URL Filtering Best Practices

Palo Alto Networks URL Filtering protects you from web-based threats, and gives you a simple way to monitor and control web activity. These best practices show you how to reduce your exposure to web-based threats, without limiting user access to web resources that they need.
  • As part of building a best practice internet gateway security policy, whitelist applications.
    Whitelist applications include not only the applications you provision and administer for business and infrastructure purposes, but also the applications that your users need to get their jobs done and applications you might want to allow for personal use. Use URL categories to build application filters that allow general types you want to permit either for business or personal use.
  • Get visibility into your users’ web activity, so you can plan the most effective URL Filtering policy for your organization, and roll it out smoothly:
    • Use Test A Site to see how PAN-DB—the URL Filtering cloud database—categorizes a specific URL you’re interested in, and to learn about all possible URL categories.
    • Start with a passive URL Filtering profile that alerts on most URL categories. Alerting on URL categories means that log entries are generated for each site your users access, but no policy action is enforced. With this visibility into the sites your users are accessing, you can decide what you want to allow, limit, and block. Because alerting on most URL categories results in a large volume of logs, we recommend only using this passive profile as a planning tool.
    • Monitor web activity to assess the sites your users are accessing and see how they align with your business needs.
  • Block URL categories that classify malicious and exploitive web content.
    While these categories are known to be dangerous, keep in mind that the URL categories you decide to block might also depend on your business needs. Review the full list of URL categories and decide if there are other categories you’d like to block (for example, schools might decide to block gaming and adult sites).
  • Use URL categories to phase-in decryption, and to exclude sensitive or personal information from decryption.
    Targeting decryption and phasing it in based on URL categories are also Decryption best practices.
    • Exclude certain web traffic from decryption—Use URL categories to make decryption exceptions, especially if you want to exclude certain types of sites from decryption because of privacy concerns (for example, financial-services and health-and-medicine sites).
    • Phase in decryption—Plan to decrypt the traffic that is classified as high-risk first. Alternatively, decrypt the URL categories that don’t affect your business first (for example, news feeds).
  • Turn on credential phishing prevention, to stop corporate credential theft.
    For all categories, set User Credential Submissions to block (Objects > Security Profiles > URL Filtering > Categories > User Credential Submission). Users will still be able to use their corporate credentials to access whitelisted applications and resources; however, they won’t be able to reuse their corporate credentials on non-corporate sites or inadvertently enter them on a phishing site.
  • Decrypt, inspect, and strictly limit how users interact with high-risk and medium-risk URL categories, as well as any Malicious URL Categories if you’re unable to block them for business reasons.
    The applications that you whitelist and the malicious URL categories that you block outright are just a portion of your overall web traffic. The rest of the content your users are accessing is a combination of benign (the low-risk URL category) and risky content (high-risk and medium-risk URL categories). The high-risk and medium-risk categories identify content that is not confirmed malicious but is closely associated with malicious sites. For example, a high-risk URL might be on the same domain as a malicious site, or it might have hosted malicious content in the past.
    However, many sites that pose a risk to your organization also provide valuable resources and services to your users (cloud storage services are a good example). While these resources and services are necessary for business, they are also more likely to be used as part of a cyberattack.
    Control how users interact with potentially dangerous content, while still providing a good user experience:
    • Decrypt high-risk and medium-risk sites.
      The firewall evaluates decryption policy rules from top to bottom (Policies > Decryption). Place the rule to decrypt high-risk and medium-risk URL categories below the rules that specify your decryption exceptions. This way, the firewall enforces decryption exceptions first and then decrypts high-risk and medium-risk web content.
      Review your decryption exceptions and consider blocking the high-risk and medium-risk sites that you don’t decrypt (like financial-services and health-and-medicine). This is a protective measure you can take while continuing to adhere to requirements to exclude certain content from decryption:
      • Your users can continue to access the low-risk, encrypted content.
      • You’re meeting requirements to not decrypt content that belongs to the URL category (like health-and-medicine).
      • You’re protecting your organization from the high-risk and medium-risk sites that you’re not able to decrypt and inspect due to privacy concerns or other business reasons.
      To do this, create a URL Filtering profile with the high-risk and medium-risk URL categories set to block (Objects > Security Profiles > URL Category > Categories). Next, set up a security policy rule that specifies the URL categories you are excluding from decryption, such as health-and-medicine and financial-services, as policy match criteria (Policies > Security > Service/URL Category). Select the Action tab in the security policy rule, and attach the URL Filtering profile to the rule. Then, set the rule Action to Allow—the policy rule allows only low-risk web traffic that matches the URL categories you specified (such as health-and-medicine and financial-services) and blocks the matching URL category traffic that is high-risk or medium-risk.
    • In a URL Filtering profile, set the high-risk and medium-risk categories to continue to display a response page that warns users they’re visiting a potentially dangerous site. Advise them how to take precautions if they decide to continue to the site. If you don’t want to prompt users with a response page, alert on the high-risk and medium-risk categories instead.
    • For high-risk and medium-risk URL categories, follow the Anti-Spyware, Vulnerability Protection, and File Blocking best practices. Protective measures include blocking downloads of dangerous file types and blocking obfuscated JavaScript.
  • If your educational institution has policies against allowing students or faculty to access sites such as adult or weapons sites, enforce safe search to make sure these sites are blocked.
    You can enable safe search transparently for your users; this means that if it’s not already turned on, you automatically redirect users to filtered search results.
  • (PAN-OS 9.0.4 and later) Enable the firewall to hold an initial web request as it looks up a website’s URL category with PAN-DB.
    When a user visits a website, a firewall with URL Filtering enabled checks its local cache of URL categories to categorize the site. If the firewall doesn’t find the URL’s category in the cache, it performs a lookup in PAN-DB. By default, the firewall allows the user’s web request during this cloud lookup and enforces policy when the server responds.
    But when you choose to hold web requests, the firewall blocks the request until it either finds the URL category or times out. If the lookup times out, the firewall considers the URL category not-resolved.
    1. Enter
      configure
      to access Configuration Mode.
    2. Enter
      set deviceconfig setting ctd hold-client-request yes
      to enable the feature.
    3. Commit your changes.
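The ordering argument in the "Decrypt, inspect, and strictly limit" item above (decryption exceptions evaluated before the decrypt-risky rule, and a block-on-risky URL Filtering profile attached to the security rule for the excluded categories) can be checked with a small model. This is an added example, not Palo Alto Networks code or configuration; the risk and exception category names follow the page, while the malicious category names, rule names and sample sites are assumed.

```python
# Added example, not from the Palo Alto Networks documentation: a small model
# of the decryption and security policy ordering described above. Category
# names follow the page; the rule layout and site data are constructed.

NO_DECRYPT = {"financial-services", "health-and-medicine"}   # decryption exceptions
RISKY = {"high-risk", "medium-risk"}
MALICIOUS = {"malware", "phishing", "command-and-control"}   # assumed category names

# Decryption policy, evaluated top to bottom; first match wins. The exception
# rule must sit above the decrypt-risky rule or it is never reached.
DECRYPTION_RULES = [
    ("no-decrypt-sensitive", NO_DECRYPT, "no-decrypt"),
    ("decrypt-risky", RISKY, "decrypt"),
]

# URL Filtering profiles. The exclusion profile blocks risky content that
# cannot be decrypted and inspected; the general profile warns instead.
EXCLUSION_PROFILE = {c: "block" for c in RISKY}
GENERAL_PROFILE = {**{c: "block" for c in MALICIOUS}, **{c: "continue" for c in RISKY}}

# Security policy, also top to bottom: (name, match categories, profile).
SECURITY_RULES = [
    ("allow-sensitive-undecrypted", NO_DECRYPT, EXCLUSION_PROFILE),
    ("allow-general-web", None, GENERAL_PROFILE),           # None matches any category
]

SEVERITY = {"block": 3, "continue": 2, "alert": 1, "allow": 0}

def decryption_action(categories, rules=DECRYPTION_RULES):
    """Return 'decrypt' or 'no-decrypt' from the first rule whose categories match."""
    for _name, match, action in rules:
        if categories & match:
            return action
    return "no-decrypt"

def profile_verdict(categories, profile):
    """A site carries several PAN-DB categories; the most severe action wins."""
    return max((profile.get(c, "allow") for c in categories),
               key=SEVERITY.__getitem__, default="allow")

def evaluate(categories, sec_rules=SECURITY_RULES, dec_rules=DECRYPTION_RULES):
    """Return (security rule name, decryption action, URL Filtering verdict) for a site."""
    for name, match, profile in sec_rules:
        if match is None or categories & match:
            return name, decryption_action(categories, dec_rules), profile_verdict(categories, profile)
    return "default-deny", "no-decrypt", "block"

# Constructed sample sites with hypothetical PAN-DB category sets.
SITES = {
    "lowrisk-clinic": {"health-and-medicine", "low-risk"},
    "riskyhealth-portal": {"health-and-medicine", "medium-risk"},
    "cloud-share": {"online-storage-and-backup", "high-risk"},
}
```

Reversing DECRYPTION_RULES makes the medium-risk health site match the decrypt rule first, which is exactly the misordering the text warns against.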