topic URL-Filtering: Use profiles or specify categories in rules? in General Topics

URL-Filtering: Use profiles or specify categories in rules?

cryptochrome — Wed, 19 Jun 2013 17:39:41 GMT

Hi,

there are two ways to select which URL categories should be allowed/blocked: You can either create a URL-Filtering profile and attach it to firewall rules, or you can specify URL-categories directly in the firewall rule (destination).

Specifying URL categories directly in the firewall rule seems to have the advantage that you can immediately see which categories you allow/block directly in the rulebase, without looking into the profiles. Then again, using profiles seems to have the advantage that you can specify more actions (override, alarm etc.).

What's the general approach here? Why would you choose one over the other?

And what would happen if I would combine both approaches? e.g. Specify some destination URL categories in a firewall block rule and then add a profile that allows and logs all categories? Which takes precedence? Is it even possible to combine in such a way?

Thanks for your thoughts!

Re: URL-Filtering: Use profiles or specify categories in rules?

Retired Member — Wed, 19 Jun 2013 17:57:23 GMT

you can use url filtering profiles with allow/block list option, can take different actions for different categories, logged in url filtering log

you can user url category only pre-defined category or custom, logged as security log(if enabled),can be used with security policies,qos,decryption or captive portal

Re: URL-Filtering: Use profiles or specify categories in rules?

jvalentine — Wed, 19 Jun 2013 18:16:01 GMT

I almost always use the Security Profiles when it comes to URL filtering enforcement.

I believe one of the down-sides of using the URL Category directly in the rule itself with a "block" action is that you won't get a block "response page" when something is blocked. I believe the firewall treats this like a regular traffic drop. That's liable to generate more support calls as the users don't know why something isn't working.

The only time I have used URL Categories directly in a rule is when you want to use different Security Profiles that are based on the URL Category. Here's a good example:

Let's say your organization has a URL filtering profile that allows these two URL categories:

- computers-and-internet-info

- games

However, you wish to block all .EXE downloads from the games category. In order to do this, you create two firewall rules:

from trust to untrust, application=web-browsing, URL_Category=games, action=allow

- SecurityProfile / File Blocking / Block EXE files

- SecurityProfile / URL Filtering / Company_URL_Profile

from trust to untrust, application=web-browsing, URL_Category=any, action=allow

- SecurityProfile / File Blocking / Permit&Log

- SecurityProfile / URL Filtering / Company_URL_Profile

This way if you go to a games website, and download an EXE, it'll get blocked based on the first rule. If you're surfing to any other allowed URL category, then your traffic matches against the 2nd rule, which permits & logs EXE downloads.

In the first rule, you're not technically using the Company_URL_Profile for enforcement, as no other URL categories will be matched by that rule. However, if you wish to have the gaming URLs logged, then you need to attach the URL Filtering profile - this profile would need games=alert in order for those URLs to be logged.

That's the only time I've used the URL Category in the rule itself - when I've needed to use different security profiles on a per-URL-category-basis.

Re: URL-Filtering: Use profiles or specify categories in rules?

cryptochrome — Wed, 19 Jun 2013 18:54:24 GMT

Thanks. Can you rephrase your second sentence? I am not quite getting it

Re: URL-Filtering: Use profiles or specify categories in rules?

cryptochrome — Wed, 19 Jun 2013 18:56:21 GMT

Thanks, jvalentine. Good point about no proper response pages when using categories in a block rule directly. Is this verified?

As for the rest of you response: Great, thanks. That helped a lot.

Re: URL-Filtering: Use profiles or specify categories in rules?

dyang — Wed, 19 Jun 2013 20:19:26 GMT

JValentine is correct. When you use a URL category in your security rule (as opposed to a URL filtering profile), the only actions you have are allow or block. So if you want to log and/or use a custom response page (block page, continue page, override), you will need to use a URL filtering profile.

Re: URL-Filtering: Use profiles or specify categories in rules?

jvalentine — Wed, 19 Jun 2013 23:30:54 GMT

Edited to read: I believe one of the down-sides of using the URL Category directly in the rule itself with a "block" action is that you won't get a block "response page" when something is blocked.

Re: URL-Filtering: Use profiles or specify categories in rules?

cryptochrome — Thu, 20 Jun 2013 07:54:42 GMT

Oh I understood your second sentence, jvalentine. My reply about not quite getting it was directed at panos (first reply in the thread).

Thanks everyone. I get it now. I am going to use profiles.