URL-Filtering: Use profiles or specify categories in rules?

L3 Networker


Hi,

there are two ways to select which URL categories should be allowed/blocked: You can either create a URL-Filtering profile and attach it to firewall rules, or you can specify URL-categories directly in the firewall rule (destination).

Specifying URL categories directly in the firewall rule seems to have the advantage that you can immediately see which categories you allow/block directly in the rulebase, without looking into the profiles. Then again, using profiles seems to have the advantage that you can specify more actions (override, alarm etc.).

What's the general approach here? Why would you choose one over the other?

And what would happen if I would combine both approaches? e.g. Specify some destination URL categories in a firewall block rule and then add a profile that allows and logs all categories? Which takes precedence? Is it even possible to combine in such a way?

Thanks for your thoughts!


Accepted Solutions
L7 Applicator

I almost always use the Security Profiles when it comes to URL filtering enforcement.  

I believe one of the down-sides of using the URL Category directly in the rule itself with a "block" action is that you won't get a block "response page" when something is blocked.  I believe the firewall treats this like a regular traffic drop.  That's liable to generate more support calls as the users don't know why something isn't working.

The only time I have used URL Categories directly in a rule is when you want to use different Security Profiles that are based on the URL Category.  Here's a good example:

Let's say your organization has a URL filtering profile that allows these two URL categories:

- computers-and-internet-info

- games

However, you wish to block all .EXE downloads from the games category.  In order to do this, you create two firewall rules:

from trust to untrust, application=web-browsing, URL_Category=games, action=allow

   - SecurityProfile / File Blocking / Block EXE files

   - SecurityProfile / URL Filtering / Company_URL_Profile

from trust to untrust, application=web-browsing, URL_Category=any, action=allow

   - SecurityProfile / File Blocking / Permit&Log

   - SecurityProfile / URL Filtering / Company_URL_Profile

This way if you go to a games website, and download an EXE, it'll get blocked based on the first rule.  If you're surfing to any other allowed URL category, then your traffic matches against the 2nd rule, which permits & logs EXE downloads.

In the first rule, you're not technically using the Company_URL_Profile for enforcement, as no other URL categories will be matched by that rule.  However, if you wish to have the gaming URLs logged, then you need to attach the URL Filtering profile - this profile would need games=alert in order for those URLs to be logged.

That's the only time I've used the URL Category in the rule itself - when I've needed to use different security profiles on a per-URL-category-basis.

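To make the two-rule design above concrete, here is an added, simplified first-match model of a rulebase where a URL category is used as a rule match condition and security profiles are applied per rule. This is illustration code written for this thread, not PAN-OS code or any vendor API: rule names, the `Rule` class, the `evaluate()` function and the profile dictionaries are all constructed assumptions, and the model only captures what the thread discusses (first matching rule wins, profiles are evaluated on allow rules, a category in a deny rule simply drops the session).

```python
"""Toy first-match model of URL category in the rule vs. URL Filtering profile.

Added illustration only (not PAN-OS code). Assumptions made by this model:
  * rules are evaluated top-down, first match wins;
  * a rule with action "deny" drops the session without applying any profile,
    so a category placed directly in a block rule gives no response page;
  * on an "allow" rule the URL Filtering profile is consulted first, then the
    File Blocking profile, each with the per-category / per-file-type action.
"""
from dataclasses import dataclass, field

# Actions a URL Filtering profile can take per category (from the thread);
# a category matched in the rule itself only ever gets the rule's allow/deny.
URL_PROFILE_ACTIONS = {"allow", "alert", "block", "continue", "override"}


@dataclass
class Rule:
    name: str
    url_categories: set                     # {"any"} or a set of category names
    action: str                             # "allow" or "deny"
    file_blocking: dict = field(default_factory=dict)   # file type -> "block" | "alert"
    url_profile: dict = field(default_factory=dict)     # category -> URL profile action

    def matches(self, category: str) -> bool:
        return "any" in self.url_categories or category in self.url_categories


def evaluate(rulebase, category, file_type=None):
    """Return (matched rule name, verdict, log lines) for one web-browsing session."""
    for rule in rulebase:
        if not rule.matches(category):
            continue
        if rule.action != "allow":
            # Category used directly in a block rule: plain traffic deny, no
            # URL-profile response page (the point jvalentine raises above).
            return rule.name, "denied", ["traffic: deny"]
        logs = []
        # URL Filtering profile: explicit per-category action, "*" is the default.
        url_action = rule.url_profile.get(category, rule.url_profile.get("*", "allow"))
        assert url_action in URL_PROFILE_ACTIONS, url_action
        if url_action == "block":
            return rule.name, "blocked-by-url-profile", ["url: block " + category]
        if url_action != "allow":
            logs.append(f"url: {url_action} {category}")   # alert/continue/override are logged
        # File Blocking profile, only reached for allowed URL categories.
        if file_type is not None:
            fb_action = rule.file_blocking.get(file_type)
            if fb_action == "block":
                return rule.name, "blocked-by-file-blocking", logs + [f"file: block {file_type}"]
            if fb_action == "alert":
                logs.append(f"file: alert {file_type}")
        return rule.name, "allowed", logs
    return None, "denied", ["traffic: deny (no matching rule)"]


# Constructed example mirroring the accepted answer: the company profile allows
# two categories (games set to alert so game URLs get logged) and blocks the rest.
COMPANY_URL_PROFILE = {
    "computers-and-internet-info": "allow",
    "games": "alert",
    "*": "block",
}

RULEBASE = [
    Rule("games-block-exe", {"games"}, "allow",
         file_blocking={"exe": "block"}, url_profile=COMPANY_URL_PROFILE),
    Rule("web-permit-log-exe", {"any"}, "allow",
         file_blocking={"exe": "alert"}, url_profile=COMPANY_URL_PROFILE),
]


if __name__ == "__main__":
    for cat, ftype in [("games", "exe"), ("computers-and-internet-info", "exe"),
                       ("games", None), ("malware", None)]:
        print(cat, ftype, "->", evaluate(RULEBASE, cat, ftype))
```

Running it shows the behaviour the answer describes: an EXE from a games site hits the first rule and is blocked by its File Blocking profile (with the URL logged via the `games=alert` entry), an EXE from any other allowed category falls through to the second rule and is permitted and logged, and a category the profile does not allow is blocked by the profile on whichever allow rule it lands on.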


All Replies
L6 Presenter

You can use URL filtering profiles with the allow/block list option, take different actions for different categories, and have them logged in the URL filtering log.

You can use URL category (only pre-defined or custom categories), logged in the security log (if enabled); it can be used with security policies, QoS, decryption or captive portal.


L3 Networker

Thanks. Can you rephrase your second sentence? I am not quite getting it :)

L3 Networker

Thanks, jvalentine. Good point about no proper response pages when using categories in a block rule directly. Is this verified?

As for the rest of your response: Great, thanks. That helped a lot.

L5 Sessionator

JValentine is correct.  When you use a URL category in your security rule (as opposed to a URL filtering profile), the only actions you have are allow or block.  So if you want to log and/or use a custom response page (block page, continue page, override), you will need to use a URL filtering profile.

L7 Applicator

Edited to read:  I believe one of the down-sides of using the URL Category directly in the rule itself with a "block" action is that you won't get a block "response page" when something is blocked.

L3 Networker

Oh I understood your second sentence, jvalentine. My reply about not quite getting it was directed at panos (first reply in the thread).

Thanks everyone. I get it now. I am going to use profiles.
