386 • PAN-OS 6.1 Administrator’s Guide
© Palo Alto Networks, Inc.
Enable a URL Filtering Vendor
URL Filtering
Enable PAN-DB URL Filtering
Step 1 Obtain and install a PAN-DB URL filtering license and confirm that it is installed.
If the license expires, PAN-DB URL filtering continues to work based on the URL category information that exists in the dataplane and management plane caches. However, URL cloud lookups and other cloud-based updates will not function until you install a valid license.
1. Select Device > Licenses and, in the License Management section, select the license installation method:
   • Activate feature using authorization code
   • Retrieve license keys from license server
   • Manually upload license key
2. After installing the license, confirm that the PAN-DB URL Filtering section, Date Expires field, displays a valid date.
Step 2 Download the initial seed database and activate PAN-DB URL filtering.
The firewall must have Internet access; you cannot manually upload the PAN-DB.
1. In the PAN-DB URL Filtering section, Download Status field, click Download Now.
2. Choose a region (North America, Europe, APAC, Japan) and then click OK to start the download.
3. After the download completes, click Activate.
If PAN-DB is already the active URL filtering vendor and you click Re-Download, this will reactivate PAN-DB by clearing the dataplane and management plane caches and replacing them with the contents of the new seed database. You should avoid doing this unless it is necessary, as you will lose your cache, which is customized based on the web traffic that has previously passed through the firewall based on user activity.
Step 3 Schedule the firewall to download dynamic updates for Applications and Threats.
A Threat Prevention license is required to receive content updates, which covers Antivirus and Applications and Threats.
1. Select Device > Dynamic Updates.
2. In the Schedule field in the Applications and Threats section, click the None link to schedule periodic updates.
You can only schedule dynamic updates if the firewall has direct Internet access. If updates are already scheduled in a section, the link text displays the schedule settings.
The Applications and Threats updates might contain updates for URL filtering related to the Safe Search Enforcement option in the URL filtering profile (Objects > Security Profiles > URL Filtering). For example, if Palo Alto Networks adds support for a new search provider vendor or if the method used to detect the Safe Search setting for an existing vendor changes, the Applications and Threats updates will include that update.
Copyright © 2007-2015 Palo Alto Networks
Enable BrightCloud URL Filtering
Step 1 Obtain and install a BrightCloud URL filtering license and confirm that it is installed.
BrightCloud has an option in the URL filtering profile (Objects > Security Profiles > URL Filtering) to either allow all categories or block all categories if the license expires.
1. Select Device > Licenses and, in the License Management section, select the license installation method:
   • Activate feature using authorization code
   • Retrieve license keys from license server
   • Manually upload license key
2. After installing the license, confirm that the BrightCloud URL Filtering section, Date Expires field, displays a valid date.
Step 2 Install the BrightCloud database.
The way you do this depends on whether or not the firewall has direct Internet access.
Firewall with Direct Internet Access
In the Device > Licenses page, BrightCloud URL Filtering section, Active field, click the Activate link to install the BrightCloud database. This operation automatically initiates a system reset.
Firewall without Direct Internet Access
1. Download the BrightCloud database to a host that has Internet access. The firewall must have access to the host:
   a. On a host with Internet access, go to the Palo Alto Support website (https://support.paloaltonetworks.com) and log in.
   b. In the Resources section, click Dynamic Updates.
   c. In the BrightCloud Database section, click Download and save the file to the host.
2. Upload the database to the firewall:
   a. Log in to the firewall, select Device > Dynamic Updates and click Upload.
   b. For the Type, select URL Filtering.
   c. Enter the path to the File on the host or click Browse to find it, then click OK. When the Status is Completed, click Close.
3. Install the database:
   a. In the Device > Dynamic Updates page, click Install From File.
   b. For the Type, select URL Filtering. The firewall automatically selects the file you just uploaded.
   c. Click OK and, when the Result is Succeeded, click Close.
Step 3 Enable cloud lookups for dynamically categorizing a URL if the category is not available on the local BrightCloud database.
1. Access the firewall CLI.
2. Enter the following commands to enable dynamic URL filtering:
   configure
   set deviceconfig setting url dynamic-url yes
   commit
Step 4 Schedule the firewall to download dynamic updates for Applications and Threats signatures and URL filtering.
You can only schedule dynamic updates if the firewall has direct Internet access.
The Applications and Threats updates might contain updates for URL filtering related to the Safe Search Enforcement option in the URL filtering profile. For example, if Palo Alto Networks adds support for a new search provider vendor or if the method used to detect the Safe Search setting for an existing vendor changes, the Applications and Threats updates will include that update.
BrightCloud updates include a database of approximately 20 million websites that are stored on the firewall drive. You must schedule the URL filtering updates to receive database updates.
A Threat Prevention license is required to receive content updates, which covers Antivirus and Applications and Threats.
1. Select Device > Dynamic Updates.
2. In the Applications and Threats section, Schedule field, click the None link to schedule periodic updates.
3. In the URL Filtering section, Schedule field, click the None link to schedule periodic updates.
If updates are already scheduled in a section, the link text displays the schedule settings.
Determine URL Filtering Policy Requirements
The recommended practice for deploying URL filtering in your organization is to start with a passive URL filtering profile that alerts on most categories. After setting the alert action, monitor user web activity for a few days to determine patterns in web traffic. You can then make decisions on the websites and website categories that should be controlled.
In the procedure that follows, threat-prone sites are set to block and the other categories are set to alert, which causes all website traffic to be logged. This can create a large amount of log files, so it is best to do this for initial monitoring purposes to determine the types of websites your users are accessing. After determining the categories that your company approves of, set those categories to allow, which will not generate logs. You can also reduce URL filtering logs by enabling the Log container page only option in the URL Filtering profile, so only the main page that matches the category is logged, not subsequent pages/categories that may be loaded within the container page.
Configure and Apply a Passive URL Filtering Profile
Step 1 Create a new URL Filtering profile.
1. Select Objects > Security Profiles > URL Filtering.
2. Select the default profile and then click Clone. The new profile will be named default-1.
3. Select the default-1 profile and rename it. For example, rename it to URL-Monitoring.
Step 2 Configure the action for all categories to alert, except for threat-prone categories, which should remain blocked.
To select all items in the category list from a Windows system, click the first category, then hold down the shift key and click the last category; this will select all categories. Hold the control key (ctrl) down and click items that should be deselected. On a Mac, do the same using the shift and command keys. You could also just set all categories to alert and manually change the recommended categories back to block.
1. In the section that lists all URL categories, select all categories.
2. To the right of the Action column heading, mouse over and select the down arrow and then select Set Selected Actions and choose alert.
3. To ensure that you block access to threat-prone sites, select the following categories and then set the action to block: abused-drugs, adult, gambling, hacking, malware, phishing, questionable, weapons.
4. Click OK to save the profile.
Step 3 Apply the URL Filtering profile to the security policy rule(s) that allows web traffic for users.
1. Select Policies > Security and select the appropriate security policy to modify it.
2. Select the Actions tab and in the Profile Setting section, click the drop-down for URL Filtering and select the new profile.
3. Click OK to save.
Step 4 Save the configuration.
Click Commit.
Step 5 View the URL filtering logs to determine all of the website categories that your users are accessing. In this example, some categories are set to block, so those categories will also appear in the logs.
For information on viewing the logs and generating reports, see Monitor Web Activity.
Select Monitor > Logs > URL Filtering. A log entry will be created for any website that exists in the URL filtering database that is in a category that is set to any action other than allow.
Monitor Web Activity
URL filtering logs and reports show all user web activity for URL categories that are set to alert, block, continue, or override. By monitoring the logs, you can gain a better understanding of the web activity of your user base to determine a web access policy.
The following topics describe how to monitor web activity:
• Interpret the URL Filtering Logs
• Use the ACC to Monitor Web Activity
• View URL Filtering Reports
• Configure Custom URL Filtering Reports
Interpret the URL Filtering Logs
The following bullet points show examples of the URL filtering logs (Monitor > Logs > URL filtering).
• Alert log: In this log, the category is shopping and the action is alert.
• Block log: In this log, the category alcohol-and-tobacco was set to block, so the action is block-url and the user will see a response page indicating that the website was blocked.
• Alert log on encrypted website: In this example, the category is social-networking and the application is facebook-base, which is required to access the Facebook website and other Facebook applications. Because facebook.com is always encrypted using SSL, the traffic was decrypted by the firewall, which allows the website to be recognized and controlled if needed.
You can also add several other columns to your URL Filtering log view, such as: to and from zone, content type,
and whether or not a packet capture was performed. To modify what columns to display, click the down arrow
in any column and select the attribute to display.
To view the complete log details and/or request a category change for the given URL that was accessed, click
the log details icon in the first column of the log.
Use the ACC to Monitor Web Activity
For a quick view of the most common categories being accessed in your environment, select the ACC tab and scroll down to the URL Filtering section. Along the top of this window, you can also set the time range, sort by option, and define how many results will appear. Here you will see the most popular categories that are accessed by your users, sorted by the most popular at the top of the list. In this example, computer-and-internet-info is the most accessed category, followed by private-ip-addresses (internal servers), and search-engines. In the drop-down in the upper right of the statistics, you can also choose to list by URL Categories, Blocked URL Categories, and Blocked URLs.
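The review described in this chapter (rank the categories users reach, as the ACC view does, and confirm that the threat-prone categories from the passive profile are logged as block-url) can also be run over exported URL filtering logs. The Python below is an added example, not part of the guide; the CSV layout, column names and sample rows are constructed assumptions, not the PAN-OS export format.

```python
import csv
import io
from collections import Counter, defaultdict

# Categories the passive-profile procedure sets to block (Step 2 on this page).
THREAT_PRONE = {"abused-drugs", "adult", "gambling", "hacking",
                "malware", "phishing", "questionable", "weapons"}

# Constructed sample export; the column names are assumptions, not a PAN-OS schema.
SAMPLE_CSV = """user,url,category,action
alice,shop.example/cart,shopping,alert
bob,shop.example/item,shopping,alert
alice,news.example/,news,alert
carol,bet.example/,gambling,block-url
bob,social.example/feed,social-networking,alert
carol,kit.example/tool,hacking,alert
dave,search.example/?q=x,search-engines,alert
alice,social.example/msg,social-networking,alert
bob,shop.example/pay,shopping,alert
"""

def summarize(csv_text):
    """Return (ranked categories, per-category user counts, profile gaps)."""
    hits = Counter()
    users = defaultdict(set)
    gaps = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cat, action = row["category"].strip(), row["action"].strip()
        hits[cat] += 1
        users[cat].add(row["user"])
        # A threat-prone category logged with anything but block-url means
        # the profile attached to the rule does not block it.
        if cat in THREAT_PRONE and action != "block-url":
            gaps.add(cat)
    # Most-accessed first, ties broken by name for stable output.
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, {c: len(u) for c, u in users.items()}, sorted(gaps)

def review_candidates(csv_text):
    """Alert-only categories, busiest first: the ones to decide allow/block on."""
    ranked, user_counts, _ = summarize(csv_text)
    return [(c, n, user_counts[c]) for c, n in ranked if c not in THREAT_PRONE]

if __name__ == "__main__":
    ranked, _, gaps = summarize(SAMPLE_CSV)
    for cat, n, u in review_candidates(SAMPLE_CSV):
        print(f"{cat:20} hits={n} users={u}")
    print("threat-prone categories not blocked:", gaps or "none")
```

In the sample, hacking appears with action alert, so it is reported as a gap: the profile applied to that rule is not blocking a category the procedure says should remain blocked.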