This week's Discussion of the Week is not going to be on a single topic, but rather talk about URL filtering with PAN-OS 8.0. I noticed a couple of articles this week that were talking about URL filtering with PAN-OS 8.0 and there seems to be some confusion about some new features or defaut settings, so I wanted to take time to talk about all this here.
I will try to cover a couple of points here, consider this a mini FAQ for a couple of items in PAN-OS 8.0 URL filtering.
My URL filtering logs are not showing up properly.
I have seen this question a couple of times since PAN-OS 8.0 was released. This is a misconception from a lot of users who are wanting to run reports or just simply see all of the URL traffic in the URL traffic logs.
the guide states "Allowed (URL) traffic is not logged."
Excerpt from the Admin guide where it shows that allowed traffic is not logged.
Now this can be confusing, because you want to see what the URL categories are for the traffic, don't you?
Well, yes and no. Yes, it would be beneficial at times to see, but please bear in mind that this is ALL of your internet traffic. Rather the URL information is only logged for alert of blocked traffic (if configured).
Note: If you are wanting to also see HTTPS decrypted traffic, you will have to apply a decryption policy on the forward proxy.
In PAN-OS 8.0 there are now 2 categories inside the URL Filtering profile where there was only 1 before.
If you are not familiar with PAN-OS 8.0 URL filtering, for each URL category, you have "Site Access" and "User Credential Submissions". This is in the WebGUI under Objects > Security Profiles > URL Filtering > URL Filtering profile.
PAN-OS 8.0 URL Filtering profile showing the Site Access and User Credential Submission columns.
In previous versions of PAN-OS, you only had the "action" column:
PAN-OS 7.1 showing the same URL filtering profile screen.
Now, with PAN-OS 8.0, you have 2 different "action" columns to configure: Site Access and User Credential Submission.
I try to give the details below on each one.
Site Access For each URL category, select the action to take when a user attempts to access a URL in that category (Site Access): • alert—Allows access to the web site but adds an alert to the URL log each time a user accesses the URL. • allow—Allows access to the web site. • block—Blocks access to the web site. If the Site Access to a URL category is set to block, the User Credential Submission permissions is automatically also set to block. • continue—Displays a page to users that to warn them against continuing to access the page. To access the web site, the user must click Continue. The Continue pages will not be displayed properly on client machines that are configured to use a proxy server. • override—Displays a response page that prompts the user to enter a valid password in order to gain access to the site. Configure URL Admin Override settings (Device > Setup > Content ID) to manage password and other override settings. (See also the Management Settings table in Device > Setup > Content-ID). The Override pages will not be displayed properly on client machines that are configured to use a proxy server. • none (custom URL category only)—If you have created custom URL categories, set the action to none to allow the firewall to inherit the URL filtering category assignment from your URL database vendor. Setting the action to none gives you the flexibility to ignore custom categories in a URL filtering profile, while allowing you to use the custom URL category as a match criteria in policy rules (Security, Decryption, and QoS) to make exceptions or to enforce different actions. To delete a custom URL category, you must set the action to none in any profile where the custom category is used. For information on custom URL categories, see Objects > Custom Objects > URL Category.
User Credential Submission For each URL category, select the User Credential Submissions to allow or disallow users from submitting valid corporate credentials to a URL in that category. Before you can control user credential submissions based on URL category, you must enable credential submission detection (select the User Credential Detection tab). URL categories with the Site Access set to block are automatically set to also block user credential submissions. • alert—Allow users to submit credentials to the website, but generate a URL alert log each time a user submits credentials to sites in this category. • allow (default)—Allow users to submit credentials to the website. • block—Block users from submitting credentials to the website. A default anti-phishing block page is shown to users when they access sites to which corporate credential submissions are blocked. • continue—Display a page to users that prompts them to select Continue to access to access the site. By default, an anti-phishing continue page displays to warn users when they access sites to which credential submissions are discouraged. You can choose to create a custom response page to warn users against phishing attempts or to educate them against reusing valid corporate credentials on other websites.
I hope that this helps you understand some of the new URL Filtering options inside PAN-OS 8.0.