Device > Setup > Content-ID
Configure the Content-ID settings on your firewall.
Content-ID™ tab to define settings for URL filtering, data protection, and container pages.
Dynamic URL Cache Timeout
Editand enter the timeout in hours. This value is used in dynamic URL filtering to determine the length of time an entry remains in the cache after it is returned from the URL filtering service. This option is applicable to URL filtering using the BrightCloud database only. For more on URL filtering, select Objects > Security Profiles > URL Filtering.
URL Continue Timeout
Specify the interval following a user's
Continueaction before the user must press continue again for URLs in the same category (range is 1 to 86,400 minutes; default is 15).
URL Admin Override Timeout
Specify the interval after the user enters the
Admin Overridepassword before the user must re-enter that password for URLs in the same category (range is 1 to 86,400 minutes; default is 15).
Hold Client Request for Category Lookup
Enable this option to specify that when the firewall cannot find category information for a URL in its local cache, it holds the web request as it queries PAN-DB.
Category Lookup Timeout (sec)
Specify the amount of time, in seconds, that the firewall will try to look up the category for a URL before determining that the category is
not-resolved(range is 1 to 60 seconds; default is 2).
URL Admin Lockout Timeout
Specify the period of time that a user is locked out from attempting to use the URL Admin Override password after three unsuccessful attempts (range is 1 to 86,400 minutes; default is 30).
Required for connecting to a private PAN-DB server)
Specify the IPv4 address, IPv6 address, or FQDN for the private PAN-DB servers on your network. You can add up to 20 entries.
The firewall connects to the public PAN-DB cloud by default. The private PAN-DB solution is for enterprises that do not allow firewalls to directly access the PAN-DB servers in the public cloud. The firewalls access the servers included in this PAN-DB server list for the URL database, URL updates, and URL lookups for categorizing web pages.
URL Admin Override
Settings for URL Admin Override
For each virtual system that you want to configure for URL admin override,
Addand specify the settings that apply when a URL filtering profile blocks a page and the
Overrideaction is specified For details, see Objects > Security Profiles > URL Filtering.
You can also
Allow Forwarding of Decrypted Content
Enable this option to configure the firewall to forward decrypted content to an outside service when port mirroring or sending WildFire® files for analysis.
Enable this option and send all unknown files in decrypted traffic to WildFire for analysis.
For a firewall with multiple virtual system (multi-vsys) capability, you enable this option individually for each virtual system. Select
and select the virtual system on which you want to enable forwarding of decrypted content. This option is available in the Virtual System dialog.
Extended Packet Capture Length
Set the number of packets to capture when the extended-capture option is enabled in Anti-Spyware and Vulnerability Protection profiles (range is 1 to 50; default is 5).
Forward Segments Exceeding TCP App-ID™ Inspection Queue
Enable this option to forward segments and classify the application as
unknown-tcpwhen the App-ID queue exceeds the 64-segment limit. Use the following global counter to view the number of segments in excess of this queue regardless of whether you enabled or disabled this option:
Disable this option to prevent the firewall from forwarding TCP segments and skipping App-ID inspection when the App-ID inspection queue is full.
This option is disabled by default and you should leave it disabled for maximum security.
When you disable this option, you may notice increased latency on streams where more than 64 segments were queued awaiting App-ID processing.
Forward Segments Exceeding TCP Content Inspection Queue
Enable this option to forward TCP segments and skip content inspection when the TCP content inspection queue is full. The firewall can queue up to 64 segments while waiting for the content engine. When the firewall forwards a segment and skips content inspection due to a full content inspection queue, it increments the following global counter:
Disable this option to prevent the firewall from forwarding TCP segments and skipping content inspection when the content inspection queue is full. When you disable this option, the firewall drops any segments that exceed the queue limit and increments the following global counter:
This pair of global counters applies to both TCP and UDP packets. If, after viewing the global counters, you decide to change the setting, you can modify it from within the CLI using the following CLI command:
This option is enabled by default but Palo Alto Networks recommends that you disable this option for maximum security. However, due to TCP retransmissions for dropped traffic, disabling this option can result in performance degradation and some applications can incur loss of functionality—particularly in high-volume traffic environments.
Forward Datagrams Exceeding UDP Content Inspection Queue
Enable this option to forward UDP datagrams and skip content inspection when the UDP content inspection queue is full. The firewall can queue up to 64 datagrams while waiting for a response from the content engine. When the firewall forwards a datagram and skips content inspection due to a UDP content inspection queue overflow, it increments the following global counter:
Disable this option to prevent the firewall from forwarding datagrams and skipping content inspection when the UDP content inspection queue is full. With this option disabled, the firewall drops any datagrams that exceed the queue limit and increments the following global counter:
This pair of global counters applies to both TCP and UDP packets. If, after viewing the global counters, you decide to change the setting, you can modify it from within the CLI using the following command:
This option is enabled by default but Palo Alto Networks recommends that you disable this option for maximum security. However, due to dropped packets, disabling this option can result in performance degradation and some applications can incur loss of functionality—particularly in high-volume traffic environments.
Allow HTTP partial response
Enable this HTTP partial response option to enable a client to fetch only part of a file. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with an RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. This prevents the firewall from triggering the same signature again due to the lack of context into the initial session while, at the same time, allows the web browser to reassemble the file and deliver the malicious content; to prevent this, make sure to disable this option.
Allow HTTP partial responseis enabled but Palo Alto Networks recommends that you disable this option for maximum security. Disabling this option should not impact device performance; however, HTTP file transfer interruption recovery may be impaired. In addition, disabling this option can impact streaming media services, such as Netflix, Microsoft Updates, and Palo Alto Networks content updates.
Real-Time Signature Lookup
DNS Signature Lookup Timeout (ms)
Specify the duration of time, in milliseconds, for the firewall to query the DNS Security service. If the cloud does not respond before the end of the specified period, the firewall releases the associated DNS response to the requesting client (range is 0 to 60,000; default is 80).
Use X-Forwarded-For Header in User-ID
Enable this option to specify that User-ID reads IP addresses from the X-Forwarded-For (XFF) header in client requests for web services when the firewall is deployed between the internet and a proxy server that would otherwise hide client IP addresses. User-ID matches the IP addresses it reads with usernames that your policies reference so that those policies can control and log access for the associated users and groups. If the header has multiple IP addresses, User-ID uses the first entry from the left.
In some cases, the header value is a character string instead of an IP address. If the string matches a username that User-ID mapped to an IP address, the firewall uses that username for group mapping references in policies. If no IP address-mapping exists for the string, the firewall invokes the policy rules in which the source user is set to
URL Filtering logs display the matched usernames in the Source User field. If User-ID cannot perform the matching or is not enabled for the zone associated with the IP address, the Source User field displays the XFF IP address with the prefix
Enable using the XFF header in User-ID so that the original client IP address appears in the logs to help you when you need to investigate an issue.
Enable this option to remove the X-Forwarded-For (XFF) header, which contains the IP address of a client requesting a web service when the firewall is deployed between the internet and a proxy server. The firewall zeroes out the header value before forwarding the request: the forwarded packets don’t contain internal source IP information.
Enabling this option does not disable the use of XFF headers for user attribution in policies; the firewall zeroes out the XFF value only after using it for user attribution.
When you enable the use of XFF headers in User-ID, also enable stripping the XFF header before forwarding the packet to protect user privacy without losing the ability to track users. Enabling both options allows you to log and track original user IP addresses while at the same time protecting user privacy by not forwarding their original IP address.
Manage Data Protection
Add additional protection for access to logs that may contain sensitive information, such as credit card or social security numbers.
Manage Data Protectionto perform the following tasks:
Use these settings to specify the types of URLs that the firewall will track or log based on content type, such as application/pdf, application/soap+xml, application/xhtml+, text/html, text/plain, and text/xml. Container pages are set per virtual system, which you select from the
Locationdrop-down. If a virtual system does not have an explicit container page defined, the firewall uses the default content types.
Addand enter a content type or select an existing content type.
Adding new content types for a virtual system overrides the default list of content types. If there are no content types associated with a virtual system, the default list of content types is used.
Recommended For You
Recommended videos not found.