Use Case: Use URL Categories for Policy Matching

You can also use URL categories as match criteria in the following policy types: Authentication, Decryption, Security, and QoS. In this use case, Decryption policy rules match on URL categories to control which web categories the firewall decrypts. The first rule is a no-decrypt rule that instructs the firewall not to decrypt outbound user traffic to financial-services or health-and-medicine sites; the second rule instructs the firewall to decrypt all other traffic. Because the firewall evaluates Decryption policy rules from the top down and applies the first rule that matches, the no-decrypt rule must be listed before the catch-all decrypt rule.
  1. Create the no-decrypt rule that will be listed first in the Decryption policy rulebase. This prevents any website in the financial-services or health-and-medicine URL categories from being decrypted.
    1. Select Policies > Decryption and click Add.
    2. Enter a Name and optionally enter a Description and Tag(s).
    3. On the Source tab, add the zone where the users are connected.
    4. On the Destination tab, add the zone that is connected to the Internet.
    5. On the URL Category tab, click Add and select the financial-services and health-and-medicine URL categories.
    6. On the Options tab, set the action to No Decrypt.
    7. (Optional) Although the firewall does not decrypt or inspect the traffic for the session, you can attach a Decryption profile if you want to enforce checks on the server certificates used during the session. The Decryption profile allows you to configure the firewall to terminate the SSL connection when the server certificate is expired or when it is issued by an untrusted issuer.
       (Screenshot: use-case-decrypt-no.png)
    8. Click OK to save the policy rule.
  2. Create the Decryption policy rule that will decrypt all other traffic.
    1. Select the no-decrypt rule you created previously and then click Clone.
    2. Enter a Name and optionally enter a Description and Tag(s).
    3. On the URL Category tab, select financial-services and health-and-medicine and then click the Delete icon, so that the cloned rule matches any URL category.
    4. On the Options tab, set the action to Decrypt and the Type to SSL Forward Proxy.
    5. (Optional) Attach a Decryption profile to specify the server certificate verification, unsupported mode checks, and failure checks for the SSL traffic. See Configure SSL Forward Proxy for more details.
       (Screenshot: use-case-decrypt-yes.png)
    6. Ensure that this new decrypt rule is listed after the no-decrypt rule so that rule processing occurs in the correct order and websites in the financial-services and health-and-medicine URL categories are not decrypted. If the decrypt rule is listed first, it matches all traffic and the no-decrypt rule is never evaluated.
    7. Click OK to save the policy rule.
  3. (BrightCloud only) Enable cloud lookups to dynamically categorize a URL when its category is not available in the local database on the firewall.
    1. Access the CLI on the firewall.
    2. Enter the following commands to enable Dynamic URL Filtering:
       configure
       set deviceconfig setting url dynamic-url yes
       commit
  4. Save the configuration by clicking Commit.
    With these two Decryption policy rules in place, traffic destined for the financial-services or health-and-medicine URL categories is not decrypted, and all other traffic is decrypted. To verify, browse from the user zone to a site in each of the two categories and to a site in some other category, and confirm in the Traffic log that only the session to the other category is flagged as decrypted.
    Now that you have a basic understanding of the powerful features of URL filtering, App-ID, and User-ID, you can apply similar policies to your firewall to control any application in the Palo Alto Networks App-ID signature database and any website contained in the URL filtering database.
    For help in troubleshooting URL filtering issues, see Troubleshoot URL Filtering.
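The following Python script is an added example, not part of the original page and not Palo Alto Networks code. It models the two-rule Decryption rulebase above as top-down, first-match evaluation (source zone, destination zone, and URL category only) and adds a shadowing check, which is the failure that the rule-ordering step guards against: with the rules in the wrong order the catch-all decrypt rule matches every session and the financial-services and health-and-medicine exception is never reached. The zone names trust/untrust and the rule names are hypothetical, and the element layout produced by to_panos_xml is an assumption based on the PAN-OS configuration XML format; verify it against your PAN-OS version before using it with the XML API.

```python
"""Offline model of a PAN-OS Decryption rulebase (added example; not PAN-OS code).

Models only the match criteria this use case relies on (source zone,
destination zone, URL category). Zone and rule names are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional
import xml.etree.ElementTree as ET

ANY = "any"


@dataclass
class DecryptionRule:
    name: str
    from_zone: str                    # source zone (where the users are)
    to_zone: str                      # destination zone (connected to the Internet)
    categories: List[str]             # empty list means "any" URL category
    action: str                       # "no-decrypt" or "decrypt"
    rule_type: Optional[str] = None   # "ssl-forward-proxy" for the decrypt rule

    def matches(self, from_zone: str, to_zone: str, category: Optional[str]) -> bool:
        if self.from_zone not in (ANY, from_zone):
            return False
        if self.to_zone not in (ANY, to_zone):
            return False
        # An uncategorized session (category None) can only match a rule
        # whose category list is "any".
        return not self.categories or category in self.categories


def first_match(rulebase: List[DecryptionRule], from_zone: str, to_zone: str,
                category: Optional[str]) -> Optional[DecryptionRule]:
    """Top-down evaluation: the first rule that matches decides the session."""
    for rule in rulebase:
        if rule.matches(from_zone, to_zone, category):
            return rule
    return None


def decision(rulebase, category, from_zone="trust", to_zone="untrust") -> str:
    """Action applied to a session; with no matching rule the firewall does not decrypt."""
    rule = first_match(rulebase, from_zone, to_zone, category)
    return rule.action if rule else "no-decrypt"


def covers(earlier: DecryptionRule, later: DecryptionRule) -> bool:
    """True if every session the later rule could match is already taken by the earlier one."""
    if earlier.from_zone not in (ANY, later.from_zone):
        return False
    if earlier.to_zone not in (ANY, later.to_zone):
        return False
    if not earlier.categories:          # earlier rule matches any category
        return True
    return bool(later.categories) and set(later.categories) <= set(earlier.categories)


def shadowed_rules(rulebase: List[DecryptionRule]) -> List[str]:
    """Names of rules that can never be hit because an earlier rule covers them."""
    return [later.name for i, later in enumerate(rulebase)
            if any(covers(earlier, later) for earlier in rulebase[:i])]


def to_panos_xml(rule: DecryptionRule) -> str:
    """Render a rule as a config <entry>; layout is assumed from the PAN-OS config XML."""
    entry = ET.Element("entry", name=rule.name)
    for tag, members in (("from", [rule.from_zone]), ("to", [rule.to_zone]),
                         ("source", [ANY]), ("destination", [ANY]),
                         ("source-user", [ANY]), ("service", [ANY]),
                         ("category", rule.categories or [ANY])):
        parent = ET.SubElement(entry, tag)
        for member in members:
            ET.SubElement(parent, "member").text = member
    ET.SubElement(entry, "action").text = rule.action
    if rule.rule_type:
        ET.SubElement(ET.SubElement(entry, "type"), rule.rule_type)
    return ET.tostring(entry, encoding="unicode")


# The two rules from the use case (rule names and zones are hypothetical).
NO_DECRYPT_RULE = DecryptionRule("no-decrypt-finance-health", "trust", "untrust",
                                 ["financial-services", "health-and-medicine"], "no-decrypt")
DECRYPT_ALL_RULE = DecryptionRule("decrypt-all", "trust", "untrust", [],
                                  "decrypt", "ssl-forward-proxy")
CORRECT_ORDER = [NO_DECRYPT_RULE, DECRYPT_ALL_RULE]
WRONG_ORDER = [DECRYPT_ALL_RULE, NO_DECRYPT_RULE]

if __name__ == "__main__":
    for cat in ("financial-services", "health-and-medicine", "social-networking", None):
        print(f"{cat!s:22} correct order -> {decision(CORRECT_ORDER, cat):10} "
              f"wrong order -> {decision(WRONG_ORDER, cat)}")
    print("shadowed (correct order):", shadowed_rules(CORRECT_ORDER))
    print("shadowed (wrong order):  ", shadowed_rules(WRONG_ORDER))
    print(to_panos_xml(NO_DECRYPT_RULE))
```

Running the script shows that with the correct order the two protected categories resolve to no-decrypt and everything else to decrypt, while with the rules swapped every category resolves to decrypt and shadowed_rules names the no-decrypt rule. A session whose category is unknown (None in the model) falls through to the catch-all decrypt rule, which is why enabling the dynamic lookup in step 3 matters on BrightCloud deployments.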
