URL Filtering Best Practices
Palo Alto Networks URL Filtering protects you from web-based threats, and gives you a simple way to monitor and control web activity. These best practices show you how to reduce your exposure to web-based threats, without limiting user access to web resources that they need.
- Whitelist applications include not only the applications you provision and administer for business and infrastructure purposes, but also the applications that your users need to get their jobs done and applications you might want to allow for personal use. Use URL categories to build application filters that allow the general types of sites you want to permit, either for business or personal use.
- Get visibility into your users’ web activity, so you can plan the most effective URL Filtering policy for your organization, and roll it out smoothly:
- Start with a passive URL Filtering profile that alerts on most URL categories. Alerting on URL categories means that log entries are generated for each site your users access, but no policy action is enforced. With this visibility into the sites your users are accessing, you can decide what you want to allow, limit, and block. Because alerting on most URL categories results in a large volume of logs, we recommend only using this passive profile as a planning tool.
- Monitor web activity to assess the sites your users are accessing and see how they align with your business needs.
- While we know that these categories are dangerous, always keep in mind that the URL categories you decide to block might depend on your business needs. Review the full list of URL categories and decide if there are other categories you’d like to block (for example, schools might decide to block gaming and adult sites).
- Use URL categories to phase-in decryption, and to exclude sensitive or personal information from decryption.
- Exclude certain web traffic from decryption—Use URL categories to make decryption exceptions, especially if you want to exclude certain types of sites from decryption because of privacy concerns (for example, financial-services and health-and-medicine sites).
- For all categories, set User Credential Submission to block (Objects > Security Profiles > URL Filtering > Categories > User Credential Submission). Users will still be able to use their corporate credentials to access whitelisted applications and resources; however, they won’t be able to reuse their corporate credentials on non-corporate sites or inadvertently enter them on a phishing site.
- The applications that you whitelist and the malicious URL categories that you block outright are just a portion of your overall web traffic. The rest of the content your users access is a combination of benign content (the low-risk URL category) and risky content (the high-risk and medium-risk URL categories). The high-risk and medium-risk categories identify content that is not confirmed malicious but is closely associated with malicious sites. For example, a high-risk URL might be on the same domain as a malicious site, or it might have hosted malicious content in the past.
However, many sites that pose a risk to your organization also provide valuable resources and services to your users (cloud storage services are a good example). While these resources and services are necessary for business, they are also more likely to be used as part of a cyberattack.
Control how users interact with potentially dangerous content, while still providing a good user experience:
- Decrypt high-risk and medium-risk sites. The firewall evaluates decryption policy rules from top to bottom (Policies > Decryption). Place the rule that decrypts the high-risk and medium-risk URL categories below the rules that specify your decryption exceptions. This way, the firewall enforces the decryption exceptions first and then decrypts the remaining high-risk and medium-risk web content.
- Review your decryption exceptions and consider blocking the high-risk and medium-risk sites that you don’t decrypt (like financial-services and health-and-medicine). This is a protective measure you can take while continuing to adhere to requirements to exclude certain content from decryption:
To do this, create a URL Filtering profile with the high-risk and medium-risk URL categories set to block (Objects > Security Profiles > URL Filtering > Categories). Next, set up a security policy rule that specifies the URL categories you are excluding from decryption, such as health-and-medicine and financial-services, as policy match criteria (Policies > Security > Service/URL Category). Select the Actions tab in the security policy rule and attach the URL Filtering profile to the rule. Then set the rule Action to Allow. The policy rule allows only low-risk web traffic that matches the URL categories you specified (such as health-and-medicine and financial-services) and blocks the matching traffic that is also categorized as high-risk or medium-risk.
- Your users can continue to access the low-risk, encrypted content.
- You’re meeting requirements not to decrypt content that belongs to an excluded URL category (like health-and-medicine).
- You’re protecting your organization from the high-risk and medium-risk sites that you’re not able to decrypt and inspect due to privacy concerns or other business reasons.
- In a URL Filtering profile, set the high-risk and medium-risk categories to continue to display a response page that warns users they’re visiting a potentially dangerous site. Advise them how to take precautions if they decide to continue to the site. If you don’t want to prompt users with a response page, alert on the high-risk and medium-risk categories instead.
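As an added illustration (not Palo Alto Networks code, and not the firewall’s actual evaluation logic), the following Python model shows why the rule order and the attached profile matter: a URL can carry several PAN-DB categories at once, the decryption exception must sit above the decrypt-risky rule, and the profile’s block action refines the rule’s allow. The rule structures, the action precedence and the category sets are constructed assumptions.

```python
# Simplified model of PAN-OS decryption and security policy evaluation for URLs
# that carry several categories. Constructed example, not Palo Alto Networks code.

# URL Filtering profile actions from most to least restrictive (assumed ordering).
PRECEDENCE = ["block", "continue", "alert", "allow"]

def profile_action(profile, categories, default="allow"):
    """A URL can be financial-services AND high-risk at once; the most
    restrictive action across all of its categories is what the profile enforces."""
    return min((profile.get(c, default) for c in categories), key=PRECEDENCE.index)

def first_match(rules, categories):
    """Policies are evaluated top to bottom; the first rule whose URL-category
    criteria intersect the URL's categories wins."""
    for rule in rules:
        if rule["match"] == {"any"} or rule["match"] & categories:
            return rule
    return None

SENSITIVE = {"financial-services", "health-and-medicine"}
RISKY = {"high-risk", "medium-risk"}

# Decryption policy: the exception rule is placed above the risky-content rule.
DECRYPT_RULES = [
    {"name": "no-decrypt-sensitive", "match": SENSITIVE, "action": "no-decrypt"},
    {"name": "decrypt-risky", "match": RISKY, "action": "decrypt"},
]

# Profile for the categories you do not decrypt: block risky content outright.
BLOCK_RISKY = {"high-risk": "block", "medium-risk": "block"}
# Profile for everything else (decrypted and inspected): warn, then let through.
WARN_RISKY = {"high-risk": "continue", "medium-risk": "continue"}

SECURITY_RULES = [
    {"name": "sensitive-allow", "match": SENSITIVE, "action": "allow", "profile": BLOCK_RISKY},
    {"name": "web-default", "match": {"any"}, "action": "allow", "profile": WARN_RISKY},
]

def evaluate(categories, decrypt_rules=DECRYPT_RULES, security_rules=SECURITY_RULES):
    """Return (decryption decision, matched security rule name, enforced action)."""
    dec = first_match(decrypt_rules, categories)
    decryption = dec["action"] if dec else "no-decrypt"
    rule = first_match(security_rules, categories)
    if rule is None:
        return decryption, None, "deny"
    action = rule["action"]
    if action == "allow" and "profile" in rule:
        action = profile_action(rule["profile"], categories)  # the profile refines an allow
    return decryption, rule["name"], action
```

Swapping the two decryption rules (`DECRYPT_RULES[::-1]`) makes a financial-services site that is also high-risk get decrypted, which is exactly the ordering mistake the guidance above warns against.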
- If your educational institution has policies against allowing students or faculty to access sites such as adult or weapons sites, enforce safe search to make sure these sites are blocked. You can enable safe search transparently for your users; this means that if it’s not already turned on, you automatically redirect users to filtered search results.
- (PAN-OS 9.0.4 and later) Enable the firewall to hold an initial web request while it looks up the website’s URL category in PAN-DB. When a user visits a website, a firewall with URL Filtering enabled checks its local cache of URL categories to categorize the site. If the firewall doesn’t find the URL’s category in the cache, it performs a lookup in PAN-DB. By default, the firewall allows the user’s web request during this cloud lookup and enforces policy when the server responds. When you choose to hold web requests instead, the firewall blocks the request until it either finds the URL category or times out. If the lookup times out, the firewall considers the URL category not-resolved.
- Enter `configure` to access Configuration Mode.
- Enter `set deviceconfig setting ctd hold-client-request yes` to enable the feature.
- Commit your changes.
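An added simulation (not Palo Alto Networks code) of the lookup path just described: local cache first, then the cloud, with the request either held or forwarded before the verdict, and a slow lookup degrading to not-resolved. The lookup data, the timeout value and the assumption that not-resolved is matched against the profile like any other category are constructed for this example.

```python
# Simplified model of the category lookup path above, with and without
# hold-client-request. Constructed example, not Palo Alto Networks code.
NOT_RESOLVED = frozenset({"not-resolved"})

def lookup_category(url, cache, cloud_lookup, timeout_s):
    """Local cache first, otherwise the cloud (PAN-DB in the product). A lookup
    slower than the timeout yields not-resolved, which is not cached.
    cloud_lookup(url) returns (latency_seconds, categories); an assumed shape."""
    if url in cache:
        return cache[url]
    latency, categories = cloud_lookup(url)
    if latency > timeout_s:
        return NOT_RESOLVED
    cache[url] = categories
    return categories

def handle_request(url, cache, cloud_lookup, profile, hold, timeout_s=2.0):
    """Return the ordered events for one client request. With hold off, the
    request is forwarded while the lookup is in flight and policy is applied to
    the response; with hold on, nothing is sent until the category is known."""
    events = []
    if url not in cache:
        events.append("request-held" if hold else "request-forwarded-before-verdict")
    categories = lookup_category(url, cache, cloud_lookup, timeout_s)
    # not-resolved is matched against the profile like any other category
    # (assumed), so give it an explicit action rather than relying on a default.
    action = "block" if any(profile.get(c) == "block" for c in categories) else "allow"
    events.append("category=" + ",".join(sorted(categories)))
    events.append(action)
    return events

# Constructed lookup data: one fast answer and one that exceeds the timeout.
CLOUD = {
    "fast.example": (0.1, {"business-and-economy", "low-risk"}),
    "slow.example": (5.0, {"high-risk"}),
}

def fake_cloud(url):
    return CLOUD[url]

PROFILE = {"high-risk": "block", "medium-risk": "block", "not-resolved": "block"}
```

With hold off, the first request to an uncached URL reaches the server before any verdict exists; with hold on, a lookup slower than the timeout turns into not-resolved and the action you configured for that category decides the outcome.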