| paloaltonetworks:configuration:url_filtering [2020/06/03 19:15] – bstafford | paloaltonetworks:configuration:url_filtering [2022/11/23 12:49] (current) – external edit 127.0.0.1 |
|---|
| ====== PAN-OS URL Filtering ====== | ====== PAN-OS URL Filtering ====== |
| ===== Multi-Category URL Filtering ===== | ===== Multi-Category URL Filtering ===== |
| | Remember, if you manually whitelist a site, any specific sub-pages that are normally classed as malware will be allowed through (even though the list of categories will mark it as cust-list, malware). |
| | |
| PAN-OS 9.0 introduced multi-category URL Filtering. | PAN-OS 9.0 introduced multi-category URL Filtering. |
| |
| |
| [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLfmCAG|Here]] is a really nice KB article on multi-category URL Filtering. | [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLfmCAG|Here]] is a really nice KB article on multi-category URL Filtering. |
| | |
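
Review bot: The whitelist caveat added directly under the "Multi-Category URL Filtering" heading comes before the sentence that introduces the feature, so "the list of categories" is referenced before the reader knows a URL can carry more than one category. Move it below the "PAN-OS 9.0 introduced multi-category URL Filtering" line, and say where the "cust-list, malware" pair is shown so readers can recognise it.
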
| | ===== Test All Categories ===== |
| | Here is a simple Linux script to test all categories. I think (I've not tried it) that on Windows you need to replace ''/dev/null'' with ''NUL'' (CMD) or ''$null'' (PowerShell) |
| | <code>curl http://urlfiltering.paloaltonetworks.com/test-grayware > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-malware > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-phishing > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-command-and-control > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-abortion > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-abused-drugs > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-adult > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-alcohol-and-tobacco > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-auctions > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-business-and-economy > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-computer-and-internet-info > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-content-delivery-networks > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-copyright-infringement > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-cryptocurrency > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-dating > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-dynamic-dns > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-educational-institutions > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-entertainment-and-arts > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-extremism > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-financial-services > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-gambling > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-games > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-government > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-hacking > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-health-and-medicine > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-home-and-garden > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-hunting-and-fishing > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-insufficient-content > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-internet-communications-and-telephony > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-internet-portals > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-job-search > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-legal > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-military > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-motor-vehicles > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-music > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-news > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-nudity > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-online-storage-and-backup > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-parked > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-peer-to-peer > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-personal-sites-and-blogs > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-philosophy-and-political-advocacy > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-private-ip-addresses > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-proxy-avoidance-and-anonymizers > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-questionable > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-real-estate > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-recreation-and-hobbies > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-reference-and-research > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-religion > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-search-engines > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-sex-education > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-shareware-and-freeware > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-shopping > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-social-networking > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-society > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-sports > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-stock-advice-and-tools > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-streaming-media > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-swimsuits-and-intimate-apparel > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-training-and-tools > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-translation > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-travel > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-unknown > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-weapons > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-web-advertisements > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-web-hosting > /dev/null |
| | curl http://urlfiltering.paloaltonetworks.com/test-web-based-email > /dev/null</code> |
| |
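
Review bot: In the new "Test All Categories" script every request sends its output to /dev/null and nothing records the result, so a run cannot show which categories were blocked and which were allowed; curl will also still print its progress meter to the terminal. Suggest recording an outcome per category, for instance with curl -s -o /dev/null -w '%{http_code}\n', and looping over a list of category names rather than repeating the line. The list is also out of step with the table updated in the same revision: it has no entries for low-risk, medium-risk, high-risk, ransomware or the real-time-detection pages, and it requests only http:// while the table offers both HTTP and HTTPS tests. The Windows hint is marked as untried; either test it or drop it.
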
| ===== Serve a URL Response Page Over an HTTPS Session Without SSL Decryption ===== | ===== Serve a URL Response Page Over an HTTPS Session Without SSL Decryption ===== |
| <code>set deviceconfig setting ssl-decrypt url-proxy yes</code> | <code>set deviceconfig setting ssl-decrypt url-proxy yes</code> |
| Note that this only works for URL filtering. If you block an application (e.g. Twitter) without decryption, you will just get a native browser error (e.g. Security Connection Failed). | Note that this only works for URL filtering. If you block an application (e.g. Twitter) without decryption, you will just get a native browser error (e.g. Security Connection Failed). |
| | |
| | You can check a configuration to see if this is set by searching for <code><url-proxy>yes</url-proxy></code> |
| =====Continue and Override Logging===== | =====Continue and Override Logging===== |
| When a ''continue'' page is displayed, a log with action ''block-continue'' will be created. If the user clicks ''continue'', a log with action ''continue<'' will be created. | When a ''continue'' page is displayed, a log with action ''block-continue'' will be created. If the user clicks ''continue'', a log with action ''continue<'' will be created. |
| <code>set deviceconfig setting ctd hold-client-request yes</code> | <code>set deviceconfig setting ctd hold-client-request yes</code> |
| <code>commit</code> | <code>commit</code> |
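
Review bot: The sentence added under "Serve a URL Response Page Over an HTTPS Session Without SSL Decryption" wraps <url-proxy>yes</url-proxy> in <code> tags mid-sentence, whereas the rest of the page uses ''…'' for inline literals and keeps <code> for standalone commands. Use the inline form, end the sentence with a full stop, and say which configuration is meant (the text only says "check a configuration") so the reader knows where to search.
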
| | =====Allow Specific Pages on Domain===== |
| | Sometimes you want to block a domain but allow specific pages. Let's use YouTube as an example. |
| | If you have a custom profile 'whitelist' and a custom profile 'blacklist' and they both contain '*.youtube.com', you will find that block takes prescendence over allow/alert. If you put 'www.youtube.com/watch?v=4lm75v4Ndlg' into the whitelist, you will find the block list still take prescendence over it. |
| | |
| | To allow the traffic, you need to create a rule that uses 'whitelist' in the match criteria of the rule and then just 'alerts' (or, at least, doesn't block the blacklist). |
| | |
| =====Enable Specific YouTube Videos Only===== | =====Enable Specific YouTube Videos Only===== |
| See [[https://live.paloaltonetworks.com/t5/minemeld-articles/minemeld-to-filter-youtube-videos/ta-p/164928|this link]]. | See [[https://live.paloaltonetworks.com/t5/minemeld-articles/minemeld-to-filter-youtube-videos/ta-p/164928|this link]]. |
| =====Test URL Filtering===== | =====Test URL Filtering===== |
| |
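
Review bot: In the new "Allow Specific Pages on Domain" section, "prescendence" should be "precedence" (twice) and "the block list still take" should be "still takes". The section also switches between 'blacklist' and "block list" for the same object, and the closing instruction "(or, at least, doesn't block the blacklist)" is hard to follow; state explicitly what the rule matches on and which action it applies so the fix can be reproduced. Since this rule lets through whatever is in 'whitelist', a pointer to the caveat at the top of the page about whitelisted sub-pages classed as malware would fit here.
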
| ^ Category ^ Test over HTTP ^ Test over HTTPS^ | Another [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaDCAS|test page]]. |
| | |
| | ^ Category ^ Test over HTTP ^ Test over HTTPS ^ |
| | |low-risk|[[http://urlfiltering.paloaltonetworks.com/test-low-risk|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-low-risk|Test Over SSL]]| |
| | |medium-risk|[[http://urlfiltering.paloaltonetworks.com/test-medium-risk|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-medium-risk|Test Over SSL]]| |
| | |high-risk|[[http://urlfiltering.paloaltonetworks.com/test-high-risk|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-high-risk|Test Over SSL]]| |
| |abortion|[[http://urlfiltering.paloaltonetworks.com/test-abortion|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-abortion|Test Over SSL]]| | |abortion|[[http://urlfiltering.paloaltonetworks.com/test-abortion|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-abortion|Test Over SSL]]| |
| |abused-drugs|[[http://urlfiltering.paloaltonetworks.com/test-abused-drugs|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-abused-drugs|Test Over SSL]]| | |abused-drugs|[[http://urlfiltering.paloaltonetworks.com/test-abused-drugs|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-abused-drugs|Test Over SSL]]| |
| |proxy-avoidance-and-anonymizers|[[http://urlfiltering.paloaltonetworks.com/test-proxy-avoidance-and-anonymizers|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-proxy-avoidance-and-anonymizers|Test Over SSL]]| | |proxy-avoidance-and-anonymizers|[[http://urlfiltering.paloaltonetworks.com/test-proxy-avoidance-and-anonymizers|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-proxy-avoidance-and-anonymizers|Test Over SSL]]| |
| |questionable|[[http://urlfiltering.paloaltonetworks.com/test-questionable|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-questionable|Test Over SSL]]| | |questionable|[[http://urlfiltering.paloaltonetworks.com/test-questionable|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-questionable|Test Over SSL]]| |
| | |ransomware|[[http://urlfiltering.paloaltonetworks.com/test-ransomware|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-ransomware|Test Over SSL]]| |
| |real-estate|[[http://urlfiltering.paloaltonetworks.com/test-real-estate|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-real-estate|Test Over SSL]]| | |real-estate|[[http://urlfiltering.paloaltonetworks.com/test-real-estate|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-real-estate|Test Over SSL]]| |
| |recreation-and-hobbies|[[http://urlfiltering.paloaltonetworks.com/test-recreation-and-hobbies|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-recreation-and-hobbies|Test Over SSL]]| | |recreation-and-hobbies|[[http://urlfiltering.paloaltonetworks.com/test-recreation-and-hobbies|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-recreation-and-hobbies|Test Over SSL]]| |
| |web-based-email|[[http://urlfiltering.paloaltonetworks.com/test-web-based-email|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-web-based-email|Test Over SSL]]| | |web-based-email|[[http://urlfiltering.paloaltonetworks.com/test-web-based-email|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-web-based-email|Test Over SSL]]| |
| |web-hosting|[[http://urlfiltering.paloaltonetworks.com/test-web-hosting|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-web-hosting|Test Over SSL]]| | |web-hosting|[[http://urlfiltering.paloaltonetworks.com/test-web-hosting|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-web-hosting|Test Over SSL]]| |
| | |test-real-time-detection-command-and-control|[[http://urlfiltering.paloaltonetworks.com/test-real-time-detection-command-and-control|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-real-time-detection-command-and-control|Test Over SSL]]| |
| | |test-real-time-detection-malware|[[http://urlfiltering.paloaltonetworks.com/test-real-time-detection-malware|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-real-time-detection-malware|Test Over SSL]]| |
| | |test-real-time-detection-phishing|[[http://urlfiltering.paloaltonetworks.com/test-real-time-detection-phishing|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-real-time-detection-phishing|Test Over SSL]]| |
| | |test-real-time-detection-grayware|[[http://urlfiltering.paloaltonetworks.com/test-real-time-detection-grayware|Test Unencrypted]]|[[https://urlfiltering.paloaltonetworks.com/test-real-time-detection-grayware|Test Over SSL]]| |
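
Review bot: The four real-time-detection rows added at the end of the table put the URL slug in the Category column ("test-real-time-detection-malware" and so on), while every other row, including the new low-risk, medium-risk, high-risk and ransomware rows, gives the bare category name. Drop the "test-" prefix there for consistency, or note that these are test pages rather than category names. The "Another test page" link added above the table also has no description of what it tests.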