Plan Your URL Filtering Deployment

To first deploy URL filtering in your network, we recommend that you start with a basic setup that’ll give you visibility into web activity patterns while blocking confirmed malicious content:
  • Start with a (mostly) passive URL Filtering profile that alerts on most categories. This gives you visibility into the sites your users are accessing, so you can decide what you want allow, limit, and block.
  • Block URL categories that we know are bad: malware, C2, and phishing.
Because alerting on all web activity might create a large amount of log files, you might decide you only want to do this as you’re initially deploying URL Filtering.
At that time, you can also reduce URL filtering logs by enabling the
Log container page only
option in the URL Filtering profile so only the main page that matches the category will be logged, not subsequent pages/categories that may be loaded within the container page.
  1. At any time, you can use Test A Site to see how PAN-DB—the URL Filtering cloud database—categorizes a specific URL, and to learn about all possible URL categories.
    You can also use Test A Site to submit a change request, if you disagree with how a specific URL is categorized.
  2. Create a passive URL Filtering profile, that alerts on all categories so you have visibility into web traffic.
    1. Select
      Objects
      Security Profiles
      URL Filtering
      .
    2. Select the default profile and then click
      Clone
      . The new profile will be named
      default-1
      .
    3. Select the
      default-1
      profile and rename it. For example, rename it to URL-Monitoring.
  3. Configure the action for all categories to
    alert
    , except for malware, command-and-control, and phishing, which should remain blocked.
    1. In the section that lists all URL categories, select all categories.
    2. To the right of the
      Action
      column heading, mouse over and select the down arrow and then select
      Set Selected Actions
      and choose
      alert
      .
      set-alert.png
    3. Block
      access to known dangerous URL categories.
      Block access to malware, phishing, dynamic-dns, unknown, command-and-control, extremism, copyright-infringement, proxy-avoidance-and-anonymizers, newly-registered-domain, grayware, and parked URL categories.
    4. Click
      OK
      to save the profile.
  4. Apply the URL Filtering profile to the security policy rule(s) that allows web traffic for users.
    1. Select
      Policies
      Security
      and select the appropriate security policy to modify it.
    2. Select the
      Actions
      tab and in the
      Profile Setting
      section, click the drop-down for
      URL Filtering
      and select the new profile.
    3. Click
      OK
      to save.
  5. Save the configuration.
    Click
    Commit
    .
  6. View the URL filtering logs to see all of the website categories that your users are accessing. The categories you’ve set to block are also logged.
    For information on viewing the logs and generating reports, see Monitor Web Activity.
    Select
    Monitor
    Logs
    URL Filtering
    . A log entry will be created for any website that exists in the URL filtering database that is in a category set to any action other than
    allow
    . URL Filtering reports give you a view of web activity in a 24-hour period. (
    Monitor
    Reports
    ).
  7. Here’s what to do next:
    • Strictly control how users interact with high-risk and medium-risk sites.
      PAN-DB categorizes every URL with up to four categories, and every URL has a risk category (high, medium, and low). While high and medium-risk sites are not confirmed malicious, they are closely associated with malicious sites. For example, they might be on the same domain as malicious sites or maybe they hosted malicious content until only very recently. For everything that you do not expicitly whitelist or blacklist, you can use risk categories to write simple policy based on website safety.
      You can take precautionary measures to limit your users’ interaction high-risk sites especially, as there might be some cases where you want to give your users access to sites that might also present safety concerns (for example, you might want to allow your developers to use developer blogs for research, yet blogs are a category known to commonly host malware).
    • Pair URL Filtering with User-ID.
      Use URL Filtering and User-IDD together to control web access based on organization or department and to block corporate credential submissions to unsanctioned sites:
      • URL Filtering prevents credential theft by detecting corporate credential submissions to sites based on the site category. Block users from submitting credentials to malicious and untrusted sites, warn users against entering corporate credentials on unknown sites or reusing corporate credentials on non-corporate sites, and explicitly allow users to submit credentials to corporate sites.
      • Add or update a security policy rule with the passive URL Filtering profile so that it applies to a department user group, for example, Marketing or Engineering (
        Policies
        Security
        User
        ). Monitor the department activity, and get feedback from department members to understand the web resources that are essential to the work they do.
    • Consider all the ways you can use URL Filtering to reduce your attack surface and to control web usage.
      For example, if you’re a school, you can use URL Filtering to enforce strict safe search settings, where search engines filter out adult images and videos from search results. Or, if you have a security operations center, you might give threat analysts password access to compromised or dangerous sites for research, that you might not want to otherwise open up to entire organizations or teams.

Recommended For You