Device > Setup > Content-ID

Use the Content-ID™ tab to define settings for URL filtering, data protection, and container pages.

| Content-ID Settings | Description |
|---|---|
| **URL Filtering** | |
| Dynamic URL Cache Timeout | Click Edit and enter the timeout (in hours). Dynamic URL filtering uses this value to determine how long an entry remains in the cache after the URL filtering service returns it. This option applies only to URL filtering with the BrightCloud database. For more on URL filtering, select Objects > Security Profiles > URL Filtering. |
| URL Continue Timeout | Specify the interval following a user's continue action before the user must press continue again for URLs in the same category (range is 1 to 86,400 minutes; default is 15). |
| URL Admin Override Timeout | Specify the interval after the user enters the admin override password before the user must re-enter the admin override password for URLs in the same category (range is 1 to 86,400 minutes; default is 15). |
| URL Admin Lockout Timeout | Specify the period of time that a user is locked out from attempting to use the URL Admin Override password following three unsuccessful attempts (range is 1 to 86,400 minutes; default is 30). |
| PAN-DB Server (required for connecting to a private PAN-DB server) | Specify the IPv4 address, IPv6 address, or FQDN of the private PAN-DB server(s) on your network. You can enter up to 20 entries. By default, the firewall connects to the public PAN-DB cloud. The private PAN-DB solution is for enterprises that do not allow their firewalls to access the PAN-DB servers in the public cloud directly. The firewalls use the servers in this list for the URL database, URL updates, and URL lookups for categorizing web pages. |
| **URL Admin Override** | |
| Settings for URL Admin Override | For each virtual system that you want to configure for URL admin override, click Add and specify the settings that apply when a URL filtering profile blocks a page and the Override action is specified (for details, select Objects > Security Profiles > URL Filtering). Click delete to remove an entry. |
| **Content-ID Settings** | |
| Allow forwarding of decrypted content | Select this option to allow the firewall to forward decrypted content to an outside service, for example when port mirroring or when sending WildFire files for analysis. Enable this option to send all unknown files in decrypted traffic to WildFire for analysis. On a firewall with multiple virtual system (multi-vsys) capability, you enable this option individually for each virtual system (select Device > Virtual Systems). |
| Extended Packet Capture Length | Set the number of packets to capture when the extended-capture option is enabled in Anti-Spyware and Vulnerability Protection profiles (range is 1 to 50; default is 5). |
| Forward segments exceeding TCP App-ID™ inspection queue | Select this option to forward segments and classify the application as unknown-tcp when the App-ID queue exceeds the 64-segment limit. Use the global counter appid_exceed_queue_limit to view the number of segments in excess of this queue, regardless of whether this option is enabled or disabled. Disable this option to prevent the firewall from forwarding TCP segments and skipping App-ID inspection when the App-ID inspection queue is full. This option is disabled by default, and you should leave it disabled for maximum security. When this option is disabled, you may notice increased latency on streams where more than 64 segments were queued awaiting App-ID processing. |
| Forward segments exceeding TCP content inspection queue | Select this option to forward TCP segments and skip content inspection when the TCP content inspection queue is full. The firewall can queue up to 64 segments while waiting for the content engine. When the firewall forwards a segment and skips content inspection because the content inspection queue is full, it increments a global counter. Disable this option to prevent the firewall from forwarding TCP segments and skipping content inspection when the content inspection queue is full. With this option disabled, the firewall drops any segments that exceed the queue limit and increments a second global counter. This pair of global counters applies to both TCP and UDP packets. If, after viewing the global counters, you decide to change the setting, you can modify it from the CLI. This option is enabled by default; however, Palo Alto Networks recommends that you disable it for maximum security. Keep in mind that, because of TCP retransmissions for dropped traffic, disabling this option could degrade performance, and some applications could lose functionality, particularly in high-volume traffic situations. |
| Forward datagrams exceeding UDP content inspection queue | Select this option to forward UDP datagrams and skip content inspection when the UDP content inspection queue is full. The firewall can queue up to 64 datagrams while waiting for a response from the content engine. When the firewall forwards a datagram and skips content inspection because the UDP content inspection queue has overflowed, it increments a global counter. Disable this option to prevent the firewall from forwarding datagrams and skipping content inspection when the UDP content inspection queue is full. With this option disabled, the firewall drops any datagrams that exceed the queue limit and increments a second global counter. This pair of global counters applies to both TCP and UDP packets. If, after viewing the global counters, you decide to change the setting, you can modify it from the CLI. This option is enabled by default; however, Palo Alto Networks recommends that you disable it for maximum security. Keep in mind that, because of dropped packets, disabling this option could degrade performance, and some applications could lose functionality, particularly in high-volume traffic situations. |
| Allow HTTP partial response | Select this option to enable the HTTP partial response option, which allows a client to fetch only part of a file. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with an RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. Because the firewall lacks context from the initial session, the same signature is not triggered again, and the web browser can reassemble the file and deliver the malicious content. To prevent this, make sure this option is disabled. By default, Allow HTTP partial response is enabled; however, Palo Alto Networks recommends that you disable this option for maximum security. Disabling this option should not affect device performance, but HTTP file transfer interruption recovery may be impaired. Disabling it can also affect streaming media services, such as Netflix, Microsoft Updates, and Palo Alto Networks content updates. |
| **Realtime Signature Lookup** | |
| DNS Signature Lookup Timeout (ms) | Specify the duration in milliseconds that the firewall waits for a response when it queries the DNS Security service. If the cloud does not respond before the end of the specified period, the firewall releases the associated DNS response to the requesting client (range is 0 to 60,000; default is 80). |
| **X-Forwarded-For Headers** | |
| Use X-Forwarded-For Header in User-ID | Select this option so that User-ID reads IP addresses from the X-Forwarded-For (XFF) header in client requests for web services when the firewall is deployed between the Internet and a proxy server that would otherwise hide client IP addresses. User-ID matches the IP addresses it reads with usernames that your policies reference, so that those policies can control and log access for the associated users and groups. If the header has multiple IP addresses, User-ID uses the first entry from the left. In some cases, the header value is a character string instead of an IP address. If the string matches a username that User-ID has mapped to an IP address, the firewall uses that username for group mapping references in policies. If no IP address mapping exists for the string, the firewall invokes the policy rules in which the source user is set to any or unknown. URL Filtering logs display the matched usernames in the Source User field. If User-ID cannot perform the matching or is not enabled for the zone associated with the IP address, the Source User field displays the XFF IP address with the prefix x-fwd-for. Enable using the XFF header in User-ID so that the original client IP address appears in the logs in case you need to investigate an issue. |
| Strip-X-Forwarded-For Header | Select this option to remove the X-Forwarded-For (XFF) header, which contains the IP address of a client requesting a web service when the firewall is deployed between the Internet and a proxy server. The firewall zeroes out the header value before forwarding the request, so the forwarded packets don't contain internal source IP information. Selecting this option doesn't disable the use of XFF headers for user attribution in policies; the firewall zeroes out the XFF value only after using it for user attribution. When you enable using the XFF header in User-ID, also enable stripping the XFF header before forwarding the packet, to protect user privacy without losing the ability to track users. Enabling both options lets you log and track original user IP addresses while protecting users' privacy by not forwarding their original IP address. |
| **Content-ID Features** | |
| Manage Data Protection | Add additional protection for access to logs that may contain sensitive information, such as credit card numbers or social security numbers. Click Manage Data Protection to configure it. |
| Container Pages | Use these settings to specify the types of URLs that the firewall will track or log based on content type, such as application/pdf, application/soap+xml, application/xhtml+, text/html, text/plain, and text/xml. Container pages are set per virtual system, which you select from the Location drop-down. If a virtual system does not have an explicit container page defined, the default content types are used. Click Add and enter or select a content type. Adding new content types for a virtual system overrides the default list of content types; if no content types are associated with a virtual system, the default list is used. |
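The URL Admin Override Timeout and URL Admin Lockout Timeout rows above describe a per-user, per-category override window and a lockout after three failed password attempts. The following is an added model of that behaviour, not PAN-OS code: it uses the page's defaults (15-minute override, 30-minute lockout, three attempts), tracks time as a plain minute counter, and the class, method names and return strings are all hypothetical.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Defaults as stated on the page (minutes / attempts).
OVERRIDE_TIMEOUT_MIN = 15
LOCKOUT_TIMEOUT_MIN = 30
MAX_FAILED_ATTEMPTS = 3


@dataclass
class OverrideState:
    """Hypothetical per-user state: override expiry per URL category, plus lockout bookkeeping."""
    overrides: Dict[str, float] = field(default_factory=dict)  # category -> expiry (minutes)
    failed_attempts: int = 0
    locked_until: Optional[float] = None


class UrlAdminOverride:
    """Model of the override/lockout timers; 'now' is a minute counter supplied by the caller."""

    def __init__(self, password: str,
                 override_timeout: float = OVERRIDE_TIMEOUT_MIN,
                 lockout_timeout: float = LOCKOUT_TIMEOUT_MIN) -> None:
        self._password = password
        self.override_timeout = override_timeout
        self.lockout_timeout = lockout_timeout
        self._users: Dict[str, OverrideState] = {}

    def is_allowed(self, user: str, category: str, now: float) -> bool:
        """True while the user's override for this category has not expired."""
        state = self._users.get(user)
        return state is not None and state.overrides.get(category, -1.0) > now

    def attempt(self, user: str, category: str, password: str, now: float) -> str:
        """Returns 'allowed', 'denied' (wrong password) or 'locked_out'."""
        state = self._users.setdefault(user, OverrideState())
        if state.locked_until is not None and now < state.locked_until:
            return "locked_out"
        # Constant-time comparison; a real system compares against a stored hash.
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            state.failed_attempts += 1
            if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
                state.locked_until = now + self.lockout_timeout
                state.failed_attempts = 0
                return "locked_out"
            return "denied"
        state.failed_attempts = 0
        # The override is scoped to the category; other categories still need the password.
        state.overrides[category] = now + self.override_timeout
        return "allowed"
```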
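The two X-Forwarded-For rows above describe how User-ID attributes a request from the XFF header (leftmost entry, IP-to-user lookup, username-string fallback, x-fwd-for prefix when no match) and how the strip option zeroes the header only after attribution. Below is an added illustration of that decision logic, not PAN-OS code: the mapping table and header values are constructed, the separator after the x-fwd-for prefix is assumed, and the zeroed header is represented as an empty string.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the User-ID IP-to-username mapping table (hypothetical values).
IP_USER_MAP = {
    "10.1.1.25": "acme\\jdoe",
    "10.1.1.40": "acme\\asmith",
}


@dataclass
class Attribution:
    source_user: str          # what the Source User log field would show
    forwarded_xff: str        # XFF value sent upstream ("" models the zeroed-out header)


def leftmost_entry(xff: str) -> str:
    """User-ID uses the first entry from the left when the header lists several."""
    return xff.split(",")[0].strip()


def attribute(xff: str, *, user_id_enabled: bool, strip_xff: bool) -> Attribution:
    entry = leftmost_entry(xff)
    # Stripping happens after attribution, so the decision below still sees the value.
    forwarded = "" if strip_xff else xff
    if not user_id_enabled:
        return Attribution(f"x-fwd-for {entry}", forwarded)
    try:
        ip = str(ipaddress.ip_address(entry))
    except ValueError:
        # Character string rather than an IP: usable only if it is a username User-ID has mapped.
        if entry in IP_USER_MAP.values():
            return Attribution(entry, forwarded)
        return Attribution("unknown", forwarded)   # rules with source user any/unknown apply
    user = IP_USER_MAP.get(ip)
    if user is None:
        return Attribution(f"x-fwd-for {ip}", forwarded)  # no mapping: log the raw XFF IP
    return Attribution(user, forwarded)
```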