Configure URL Filtering
After you Determine URL Filtering Policy Requirements, you should have a basic understanding of what types of websites and website categories your users are accessing. With this information, you are now ready to create custom URL filtering profiles and attach them to the security policy rule(s) that allow web access. In addition to managing web access with a URL Filtering profile, and if you have User-ID configured, you can also manage the sites to which users can submit corporate credentials.
- Create a URL Filtering profile. If you have not done so already, configure a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content. Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
- Define site access for each URL category. Select Categories and set the Site Access for each URL category:
- Allow traffic to the URL category. Allowed traffic is not logged.
- Select alert to have visibility into sites users are accessing. Matching traffic is allowed, but a URL Filtering log is generated to record when a user accesses a site in the category.
- Select block to deny access to traffic that matches the category and to enable logging of the blocked traffic.
- Select continue to display a page to users with a warning and require them to click Continue to proceed to a site in the category.
- To only allow access if users provide a configured password, select override. For more details on this setting, see Allow Password Access to Certain Sites.
- Configure the URL Filtering profile to detect corporate credential submissions to websites that are in allowed URL categories. The firewall automatically skips checking credential submissions for App-IDs associated with sites that have never been observed hosting malware or phishing content to ensure the best performance and a low false positive rate even if you enable checks in the corresponding category. The list of sites on which the firewall will skip credential checking is automatically updated via Application and Threat content updates.
- Select User Credential Detection.
- Select one of the Methods to Check for Corporate Credential Submissions to web pages from the User Credential Detection drop-down:
- Use IP User Mapping—Checks for valid corporate username submissions and verifies that the username matches the user logged in at the source IP address of the session. To do this, the firewall matches the submitted username against its IP-address-to-username mapping table. You can use any of the user mapping methods described in Map IP Addresses to Users.
- Use Domain Credential Filter—Checks for valid corporate username and password submissions and verifies that the username maps to the IP address of the logged-in user. See Configure User Mapping Using the Windows User-ID Agent for instructions on how to set up User-ID to enable this method.
- Use Group Mapping—Checks for valid username submissions based on the user-to-group mapping table populated when you configure the firewall to Map Users to Groups. With group mapping, you can apply credential detection to any part of the directory or to a specific group, such as IT, that has access to your most sensitive applications. This method is prone to false positives in environments that do not have uniquely structured usernames. Because of this, you should only use this method to protect your high-value user accounts.
- Set the Valid Username Detected Log Severity the firewall uses to log detection of corporate credential submissions. By default, the firewall logs these events as medium severity.
- Allow or block users from submitting corporate credentials to sites based on URL category to Prevent Credential Phishing.
- For each URL category to which Site Access is allowed, select how you want to treat User Credential Submissions:
- alert—Allow users to submit credentials to the website, but generate a URL Filtering alert log each time a user submits credentials to sites in this URL category.
- allow—(default) Allow users to submit credentials to the website.
- block—Displays the Anti Phishing Block Page to block users from submitting credentials to the website.
- continue—Present the Anti Phishing Continue Page to require users to click Continue to access the site.
- Define URL Category Exception Lists to specify websites that should always be blocked or allowed, regardless of URL category. For example, to reduce URL Filtering logs, you may want to add your corporate websites to the allow list so that no logs are generated for those sites. Or, if there is a website that is being overly used and is not work related in any way, you can add it to the block list. Items in the block list will always be blocked regardless of the action for the associated category, and URLs in the allow list will always be allowed. For more information on the proper format and wildcard usage, see URL Category Exception Lists.
- Select Overrides and enter URLs or IP addresses in the Block List and select an action:
- block—Block the URL.
- continue—Prompt users to click Continue to proceed to the web page.
- override—The user will be prompted for a password to continue to the website.
- alert—Allow the user to access the website and add an alert log entry in the URL log.
- For the Allow list, enter IP addresses or URLs that should always be allowed. Each row must be separated by a new line.
- Enable Safe Search Enforcement.
- Log only Container Pages for URL filtering events.
- Select URL Filtering Settings. The Log container page only option is enabled by default so that only the main page that matches the category is logged, not subsequent pages/categories that may be loaded within the container page.
- To enable logging for all pages/categories, clear the Log container page only check box.
- Enable HTTP Header Logging for one or more of the supported HTTP header fields. Select URL Filtering Settings and select one or more of the following fields to log:
- Save the URL Filtering profile and commit your changes.
- Click OK.
- Click Commit.

To test the URL filtering configuration, simply access a website in a category that is set to block or continue to see if the appropriate action is performed.
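Before committing, it helps to review the profile for the gaps the steps above describe: categories set to allow (no log is generated), reachable categories that still use the default credential submission action, and URLs entered in both exception lists. The audit below is an added example, not Palo Alto Networks code; the dictionary layout, the `audit_profile` name and all sample values are constructed for illustration and are not a PAN-OS export format, and it assumes any Site Access action other than block lets traffic through.

```python
# Added example: audits a URL Filtering profile modeled as plain Python data.
# The dict layout and sample values are constructed; not a PAN-OS export format.

# Assumption: every site access action except "block" lets traffic through.
PERMITTING = {"allow", "alert", "continue", "override"}

SAMPLE_PROFILE = {
    "site_access": {
        "business-and-economy": "allow",
        "social-networking": "alert",
        "unknown": "continue",
        "malware": "block",
    },
    # Credential submission action per category; "allow" is the default.
    "credential_submission": {
        "social-networking": "alert",
        "unknown": "block",
    },
    "block_list": ["games.example.com", "intranet.example.com"],
    "allow_list": ["intranet.example.com", "www.example.com"],
}


def audit_profile(profile):
    """Return a sorted list of (category_or_url, finding) tuples."""
    findings = []
    cred = profile.get("credential_submission", {})
    for category, access in profile["site_access"].items():
        if access == "allow":
            # Allowed traffic is not logged, so there is no record of visits.
            findings.append((category, "site access 'allow': traffic is not logged"))
        if access in PERMITTING and cred.get(category, "allow") == "allow":
            # Site is reachable; credential submissions are neither logged nor stopped.
            findings.append((category, "credential submission 'allow': no alert or block"))
    # An entry in both lists is contradictory: each list is meant to always win.
    blocked = {u.lower() for u in profile.get("block_list", [])}
    allowed = {u.lower() for u in profile.get("allow_list", [])}
    for url in blocked & allowed:
        findings.append((url, "listed in both block list and allow list"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit_profile(SAMPLE_PROFILE):
        print(f"{subject}: {finding}")
```
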