Allow Password Access to Certain Sites
In some cases there may be URL categories that you want to block, but allow certain individuals to browse to on occasion. In this case, you would set the category action to override and define a URL admin override password in the firewall Content-ID configuration. When users attempt to browse to the category, they will be required to provide the override password before they are allowed access to the site. Use the following procedure to configure URL admin override:
- Set the URL admin override password.
- Select DeviceSetupContent ID.
- In the URL Admin Override section, click Add.
- In the Location field, select the virtual system to which this password applies.
- Enter the Password and Confirm Password.
- Select an SSL/TLS Service Profile. The profile specifies the certificate that the firewall presents to the user if the site with the override is an HTTPS site. For details, see Configure an SSL/TLS Service Profile.
- Select the Mode for prompting
the user for the password:
- Transparent—The firewall intercepts the browser traffic destined for site in a URL category you have set to override and impersonates the original destination URL, issuing an HTTP 401 to prompt for the password.The client browser will display certificate errors if it does not trust the certificate.
- Redirect—The firewall intercepts HTTP or HTTPS traffic to a URL category set to override and redirects the request to a Layer 3 interface on the firewall using an HTTP 302 redirect in order to prompt for the override password. If you select this option, you must provide the Address (IP address or DNS hostname) to which to redirect the traffic.
- Click OK.
- (Optional) Set a custom override period.
- Edit the URL Filtering section.
- To change the amount of time users can browse to a site in a category for which they have successfully entered the override password, enter a new value in the URL Admin Override Timeout field. By default, users can access sites within the category for 15 minutes without re-entering the password.
- To change the amount of time users are blocked from accessing a site set to override after three failed attempts to enter the override password, enter a new value in the URL Admin Lockout Timeout field. By default, users are blocked for 30 minutes.
- Click OK.
- (Redirect mode only) Create a Layer 3 interface
to which to redirect web requests to sites in a category configured
- Create a management profile to enable the
interface to display the URL Filtering Continue and Override Page
- Select NetworkInterface Mgmt and click Add.
- Enter a Name for the profile, select Response Pages, and then click OK.
- Create the Layer 3 interface. Be sure to attach the management profile you just created (on the AdvancedOther Info tab of the Ethernet Interface dialog).
- Create a management profile to enable the interface to display the URL Filtering Continue and Override Page response page:
- (Redirect mode only) To transparently redirect
users without displaying certificate errors, install a certificate
that matches the IP address of the interface to which you are redirecting
web requests to a site in a URL category configured for override.You
can either generate a self-signed certificate or import a certificate
that is signed by an external CA.To use a self-signed certificate, you must first create a root CA certificate and then use that CA to sign the certificate you will use for URL admin override as follows:
- To create a root CA certificate, select DeviceCertificate ManagementCertificatesDevice Certificates and then click Generate. Enter a Certificate Name, such as RootCA. Do not select a value in the Signed By field (this is what indicates that it is self-signed). Make sure you select the Certificate Authority check box and then click Generate the certificate.
- To create the certificate to use for URL admin override, click Generate. Enter a Certificate Name and enter the DNS hostname or IP address of the interface as the Common Name. In the Signed By field, select the CA you created in the previous step. Add an IP address attribute and specify the IP address of the Layer 3 interface to which you will be redirecting web requests to URL categories that have the override action.
- Generate the certificate.
- To configure clients to trust the certificate, select the CA certificate on the Device Certificates tab and click Export. You must then import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory Group Policy Object (GPO).
- Specify which URL categories require an override password
to enable access.
- Select ObjectsURL Filtering and either select an existing URL filtering profile or Add a new one.
- On the Categories tab, set the Action to override for each category that requires a password.
- Complete any remaining sections on the URL filtering profile and then click OK to save the profile.
- Apply the URL Filtering profile to the security policy
rule(s) that allows access to the sites requiring password override
- Select PoliciesSecurity and select the appropriate security policy to modify it.
- Select the Actions tab and in the Profile Setting section, click the drop-down for URL Filtering and select the profile.
- Click OK to save.
- Save the configuration.Click Commit.
URL Filtering Categories
URL Filtering Categories Select Objects Security Profiles URL Filtering Categories to control access to websites based on URL categories. Categories Settings Description Category Displays the ...
URL Filtering Response Pages
URL Filtering Response Pages The firewall provides three predefined response pages that display by default when a user attempts to browse to a site in ...
Device > Response Pages
Device > Response Pages Custom response pages are the web pages that display when a user tries to access a URL. You can provide a ...
Device > Setup > Content-ID
Device > Setup > Content-ID Use the Content-ID ™ tab to define settings for URL filtering, data protection, and container pages. Content-ID Settings Description URL ...
URL Filtering Profile Actions
URL Filtering Profile Actions The URL Filtering profile specifies web access and credential submission permissions for each URL category. By default, site access for all ...
Configure URL Filtering
Configure URL Filtering After you Determine URL Filtering Policy Requirements , you should have a basic understanding of what types of websites and website categories ...
Objects > Custom Objects > URL Category
Objects > Custom Objects > URL Category Use the custom URL category page to create your custom list of URLs and use it in a ...
Multi-Category URL Filtering
PAN-DB classifies URLs with multiple categories, so that you can granularly control web access and how users interact with online content. ...
Custom URL Categories
Custom URL Categories You can create a custom URL Filtering object to specify exceptions to URL category enforcement, and to create a custom URL category ...