06-19-2013 10:39 AM
Hi,
there are two ways to select which URL categories should be allowed/blocked: You can either create a URL-Filtering profile and attach it to firewall rules, or you can specify URL-categories directly in the firewall rule (destination).
Specifying URL categories directly in the firewall rule seems to have the advantage that you can immediately see which categories you allow/block directly in the rulebase, without looking into the profiles. Then again, using profiles seems to have the advantage that you can specify more actions (override, alarm etc.).
What's the general approach here? Why would you choose one over the other?
And what would happen if I combined both approaches? E.g. specify some destination URL categories in a firewall block rule and then add a profile that allows and logs all categories? Which takes precedence? Is it even possible to combine them in such a way?
Thanks for your thoughts!
06-19-2013 11:16 AM
I almost always use the Security Profiles when it comes to URL filtering enforcement.
I believe one of the down-sides of using the URL Category directly in the rule itself with a "block" action is that you won't get a block "response page" when something is blocked. I believe the firewall treats this like a regular traffic drop. That's liable to generate more support calls as the users don't know why something isn't working.
The only time I have used URL Categories directly in a rule is when you want to use different Security Profiles that are based on the URL Category. Here's a good example:
Let's say your organization has a URL filtering profile that allows these two URL categories:
- computers-and-internet-info
- games
However, you wish to block all .EXE downloads from the games category. In order to do this, you create two firewall rules:
from trust to untrust, application=web-browsing, URL_Category=games, action=allow
- SecurityProfile / File Blocking / Block EXE files
- SecurityProfile / URL Filtering / Company_URL_Profile
from trust to untrust, application=web-browsing, URL_Category=any, action=allow
- SecurityProfile / File Blocking / Permit&Log
- SecurityProfile / URL Filtering / Company_URL_Profile
This way if you go to a games website, and download an EXE, it'll get blocked based on the first rule. If you're surfing to any other allowed URL category, then your traffic matches against the 2nd rule, which permits & logs EXE downloads.
In the first rule, you're not technically using the Company_URL_Profile for enforcement, as no other URL categories will be matched by that rule. However, if you wish to have the gaming URLs logged, then you need to attach the URL Filtering profile - this profile would need games=alert in order for those URLs to be logged.
That's the only time I've used the URL Category in the rule itself - when I've needed to use different security profiles on a per-URL-category-basis.
06-19-2013 10:57 AM
You can use URL filtering profiles with the allow/block list option, take different actions for different categories, and have them logged in the URL filtering log.
You can use a URL category (pre-defined or custom) only; it is logged in the security log (if enabled), and can be used with security policies, QoS, decryption or captive portal.
06-19-2013 11:54 AM
Thanks. Can you rephrase your second sentence? I am not quite getting it
06-19-2013 11:56 AM
Thanks, jvalentine. Good point about no proper response pages when using categories in a block rule directly. Is this verified?
As for the rest of your response: Great, thanks. That helped a lot.
06-19-2013 01:19 PM
JValentine is correct. When you use a URL category in your security rule (as opposed to a URL filtering profile), the only actions you have are allow or block. So if you want to log and/or use a custom response page (block page, continue page, override), you will need to use a URL filtering profile.
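The two-rule example in jvalentine's reply and the allow/block-only point in the reply above can be checked against a small policy model. The following is an added illustration written for this thread, not PAN-OS code or anything from the replies; it simplifies the real evaluation heavily (first matching rule wins, security profiles are consulted only after a rule allows the session) and the rule names, the Company_URL_Profile entries and the "malware" category line are constructed for the example.

```python
"""Toy model of URL category as a rule match condition versus a URL Filtering
profile action. Constructed for illustration; it is not PAN-OS code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    src_zone: str
    dst_zone: str
    app: str
    category: str                     # category the firewall resolved for the site
    file_type: Optional[str] = None   # "exe" for a download, None for a page view


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    app: str
    category: str = "any"                 # URL category used directly in the rule
    action: str = "allow"                 # a rule can only allow or block
    url_profile: Optional[dict] = None    # category -> allow/alert/block/continue/override
    file_blocking: Optional[dict] = None  # file type -> block/alert


@dataclass
class Verdict:
    rule: str
    action: str
    response_page: bool
    logs: list = field(default_factory=list)


def evaluate(rules, req):
    """Return the verdict of the first rule that matches the request."""
    for r in rules:
        if (r.src_zone, r.dst_zone, r.app) != (req.src_zone, req.dst_zone, req.app):
            continue
        if r.category != "any" and r.category != req.category:
            continue
        if r.action == "block":
            # Block in the rule itself: dropped like any denied session, so no
            # URL response page, and any attached profile never runs.
            return Verdict(r.name, "block", response_page=False, logs=["traffic:deny"])
        v = Verdict(r.name, "allow", response_page=False)
        # Security profiles are applied only to traffic the rule allowed.
        if r.file_blocking and req.file_type in r.file_blocking:
            fb = r.file_blocking[req.file_type]
            v.logs.append(f"file:{fb}:{req.file_type}")
            if fb == "block":
                v.action = "block"
                v.response_page = True   # file-blocking block page
                return v
        if r.url_profile:
            ua = r.url_profile.get(req.category, "allow")
            if ua != "allow":
                v.logs.append(f"url:{ua}:{req.category}")   # URL filtering log entry
            if ua in ("block", "continue", "override"):
                v.action = ua
                v.response_page = True   # profile actions come with a response page
        return v
    return Verdict("<interzone-default>", "block", response_page=False, logs=["traffic:deny"])


# Constructed profile: games=alert so gaming URLs are logged; "malware" added
# only to show a profile-driven block with a response page.
COMPANY_URL_PROFILE = {"computers-and-internet-info": "allow", "games": "alert", "malware": "block"}

# The two-rule layout from the thread: games category first with EXE blocking,
# then a catch-all that permits and logs EXE downloads.
RULES = [
    Rule("games-no-exe", "trust", "untrust", "web-browsing", category="games",
         url_profile=COMPANY_URL_PROFILE, file_blocking={"exe": "block"}),
    Rule("web-allowed", "trust", "untrust", "web-browsing",
         url_profile=COMPANY_URL_PROFILE, file_blocking={"exe": "alert"}),
]

# The combination asked about in the question: category in a block rule, with
# a logging profile attached. The rule's block wins; the profile never runs.
RULES_WITH_CATEGORY_BLOCK = [
    Rule("block-games-in-rule", "trust", "untrust", "web-browsing", category="games",
         action="block", url_profile=COMPANY_URL_PROFILE),
] + RULES


if __name__ == "__main__":
    web = lambda cat, ft=None: Request("trust", "untrust", "web-browsing", cat, ft)
    print(evaluate(RULES, web("games")))                                  # allowed, url alert logged
    print(evaluate(RULES, web("games", "exe")))                           # blocked by file blocking, block page
    print(evaluate(RULES, web("computers-and-internet-info", "exe")))     # allowed, exe alert logged
    print(evaluate(RULES_WITH_CATEGORY_BLOCK, web("games")))              # dropped, no response page
```

Running the four cases at the bottom reproduces the thread's observations: an EXE from a games site hits the first rule and is blocked by the file-blocking profile with a block page, while the same download from another allowed category falls through to the second rule and is merely logged; a games page view is allowed and logged only because games=alert is in the profile; and putting the category in a block rule drops the session with no response page regardless of the profile attached.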
06-19-2013 04:30 PM
Edited to read: I believe one of the down-sides of using the URL Category directly in the rule itself with a "block" action is that you won't get a block "response page" when something is blocked.
06-20-2013 12:54 AM
Oh I understood your second sentence, jvalentine. My reply about not quite getting it was directed at panos (first reply in the thread).
Thanks everyone. I get it now. I am going to use profiles.