This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

URL Categories vs URL Filtering

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

URL Categories vs URL Filtering

CBeaver
L0 Member

‎09-08-2021 07:37 AM

Multiple questions - Recently we've found that traffic not within a URL category specified in a rule is being allowed. The rule appears to be allowing the traffic as the session starts and ends with the action of allowed determined. Would using the same category within a URL filter differ than only having a category configured? It's my understanding that the only difference between the two is that the filter allows you to specify multiple categories and alert on them, whereas the URL category section does not allow for alerting and uses the action specified by the rule. We are using app-id on this rule. Is there a time to use categories only instead of a filter? My concern in using a filter is that it will block traffic allowed by another filter further down the ruleset. Does it not defeat the purpose of a filter to only alert on a single category and the remaining ones are set to none or block?

0 Likes Likes
2 REPLIES 2

LAYER_8
L5 Sessionator

‎09-13-2021 12:54 PM

What most of my customers use this feature for is in the realm of zero trust. The URL category list allows to do things like write a rule at the top of the hierachy, block all web advertisements. But we can also specifically allow the sites users sign-in to. 


For example, they create EDLs of internal domains, or custom URL lists. Then they write a rule "internal-corp"

 

From users to internal app web browsing URL category internal URLs and that custom URL list has a credential theft setting of allow, since those are known good domains. 

 

Everything else is set to alert at least, blocking just about everything from the profile perspective. This also allows you to configure the same profile behaviors for external apps. 

 

Submitting corp credentials to *.microsoftonline.com or something would be okay, assuming it's on your custom URL list, but you can block lots with categories, that you attach as a profile to those rules. 

 

In general, it's a customization feature that allows you to get more specific if you choose.

Help the community! Add tags and mark solutions please.

TomYoung
Cyber Elite
Cyber Elite

‎09-13-2021 03:54 PM

Multiple answers!  For clarity, I assume when you say URL category, you mean URL category in a security policy rule.

  1. "Recently we've found that traffic not within a URL category specified in a rule is being allowed."  Any subsequent security policy rule allowing web-browsing or ssl will allow the traffic.  Only traffic matching your category will match your rule.  The advantage to URL filtering is that the security policy rule will match all web-browsing or ssl traffic, and not look for a subsequent security policy rule match.
  2. "Would using the same category within a URL filter differ than only having a category configured?"  Yes, because it can perform different functions for different categories.
  3. "Is there a time to use categories only instead of a filter?"  The most common example is if you want to use the additional fields in the security policy rule.  For example, HR (source user) is allowed to go to YouTube for training videos.
  4. "My concern in using a filter is that it will block traffic allowed by another filter further down the ruleset."  This is the preferred implementation of pre-defined categories in URL filtering.  If you block a pre-defined category, you want to block all URLs in the category even if they match other pre-defined URL categories.  The entries above the pre-defined categories allow exceptions to this rule and the priority is from top down.
  5. "Does it not defeat the purpose of a filter to only alert on a single category and the remaining ones are set to none or block?"  No.  Your URL filtering example allows for a flexible corporate security policy and logging.

 

Help the community: Like helpful comments and mark solutions.
(1)
  • 5894 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks