topic Re: URL filtering in General Topics

URL filtering

jdprovine — Mon, 24 Aug 2015 19:38:05 GMT

Who is using URL filtering? Is it worth the added cost? Is there any way to do it without the license?

Re: URL filtering

Brandon_Wertz — Mon, 24 Aug 2015 21:04:59 GMT

The short answer is probably yes it's worth it.

What's the size of your company?

Do you have an HR policy that requires you to restrict "offensive" content?

Do you implicitly trust the Threat (subscription) service intelligence?

Do you implictly trust the Wild-Fire (can be a subscription) service intelligence?

The Palo URL Filtering service isn't as good as I had hopped it would be, but it still does a good job. Until recently PAN-DB categorized www.funnyordie.com as "Questionable". It was a battle with the URL team to get them to categorize it as something other than Questionable. It took > 5 days through a TAC case after 2 separate auto-categorization requests that were initially denied.

For the most part, especially as it relates to malware getting site recategorized are a pain, but things seem to be improving.

What benefit are you looking to get?

Re: URL filtering

jdprovine — Tue, 25 Aug 2015 13:26:55 GMT

I work at a college of 5000 and we are looking to keep the network safe from breaches more than anything. We are currently using the threat prevention subscription and have benefitted a lot from it, but the price of these subscriptions are outrageous. I do not know if there is a HR policy restricting offensive content and how offensive content would be described. We do not have wild fire and at this point I don't see a need for it in our environment.

Re: URL filtering

Brandon_Wertz — Tue, 25 Aug 2015 20:27:45 GMT

Easy stuff first...

Eventhough you don't purchase the WF subscription you can still benefit from it. I'm not certain the timelines, when items deamed "malware" get included into to "Threats" if at all, but even w/o a WF subscription you're still allowed to send files to the WF cloud. You just only get sig updates ever 24-hrs vice every 30 minutes.

As to URL subscriptions. With it you'd be able to deny users/students from accessing gambling, pronography, hate type sites. Those would be the ones that i would classify as an "Offensive" nature. Then there's Anonymizers, drugs, hacking, malware, phishing, and "parked" type sites that URL filtering would provide restrictions on.

For our network we get thousands of hits to "malware," but that includes guest IP space. Being able to block "parked" domains are good because they're typically used by hackers as those domains typically have no relavant INet traffic except as an infection source.

Re: URL filtering

jdprovine — Wed, 26 Aug 2015 20:15:27 GMT

How do you do the wild fire that doesn't require the subscription? Yeah I am aware of what filtering would give us I just don't think I should have to pay for it as a subscription and such a high priced subscription I was hoping there was a cheaper way to do it.

I don't know what a parked domain is and what the benefits of blocking it would be.

Re: URL filtering

OtakarKlier — Wed, 26 Aug 2015 22:50:22 GMT

To configure Wildfire, just do as the documents say. The only thing you dont get by not having the license is the quick turnaround on file detonations and also you wont get updates every 15 minutes (or so).

The base wildfire is already part of the threat license, the additional license gets you the same thing except quicker.

https://live.paloaltonetworks.com/t5/Articles/Wildfire-Configuration-Testing-and-Monitoring/ta-p/57722

As for the descriptions for the URL filtering module, here is an article I use frequently for the executives to use to tell me what to block.

https://urlfiltering.paloaltonetworks.com/CategoryList.aspx

Hope this help!

Re: URL filtering

jdprovine — Fri, 28 Aug 2015 18:51:37 GMT

I followed the documents but it is failing to register to the wildfire server using wildfire-default-cloud is this the correct one for the service without the subscription

Re: URL filtering

OtakarKlier — Fri, 28 Aug 2015 20:06:49 GMT

Hello,

Yes that is the same one. Check your logs to see if you maybe blocking the traffic? If you are not blocking the traffic, then it could be a registration issue, I had one and they had to dig deep to figure it out. To check this follow the steps in the testing area of this link, https://live.paloaltonetworks.com/t5/Articles/Wildfire-Configuration-Testing-and-Monitoring/ta-p/57722

Mine tested registration just fine, but then showed it wasnt registered in the status section. If that is the case, you have to open a case with support.

Regards,

Re: URL filtering

jdprovine — Fri, 28 Aug 2015 21:12:31 GMT

Yeah I will probably get on the phone with support and see if they can find the issue.