<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: URL Categories vs URL Filtering in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/url-categories-vs-url-filtering/m-p/433650#M95903</link>
    <description></description>
    <pubDate>Mon, 13 Sep 2021 22:54:11 GMT</pubDate>
    <dc:creator>TomYoung</dc:creator>
    <dc:date>2021-09-13T22:54:11Z</dc:date>
    <item>
      <title>URL Categories vs URL Filtering</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/url-categories-vs-url-filtering/m-p/432595#M95886</link>
      <description>&lt;P&gt;Multiple questions - Recently we've found that traffic not within a URL category specified in a rule is being allowed. The rule appears to be allowing the traffic as the session starts and ends with the action of allowed determined. Would using the same category within a URL filter differ than only having a category configured? It's my understanding that the only difference between the two is that the filter allows you to specify multiple categories and alert on them, whereas the URL category section does not allow for alerting and uses the action specified by the rule. We are using app-id on this rule. Is there a time to use categories only instead of a filter? My concern in using a filter is that it will block traffic allowed by another filter further down the ruleset. Does it not defeat the purpose of a filter to only alert on a single category and the remaining ones are set to none or block?&lt;/P&gt;</description>
      <pubDate>Wed, 08 Sep 2021 14:37:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/url-categories-vs-url-filtering/m-p/432595#M95886</guid>
      <dc:creator>CBeaver</dc:creator>
      <dc:date>2021-09-08T14:37:06Z</dc:date>
    </item>
    <item>
      <title>Re: URL Categories vs URL Filtering</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/url-categories-vs-url-filtering/m-p/433612#M95894</link>
      <description>&lt;P&gt;What most of my customers use this feature for is in the realm of zero trust. The URL category list allows you to do things like write a rule at the top of the hierarchy, block all web advertisements. But we can also specifically allow the sites users sign in to.&lt;/P&gt;&lt;P&gt;For example, they create EDLs of internal domains, or custom URL lists. Then they write a rule "internal-corp"&lt;/P&gt;&lt;P&gt;From users to internal app web browsing URL category internal URLs and that custom URL list has a credential theft setting of allow, since those are known good domains.&lt;/P&gt;&lt;P&gt;Everything else is set to alert at least, blocking just about everything from the profile perspective. This also allows you to configure the same profile behaviors for external apps.&lt;/P&gt;&lt;P&gt;Submitting corp credentials to *.microsoftonline.com or something would be okay, assuming it's on your custom URL list, but you can block lots with categories, that you attach as a profile to those rules.&lt;/P&gt;&lt;P&gt;In general, it's a customization feature that allows you to get more specific if you choose.&lt;/P&gt;</description>
      <pubDate>Mon, 13 Sep 2021 19:54:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/url-categories-vs-url-filtering/m-p/433612#M95894</guid>
      <dc:creator>LAYER_8</dc:creator>
      <dc:date>2021-09-13T19:54:01Z</dc:date>
    </item>
    <item>
      <title>Re: URL Categories vs URL Filtering</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/url-categories-vs-url-filtering/m-p/433650#M95903</link>
      <description>&lt;P&gt;Multiple answers! For clarity, I assume when you say URL category, you mean URL category in a security policy rule.&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;"Recently we've found that traffic not within a URL category specified in a rule is being allowed." Any subsequent security policy rule allowing web-browsing or ssl will allow the traffic. Only traffic matching your category will match your rule. The advantage to URL filtering is that the security policy rule will match all web-browsing or ssl traffic, and not look for a subsequent security policy rule match.&lt;/LI&gt;&lt;LI&gt;"Would using the same category within a URL filter differ than only having a category configured?" Yes, because it can perform different functions for different categories.&lt;/LI&gt;&lt;LI&gt;"Is there a time to use categories only instead of a filter?" The most common example is if you want to use the additional fields in the security policy rule. For example, HR (source user) is allowed to go to YouTube for training videos.&lt;/LI&gt;&lt;LI&gt;"My concern in using a filter is that it will block traffic allowed by another filter further down the ruleset." This is the preferred implementation of &lt;EM&gt;pre-defined&lt;/EM&gt; categories in URL filtering. If you block a &lt;EM&gt;pre-defined&lt;/EM&gt; category, you want to block all URLs in the category even if they match other &lt;EM&gt;pre-defined&lt;/EM&gt; URL categories. The entries above the pre-defined categories allow exceptions to this rule and the priority is from top down.&lt;/LI&gt;&lt;LI&gt;"Does it not defeat the purpose of a filter to only alert on a single category and the remaining ones are set to none or block?" No. Your URL filtering example allows for a flexible &lt;EM&gt;corporate&lt;/EM&gt; security policy and logging.&lt;/LI&gt;&lt;/OL&gt;</description>
      <pubDate>Mon, 13 Sep 2021 22:54:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/url-categories-vs-url-filtering/m-p/433650#M95903</guid>
      <dc:creator>TomYoung</dc:creator>
      <dc:date>2021-09-13T22:54:11Z</dc:date>
    </item>
  </channel>
</rss>

