, select the interface management profile you just created.
    6. Click OK to save the interface settings.
  6. Commit your changes.
    Commit the configuration.
  7. Test the URL filtering configuration.
    From an endpoint in a trusted zone, attempt to access sites in various categories and make sure you see the expected result based on the corresponding Site Access setting you selected:
    • If you set Site Access to alert for the category, check the URL Filtering log to make sure you see a log entry for the request.
    • If you set Site Access to continue for the category, verify that the URL Filtering Continue and Override Page response page displays. Continue to the site.
    • If you set Site Access to block for the category, verify that the URL Filtering and Category Match Block Page response page displays:
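Steps 4 and 5 are easy to miss on individual rules or interfaces, so the following added example (not part of the original documentation or any vendor tooling) audits an exported configuration for allow rules with no URL Filtering profile and interface management profiles without Response Pages. The XML element layout, the `audit` function, and all rule and profile names are assumptions built into the constructed sample; the check flags every allow rule, so narrow the findings to the rules that allow web access.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this check reads. The element
# layout is an assumption modelled on an exported firewall configuration;
# compare it with your own export before relying on the result.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain">
 <network><profiles><interface-management-profile>
  <entry name="trust-mgmt"><response-pages>yes</response-pages></entry>
  <entry name="guest-mgmt"><ping>yes</ping></entry>
 </interface-management-profile></profiles></network>
 <vsys><entry name="vsys1"><rulebase><security><rules>
  <entry name="web-out"><action>allow</action>
   <profile-setting><profiles>
    <url-filtering><member>bp-url</member></url-filtering>
   </profiles></profile-setting>
  </entry>
  <entry name="guest-web"><action>allow</action></entry>
  <entry name="deny-all"><action>deny</action></entry>
 </rules></security></rulebase></entry></vsys>
</entry></devices></config>
"""

def audit(config_xml):
    """Return allow rules lacking a URL Filtering profile (step 4) and
    interface management profiles without Response Pages (step 5)."""
    root = ET.fromstring(config_xml)
    unfiltered = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue  # profiles only apply to traffic the rule allows
        attached = rule.findtext("profile-setting/profiles/url-filtering/member")
        # A rule may reference a profile group instead of individual profiles;
        # treat it as covered here and review the group's contents separately.
        grouped = rule.findtext("profile-setting/group/member")
        if not (attached or grouped):
            unfiltered.append(rule.get("name"))
    no_pages = [
        p.get("name")
        for p in root.iterfind(".//interface-management-profile/entry")
        if p.findtext("response-pages") != "yes"
    ]
    return {"rules_without_url_filtering": unfiltered,
            "mgmt_profiles_without_response_pages": no_pages}

if __name__ == "__main__":
    for finding, names in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```
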
