URL Filtering Categories

Select
Objects
Security Profiles
URL Filtering
Categories
to control access to websites based on URL categories.
Attach a URL Filtering profile to all Security policy rules that allow access to web-based applications to protect against URLs that have been observed to host malware or exploitive content.
Categories Settings
Description
Category
In addition to the predefined categories, both custom URL categories and external dynamic lists of type URL are displayed under
Category
. By default, the
Site Access
and
User Credential Submission
permissions for all categories are set to
Allow
.
Block
all known dangerous URL categories, including command-and-control, copyright-infringement, dynamic-dns, extremism, malware, phishing, proxy-avoidance-and-anonymizers, unknown, and parked to protect against exploit infiltration, malware download, command-and-control activity, and data exfiltration.
To phase in a block policy, set categories to
continue
and create a custom response page to educate users about your use policy and alert them that they are visiting a site that may pose a threat. After a suitable period of time, transition to a policy that blocks the potentially malicious sites.
Site Access
For each URL category, select the action to take when a user attempts to access a URL in that category (
Site Access
):
  • alert
    —Allows access to the web site but adds an alert to the URL log each time a user accesses the URL.
    Set
    alert
    as the Action for categories of traffic you don’t block to log and provide visibility into the traffic.
  • allow
    —Allows access to the web site but doesn’t log traffic.
    Because
    allow
    doesn’t log unblocked traffic, set
    alert
    as the Action for categories of traffic you don’t block to log and provide visibility into that traffic.
  • block
    —Blocks access to the web site. If the Site Access to a URL category is set to block, the User Credential Submission permissions is automatically also set to block.
  • continue
    —Displays a page to users that to warn them against continuing to access the page. To access the web site, the user must click
    Continue
    .
The Continue pages will not be displayed properly on client machines that are configured to use a proxy server.
  • override
    —Displays a response page that prompts the user to enter a valid password in order to gain access to the site. Configure URL Admin Override settings (
    Device
    Setup
    Content ID
    ) to manage password and other override settings. (See also the Management Settings table in Device > Setup > Content-ID).
The Override pages will not be displayed properly on client machines that are configured to use a proxy server.
  • none
    (
    custom URL category only
    )—If you have created custom URL categories, set the action to
    none
    to allow the firewall to inherit the URL filtering category assignment from your URL database vendor. Setting the action to
    none
    gives you the flexibility to ignore custom categories in a URL filtering profile, while allowing you to use the custom URL category as a match criteria in policy rules (Security, Decryption, and QoS) to make exceptions or to enforce different actions. To delete a custom URL category, you must set the action to
    none
    in any profile where the custom category is used. For information on custom URL categories, see Objects > Custom Objects > URL Category.
User Credential Submission
For each URL category, select the
User Credential Submissions
to allow or disallow users from submitting valid corporate credentials to a URL in that category. Before you can control user credential submissions based on URL category, you must enable credential submission detection (select the
User Credential Detection
tab).
URL categories with the
Site Access
set to block are automatically set to also block user credential submissions.
  • alert
    —Allow users to submit credentials to the website, but generate a URL Filtering log each time a user submits credentials to sites in this category.
  • allow
    (default)—Allow users to submit credentials to the website.
  • block
    —Block users from submitting credentials to the website. A default anti-phishing response page blocks user credential submissions.
  • continue
    —Display a response page to users that prompts them to select Continue to submit credentials to the site. By default, an anti-phishing continue page displays to warn users when they attempt to submit credentials to sites to which credential submissions are discouraged. You can choose to create a custom response page to warn users against phishing attempts or to educate them against reusing valid corporate credentials on other websites.
Check URL Category
Click to access the PAN-DB URL Filtering database, where you can enter a URL or IP address to view categorization information.
Dynamic URL Filtering
Default: Disabled
(
Configurable for BrightCloud only
)
Select to enable cloud lookup for categorizing the URL. This option is invoked if the local database is unable to categorize the URL.
If the URL is unresolved after a 5 second timeout window, the response is displayed as
Not resolvedURL
.
With PAN-DB, this option is enabled by default and is not configurable.

Related Documentation