URL Filtering Best Practices
Palo Alto Networks URL Filtering protects you from web-based threats, and gives you a simple way to monitor and control web activity. To get the most out of URL Filtering, you should start by creating allow rules for the applications you rely on to do business. Then, review the URL categories that classify malicious and exploitive content—we recommend that you block these outright. Then, for everything else, these best practices can guide you how to reduce your exposure to web-based threats, without limiting your users’ access to web content that they need.
- Allowed applications include not only the applications you provision and administer for business and infrastructure purposes, but also the applications that your users need to get their jobs done and applications you might want to allow for personal use.After you’ve identified these sanctioned applications, you can use URL Filtering to control and secure all the web activity that is not on the allow list.
- Get visibility in to your users web activity so you can plan the most effective URL Filtering policy for your organization, and roll it out smoothly. This includes:
- Starting with a (mostly) passive URL Filtering profile that alerts on URL categories. This gives you visibility into the sites your users are accessing, so you can decide what you want to allow, limit, and block.
- Monitoring web activity to assess the sites your users are accessing and see how they align with your business needs.
- Block URL categories that classify malicious and exploitive web content. While we know that these categories are dangerous, always keep in mind that the URL categories that you decide to block might depend on your business needs.
- Use URL categories to phase-in decryption, and to exclude sensitive or personal information (like financial-services and health-and-medicine) from decryption.Plan to decrypt the riskiest traffic first (URL Categories most likely to harbor malicious traffic, such as gaming or high-risk) and then decrypt more as you gain experience. Alternatively, decrypt the URL Categories that don’t affect your business first (if something goes wrong, it won’t affect business), for example, news feeds. In both cases, decrypt a few URL Categories, listen to user feedback, run reports to ensure that decryption is working as expected, and then gradually decrypt a few more URL Categories, and so on. Plan to make decryption exclusions to exclude sites from decryption if you can’t decrypt them for technical reasons or because you choose not to decrypt them.
- Prevent credential theft by enabling the firewall to detect corporate credential submissions to sites, and then control those submissions based on URL category. Block users from submitting credentials to malicious and untrusted sites, warn users against entering corporate credentials on unknown sites or reusing corporate credentials on non-corporate sites, and explicitly allow users to submit credentials to corporate and sanctioned sites.
- The web content that you sanction and the malicious URL categories that you block outright are just one portion of your overall web traffic. The rest of the content your users are accessing is a combination of benign (low-risk) and risky content (high-risk and medium-risk). High-risk and medium-risk content is not confirmed malicious but is closely associated with malicious sites. For example, a high-risk URL might be on the same domain as a malicious site, or maybe it hosted malicious content in the past.However, many sites that pose a risk to your organization also provide valuable resources and services to your users (cloud storage services are a good example). While these resources and services are necessary for business, they are also more likely to be used as part of a cyberattack. Here’s how to control how users interact with this potentially-dangerous content, while still providing them a good user experience:
- In a URL Filtering profile, set the high-risk and medium-risk categories tocontinueto display a response page that warns users they’re visiting a potentially-dangerous site. Advise them how to take precautions if they decide to continue to the site. If you don’t want to prompt users with a response page, alert on the high-risk and medium-risk categories instead.
- Schools or educational institutions should use safe search enforcement to make sure that search engines filter out adult images and videos from search results. You can even transparently enable safe search for users.
- Enable the firewall to hold an initial web request as it looks up a website’s URL category with PAN-DB.When a user visits a website, a firewall with URL Filtering enabled checks its local cache of URL categories to categorize the site. If the firewall doesn’t find the URL’s category in the cache, it performs a lookup in PAN-DB, the Palo Alto Networks URL database. By default, the firewall allows the user’s web request during this cloud lookup and enforces policy when the server responds.But when you choose to hold web requests, the firewall blocks the request until it either finds the URL category or times out. If the lookup times out, the firewall considers the URL category not-resolved.
- In, check the box forDeviceSetupContent-IDHold client request for category lookup.
Recommended For You
Recommended videos not found.