Configuring URL Filtering on Palo-Alto Firewalls

Today I am going to talk about the URL filtering concept and how we can implement the URL filtering feature on Palo-Alto firewalls. Before we start implementing URL filtering on PAN firewalls, we first need to understand what URL filtering means.

URL Filtering
URL filtering lets us control access to Internet websites by permitting or denying access to specific websites based on information contained in a URL list. We can maintain a local URL list on the router, and we can use URL lists stored on Secure Computing URL filter list servers.

In short, a URL filtering solution lets an administrator monitor and control how users access the web over HTTP and HTTPS, that is, their connections to the various websites on the Internet. With the help of URL filtering we can protect our network from phishing attacks.

Fig 1.1- URL Filtering Profiling
What are the URL filtering categories an administrator can define for the network?
Below are the various methods to define URL filtering in the network.

  • Block or permit user traffic based on URL category: We can create a URL Filtering profile that specifies an action for each URL category and assign the profile to a policy. Traffic that matches the policy is then subject to the URL filtering settings in the profile. For example, to block all Facebook and YouTube websites you would set the block action for the URL category social media in the URL profile, where you define that these websites need to be blocked.
  • Enforce policy based on URL category: If we need a specific policy rule to apply only to web traffic to sites in a particular category, use the site's URL category as match criteria when you create the policy rule. For example, you could use the URL category gaming in a QoS policy to apply bandwidth controls to all websites that are categorised as gaming sites.
  • Block or allow corporate credential submissions based on URL category: Prevent credential phishing by enabling the firewall to detect corporate credential submissions to sites, and then block or permit those submissions based on URL category. Block users from submitting credentials to malicious and unknown sites, warn users against entering corporate credentials on unknown sites or against reusing corporate credentials on non-corporate sites, and explicitly permit users to submit credentials to corporate and sanctioned sites.

How can we define URL filtering policies on PAN firewalls?
Before putting policies in place you need to understand the requirement and categorize the websites according to which sites need to be allowed and which need to be blocked. Once you have built that set of websites and created the database, you can create the policies.

Step-1
The first step is to create the URL Filtering profile on the PAN firewall. To do that, define the profile below in the PAN GUI:
Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.

Step-2
Now that you have created the URL Filtering profile, it's time to define the site access for each URL category. Select Categories and set the Site Access for each URL category:
  • Select allow to permit traffic to the URL category. Allowed traffic is not logged.
  • Select alert to have visibility into the sites users are accessing. Matching traffic is allowed, but a URL Filtering log is generated to record when a user accesses a site in the category.
  • Select block to deny access to traffic that matches the category and to enable logging of the blocked traffic.
  • Select continue to display a page to users with a warning and require them to click Continue to proceed to a site in the category.
  • To only permit access if users specify a configured password, select override. For more details on this setting, see Allow Password Access to Certain Sites.

Step-3
Now you need to configure the URL Filtering profile to detect corporate credential submissions to websites that are in allowed URL categories.
  • Select User Credential Detection.
  • Select one of the methods under this category: "IP User Mapping", "Domain Credential Filter" or "Group Mapping".
  • Set the Valid Username Detected Log Severity the firewall uses to log detection of corporate credential submissions.

Step-4
It's time to permit or deny users from submitting corporate credentials to sites based on URL category:
  • Alert: Permit users to submit credentials to the website, but generate a URL Filtering alert log each time a user submits credentials to sites in this URL category.
  • Allow: Permit users to submit credentials to the website.
  • Block: Show the Anti Phishing Block Page to block users from submitting credentials to the website.
  • Continue: Present the Anti Phishing Continue Page to require users to click Continue to access the site.

Step-5
Now define the URL category exception list in the firewall database to specify websites that should always be blocked or permitted.

Step-6
Enable Safe Search Enforcement and Log only Container Pages for URL filtering events.
Select URL Filtering Settings. The Log container page only option is enabled by default so that only the main page that matches the category is logged, not subsequent pages/categories that may be loaded within the container page. To enable logging for all pages/categories, clear the Log container page only check box.

Step-7
Enable HTTP Header Logging for one or more of the supported HTTP header fields, such as User-Agent, Referer and X-Forwarded-For. After that, save the URL Filtering profile, confirm your changes by clicking OK, and click Commit.
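
The Site Access actions from Step 2 and the credential submission actions from Step 4 interact, so it helps to review a planned profile for visibility gaps before committing it. The following is an added example, not code from the original post or from Palo Alto Networks; the dict layout, the category names and the audit_profile function are hypothetical and the sample profile is constructed.

```python
# Added example: audit a planned URL Filtering profile for visibility gaps.
# The dict layout is hypothetical (not a PAN-OS export format); the action
# names and their meaning follow Steps 2 and 4 of this page.

PASSING = {"allow", "alert", "continue", "override"}  # user can reach the site
SITE_ACTIONS = PASSING | {"block"}                    # Step 2 choices
CRED_ACTIONS = {"allow", "alert", "block", "continue"}  # Step 4 choices


def audit_profile(profile, sanctioned=frozenset()):
    """Return sorted (category, finding) tuples for one profile.

    sanctioned: categories where unrestricted credential submission is
    intended (corporate and sanctioned sites).
    """
    findings = []
    for category, actions in profile.items():
        site = actions.get("site_access")
        cred = actions.get("credential_submission")
        if site not in SITE_ACTIONS or cred not in CRED_ACTIONS:
            findings.append((category, "unrecognised action"))
            continue
        # Step 2: allowed traffic is not logged, so there is no record.
        if site == "allow":
            findings.append((category, "site access not logged"))
        # Step 4: "allow" lets credentials through with no alert log.
        if site in PASSING and cred == "allow" and category not in sanctioned:
            findings.append((category, "credential submission unrestricted"))
    return sorted(findings)


# Constructed sample profile; category names are illustrative only.
SAMPLE_PROFILE = {
    "corporate-intranet": {"site_access": "allow", "credential_submission": "allow"},
    "social-media": {"site_access": "block", "credential_submission": "block"},
    "gaming": {"site_access": "alert", "credential_submission": "allow"},
    "unknown": {"site_access": "continue", "credential_submission": "block"},
    "news": {"site_access": "allow", "credential_submission": "alert"},
    "webmail": {"site_access": "alert", "credential_submission": "permit"},
}

if __name__ == "__main__":
    for category, finding in audit_profile(SAMPLE_PROFILE, {"corporate-intranet"}):
        print(f"{category}: {finding}")
```
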