- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
on 01-24-2019 04:08 AM - edited on 02-28-2019 04:55 AM by reaper
Category Mappings For Moving From Symantec WebFilter to PAN-DB.
Roll Out URL Category Enforcement
Best Practice URL Filtering Profile.
Use URL Categories To Define SSL Decryption Policies.
This document is designed to assist you in migrating your environment from using Symantec Web Filter categories on ProxySG to using URL filtering capabilities in the Palo Alto Networks next-generation firewall enabled by PAN-DB, Palo Alto Networks cloud-based URL categorization service.
The first part of this document contains category mappings to assist you in selecting which PAN-DB URL categories to use. In most cases, there is a one-to-one mapping between the URL categorization commonly used in Symantec Web Filter and the categorization provided by Palo Alto Networks.
The second part of the document contains examples on how to migrate from Symantec Web Filter categories to PAN-DB categories and how to use them in the security policies of the next-generation firewall. During the migration, it is a recommended best practice to configure a URL Filtering profile with all categories set to “alert” in parallel with your web filtering solution. This allows you to run reports in PAN-OS and Proxy-SG to verify policies and category mappings before switching the URL filtering functions over completely to PAN-DB URL categorization on our next generation firewall.
The third part of this document contains usage examples and recommended security best practices when using PAN-DB for URL categorization in the next-generation firewall.
To start the migration, the first thing we recommend is to review the categories that are blocked by policy with the Symantec WebFilter and map them to the corresponding PAN-DB URL categories.
The Symantec WebFilter Database is organized into 85 URL categories. You can find a complete list and definitions of the categories at this link: https://sitereview.bluecoat.com/category-descriptions.
PAN-DB is organized into more than 65 URL categories. You can find a complete list and definitions of the categories at this link: Complete List of PAN-DB URL Filtering Categories.
Symantec WebFilter offers a service called “Site Review.” The purpose of “Site Review” is to allow Symantec customers to check the current database categorization of WebFilter URLs and report sites that they believe are incorrectly categorized. You can find the "Site Review" at this link: https://sitereview.bluecoat.com/.
PAN-DB URL filter also offers a service called “Test a Site.” The purpose of “Test a Site” is to allow Palo Alto Networks customers to check the current database categorization of PAN-DB URLs and report sites that they believe are incorrectly categorized. You can find "Test a Site" at this link: https://urlfiltering.paloaltonetworks.com/.
The table below will help you with the category mapping exercise.
Symantec |
Palo Alto Networks |
Differences |
Recommendations |
Abortion |
Abortion |
|
|
Adult/Mature Content |
Adult or Questionable |
|
|
Alcohol |
Alcohol and Tobacco |
|
|
Alternative Spirituality/Belief |
Religion |
|
|
Art/Culture |
Entertainment and Arts |
|
|
Auctions |
Auctions |
|
|
Audio/Video Clips |
Streaming Media or Music |
|
|
Brokerage/Trading |
Stock Advice and Tools or Financial Services |
|
|
Business/Economy |
Business and Economy |
|
|
Charitable Organizations |
Society |
|
|
Chat (IM)/SMS |
Internet Communications and Telephony |
|
|
Child Pornography |
Adult |
|
|
Computer/Information Security |
Computer and Internet Info or Hacking |
|
|
Content Servers |
Content Delivery Networks |
|
|
Controlled Substances |
Abused Drugs |
|
|
Dynamic DNS Host |
Dynamic-DNS |
|
Best Practice recommendation, Block “dynamic-dns” category |
E-Card/Invitations |
Shareware-and-Freeware |
|
|
Education |
Educational Institutions |
|
|
|
Web-based Email |
|
|
Entertainment |
Entertainment and Arts |
|
|
Extreme |
Extremism |
|
Best Practice recommendation, Block “extremism” category |
File Storage/Sharing |
Online Storage and Backup |
|
|
Financial Services |
Financial Services |
|
|
For Kids |
Society |
This Symantec category is not a stand-alone category |
|
Gambling |
Gambling |
|
|
Games |
Games |
|
|
Government/Legal |
Government |
|
|
Hacking |
Hacking |
|
|
Health |
Health and Medicine |
|
|
Humor/Jokes |
Entertainment and Arts or Questionable |
|
|
Informational |
N/A |
This Symantec category is not a stand-alone category |
Recommended action: – Use “Test a Site” to find corresponding PAN-DB category for matching websites
– Or Create a Custom URL category and control matching websites |
Internet Connected Devices |
Computer and Internet Info |
There is no one-to-one mapping for this category. This is a subset of “computer-and-internet-info” category |
Recommended action: – Use “Test a Site” to find corresponding PAN-DB category for matching websites
– Or Create a Custom URL category and control matching websites |
Internet Telephony |
Internet Communications and Telephony |
|
|
Intimate Apparel/Swimsuit |
Swimsuits and Intimate Apparel |
|
|
Job Search/Careers |
Job Search |
|
|
Malicious Outbound Data/Botnets |
Command-and-Control |
|
Best Practice recommendation, Block “Command-and-Control” category |
Malicious Sources/Malnets |
Malware |
|
Best Practice recommendation, Block “malware” category |
Marijuana |
Abused Drugs |
|
|
Media Sharing |
Streaming Media or Online Storage and Backup |
|
|
Military |
Military |
|
|
Mixed Content/ Potentially Adult |
Adult, Nudity or Questionable |
Based on the category description provided by Symantec, most URLs should be mapped to “adult” but the URLs could also be part of “nudity” or “questionable” |
|
News/Media |
News |
|
|
Newsgroups/Forums |
News or Personal-Sites-And-Blogs |
|
|
Non-Viewable/Infrastructure |
Insufficient Content |
|
|
Nudity |
Nudity |
|
|
Office/Business Applications |
Computer and Internet Info |
|
|
Online Meetings |
Internet Communications and Telephony |
|
|
Peer-to-Peer (P2P) |
Peer-to-Peer |
|
|
Personals/Dating |
Dating |
|
|
Personal Sites |
Personal Sites and Blogs |
|
|
Phishing |
Phishing |
|
Best Practice recommendation, Block “phishing” category |
Piracy/Copyright Concerns |
Copyright-Infringement |
|
Best Practice recommendation, Block “copyright-infringement“ category |
Placeholders |
Parked |
|
Best Practice recommendation, Block “parked” category |
Political/Social Advocacy |
Philosophy and Political Advocacy |
|
|
Pornography |
Adult |
|
|
Potentially Unwanted Software |
Shareware and Freeware or Questionable |
|
|
Proxy Avoidance |
Proxy Avoidance and Anonymizers |
|
Best Practice recommendation, Block “proxy-avoidance-and-anonymizers” category |
Radio/Audio Streams |
Streaming Media |
|
|
Real Estate |
Real Estate |
|
|
Reference |
Reference and Research |
|
|
Religion |
Religion |
|
|
Remote Access Tools |
Internet Communications and Telephony
|
|
|
Restaurants/Dining/Food |
Society |
|
|
Scam/Questionable/Illegal |
Questionable |
|
|
Search Engines/Portals |
Search Engines |
|
|
Sex Education |
Sex Education |
|
|
Sexual Expression |
Adult or Society |
If the website content pertains to sexual identity then the category will be "society" If not, the category will be "adult" |
|
Shopping |
Shopping |
|
|
Social Networking |
Social Networking |
|
|
Society/Daily Living |
Society |
|
|
Software Downloads |
Shareware and Freeware or Computer and Internet Info |
|
|
Spam |
Questionable |
URLs related to spam are included in the category "questionable" This category also includes websites with illegal, immoral and offensive content |
|
Sports/Recreation |
Sports |
|
|
Suspicious |
Insufficient Content or Questionable |
|
|
Technology/Internet |
Computer and Internet Info |
|
|
Tobacco |
Alcohol and Tobacco |
|
|
Translation |
Translation |
|
|
Travel |
Travel |
|
|
TV/Video Streams |
Streaming Media |
|
|
Uncategorized |
Unknown |
|
Best Practice recommendation, Block “unknown” category |
Vehicles |
Motor Vehicles |
|
|
Violence/Hate/Racism |
Extremism |
|
Best Practice recommendation, Block “extremism” category |
Weapons |
Weapons |
|
|
Web Ads/Analytics |
Web Advertisements |
|
|
Web Hosting |
Web Hosting |
|
|
What if I can’t block all of the recommended categories?
If you find that users need access to sites in the blocked categories, consider creating an allow list for just the specific sites if you feel the risk is justified. On categories you decide to allow, make sure you set up credential phishing prevention to ensure that users aren’t submitting their corporate credentials to a site that may be hosting a phishing attack. Allowing traffic to a recommended block category poses the following risks:
Malware – Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
Phishing – Known to host credential phishing pages or phishing for personal identification.
Dynamic-dns – Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company and are, therefore, less trustworthy.
Unknown – Sites that have not yet been identified by PAN-DB, perhaps because they were just registered. However, these are sites that are oftentimes generated by domain generation algorithms and are later found to exhibit malicious behavior.
Command-and-control – Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
Copyright-infringement – Domains with illegal content, such as content that allows illegal download of software or other intellectual property. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
Extremism – Websites promoting terrorism, racism, fascism or other extremist views discriminating people or groups of different ethnic backgrounds, religions, or other beliefs. This category was introduced to enable adherence to child protection laws required in the education industry.
Proxy-avoidance-and-anonymizers – URLs and services often used to bypass content filtering products.
Parked – Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains. For example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identify information. Or, they may be domains that an individual purchases rights in hopes that it may be valuable someday, such as panw.net.
Plan to decrypt as much traffic that is not private or sensitive as your firewall resources allow to reduce the attack surface by exposing and preventing encrypted threats. Understand local laws and regulations about the traffic you can legally decrypt and user notification requirements.
Please see documentation for SSL Decryption deployment and pre-requisites. The below steps describe Decryption policy definitions only.
With these three decrypt policies in place, any traffic destined for the financial-services or health-and-medicine or government URL categories will not be decrypted. All other traffic will be decrypted.
Case-1: Policy to block download of high-risk file types from certain categories [Decryption + URL Filtering + File-Blocking + Threat Prevention]
Case-2: Policy to Control Web Access [Decryption + User-ID + App-ID + URL Filtering + Data Filtering + Threat Prevention]
In this use case, users belonging to the Marketing group, for example, have access to Box for collaboration but not to any of the other “online-storage-and backup” vendors. All other users are blocked from all “online-storage-and-backup” applications. The company policy also states that documents marked “Confidential” should not be shared on Box by the Marketing group.
Case-3: Subscribe to an external malicious URL feed [URL Filtering + External Dynamic Lists]
In this use case, administrator wants the firewall to ingest an external feed that provides IOCs (Indicators of Compromise) in the form of URLs. This dynamic list of URLs has to be continuously updated in policy and blocked by Palo Alto Networks next generation firewall without any manual intervention.
To protect your network from new sources of threat or malware, you can use External Dynamic List in URL Filtering profiles to block or allow or to define granular actions such as continue, alert, or override for URLs before you attach the profile to a Security Policy rule. Unlike the allow list, block list, or a custom URL category on the firewall, an external dynamic list gives you the ability to update the list without a configuration change or commit on the firewall.
With this Security Policy in place, any user attempting to connect to websites part of the URL feed will be blocked. This URL list is dynamically updated by the firewall without any commit required by the administrator. Any attempt to connect to these URLs is also logged under Monitor > Logs > URL Filtering.