URL Filtering Use Cases

Explore the different ways you can use URL categories to control how users interact with the web.
There are many ways to use URL Filtering beyond only blocking and allowing certain sites. For example, you can use multiple categories per URL to allow users to access a site, but block particular functions like submitting corporate credentials or downloading files. You can also use URL categories to enforce different types of policy, such as Authentication, Decryption, QoS, and Security.
Read on for more about the different ways that you can use URL Filtering.

Control web access based on URL category

You can create a URL Filtering profile that specifies an action for a URL category and attach the profile to a policy rule. The firewall enforces policy against traffic based on the settings in the profile. For example, to block all gaming websites you could set the block action for the URL category
in the URL profile and attach it to the security policy rule(s) that allow web access.

Multi-Category URL Filtering

Every URL can have up to four categories, including a risk category that indicates the likelihood a site will expose you to threats. More granular URL categorizations means that you can move beyond a basic “block-or-allow” approach to web access. Instead, you can control how your users
with online content that, while necessary for business, is more likely to be used as part of a cyberattack.
For instance, you might consider certain URL categories risky to your organization, but are hesitant to block them outright as they also provide valuable resources or services (like cloud storage services or blogs). Now, you can allow users to visit sites that fall into these types of URL categories while you protect your network by decrypting and inspecting traffic and enforcing read-only access to the content.
For a URL category that you want to tightly control, set the URL Filtering profile action to alert as part of the steps to Configure URL Filtering. Then continue to follow the URL Filtering Best Practices: decrypt the URL category, block dangerous file downloads, and turn on credential phishing prevention.

Block or allow corporate credential submissions based on URL category

Prevent Credential Phishing by enabling the firewall to detect corporate credential submissions to sites, and then control those submissions based on URL category. Block users from submitting credentials to malicious and untrusted sites, warn users against entering corporate credentials on unknown sites or reusing corporate credentials on non-corporate sites, and explicitly allow users to submit credentials to corporate and sanctioned sites.

Enforce Safe Search Settings

Many search engines have a safe search setting that filters out adult images and videos from search results. You can enable the firewall to block search results if the end user is not using the strictest safe search settings, and you can transparently enable safe search for your users. The firewall supports safe search enforcement for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube. See how to get started with Safe Search Enforcement.

Enforce Password Access to Certain Sites

You can block access to a site for most users while allowing certain users to access the site. See how to Allow Password Access to Certain Sites.

Block high-risk file downloads from certain URL categories

You can block high-risk file downloads from specific URL categories by creating a security policy with a File Blocking profile attached.

Enforce Security, Decryption, Authentication, and QoS policies based on URL category

You can enforce different types of firewall policies based on URL categories. For example, suppose you have enabled Decryption, but you want to exclude certain personal information from being decrypted. In this case you could create a decryption policy rule that excludes websites that match the URL categories
from decryption. Another example would be to use the URL category
in a QoS policy to apply bandwidth controls to websites that fall in to this category.
The following table describes the policies that accept URL categories as match criteria:
Policy Type
You can also use URL categories to phase-in decryption, and to exclude URL categories that might contain sensitive or personal information from decryption (like financial-services and health-and-medicine).
Plan to decrypt the riskiest traffic first (URL Categories most likely to harbor malicious traffic, such as gaming or high-risk) and then decrypt more as you gain experience. Alternatively, decrypt the URL Categories that don’t affect your business first (if something goes wrong, it won’t affect business), for example, news feeds. In both cases, decrypt a few URL Categories, listen to user feedback, run reports to ensure that decryption is working as expected, and then gradually decrypt a few more URL Categories, and so on. Plan to make decryption exclusions to exclude sites from decryption if you can’t decrypt them for technical reasons or because you choose not to decrypt them.
Decrypting traffic based on URL categories is a best practice for both URL Filtering and Decryption.
To ensure that users authenticate before being allowed access to a specific category, you can attach a URL category as a match criterion for Authentication policy rules.
Use URL categories to allocate throughput levels for specific website categories. For example, you may want to allow the
category, but limit throughput by adding the URL category to a QoS policy rule.
In security policy rules, you can use URL categories in two ways:
  • Enforce policy based on URL categories by selecting them as match criteria.
  • Attach a URL Filtering profile that specifies the policy action for each category.
If for example, the IT-security group in your company needs access to the
category, but all other users are denied access to the category, you must create the following rules:
  • A Security policy rule that allows the IT-Security group to access content categorized as
    . The Security policy rule references the
    category in the
    Services/URL Category
    tab and IT-Security group in the
  • Another Security policy rule that allows general web access for all users. To this rule you attach a URL filtering profile that blocks the
You must list the policy that allows access to
before the policy that blocks
. This is because the firewall evaluates security policy rules from the top down, so when a user who is part of the security group attempts to access a
site, the firewall evaluates the policy rule that allows access first and grants the user access. The firewall evaluates users from all other groups against the general web access rule that blocks access to the

Recommended For You