09-08-2021 07:37 AM
Multiple questions - Recently we've found that traffic not within a URL category specified in a rule is being allowed. The rule appears to be allowing the traffic as the session starts and ends with the action of allowed determined. Would using the same category within a URL filter differ from only having a category configured? It's my understanding that the only difference between the two is that the filter allows you to specify multiple categories and alert on them, whereas the URL category section does not allow for alerting and uses the action specified by the rule. We are using app-id on this rule. Is there a time to use categories only instead of a filter? My concern in using a filter is that it will block traffic allowed by another filter further down the ruleset. Does it not defeat the purpose of a filter to only alert on a single category and the remaining ones are set to none or block?
09-13-2021 12:54 PM
What most of my customers use this feature for is in the realm of zero trust. The URL category list allows you to do things like write a rule at the top of the hierarchy, block all web advertisements. But we can also specifically allow the sites users sign in to.
For example, they create EDLs of internal domains, or custom URL lists. Then they write a rule "internal-corp"
From users to internal app web browsing URL category internal URLs and that custom URL list has a credential theft setting of allow, since those are known good domains.
Everything else is set to alert at least, blocking just about everything from the profile perspective. This also allows you to configure the same profile behaviors for external apps.
Submitting corp credentials to *.microsoftonline.com or something would be okay, assuming it's on your custom URL list, but you can block lots with categories, that you attach as a profile to those rules.
In general, it's a customization feature that allows you to get more specific if you choose.
09-13-2021 03:54 PM
Multiple answers! For clarity, I assume when you say URL category, you mean URL category in a security policy rule.