Advanced URL Filtering
Configure URL Filtering (Strata Cloud Manager)
Table of Contents
Configure URL Filtering (Strata Cloud Manager)
Strata Cloud Manager
)If you’re using Panorama to manage
Prisma Access
:Toggle over to the
PAN-OS & Panorama
tab and follow the guidance there.If you’re using
Strata Cloud Manager
, continue here.URL filtering is called
URL Access Management
in Strata Cloud Manager
- Check that yourPrisma Accesssubscription covers Advanced URL Filtering.
- Explore the URL Access Management Dashboard.Go to.ManageConfigurationSecurity ServicesURL Access ManagementMove between theAccess Control,Settings, andBest Practicestabs to explore the available URL filtering features.
- Review and customize General URL Filtering Settings.On the dashboard, go toSettingsto see the default URL Filtering settings that apply across yourPrisma Accessenvironment, including:
- URL Filtering timeout and lookup settings
- URL Filtering overrides for certain admins
- URL Filtering response pages
Automatically append end tokens to URLs in a custom URL category or external dynamic list(PAN-OS 10.1 and earlier)If you add URLs to custom URL categories or external dynamic lists (EDLs) of URL list type and don't append a trailing slash (/), you may block or allow more URLs than intended. For example, enteringexample.cominstead ofexample.com/expands matching URLs to example.com.website.info or example.com.br.Prisma Accesscan automatically append a trailing slash to URLs in custom URL categories or EDLs so that, if you enterexample.com,Prisma Accesstreats it as it would treatexample.com/and only considers that domain and its subdirectories matches. Go toand enable theSettingsGeneral SettingsAppend End Token to Entriesoption.(PAN-OS 10.2 and later)Prisma Accessautomatically adds a trailing slash to domain entries.You can customize these settings for each deployment type (mobile users, remote networks, or service connections). - Create a URL Access Management profile.On the URL Access Management dashboard,Add Profileand continue to specify web access settings:
- Access Controldisplays the URL categories and lists for which you can define web access and usage policy. By default, theSite AccessandUser Credential Submissionpermissions for all categories are set toAllow.
- For each URL category, configureUser Credential Detectionso that users can submit credentials only to sites in specified URL categories.
- EnableSafe Search Enforcementto enforce strict safe search filtering.
- EnableLog Container Page Onlyto log only those URLs that match the content type that is specified.
- EnablingHTTP Header Loggingprovides visibility into the attributes in the HTTP request sent to a server.
- Use theAdvanced URL Inline Categorizationto enable and configure real-time web page analysis and manage URL exceptions.
- Enable local Inline Categorization—Enables real-time analysis of URL traffic using machine learning models, to detect and prevent malicious phishing variants and JavaScript exploits from entering your network.
- Enable cloud Inline Categorization—Enables real-time analysis of URLs by forwarding suspicious web page contents to the cloud for supplemental analysis, using machine learning based detectors that complement the analysis engines used by local inline ML.
- You can define URLExceptionsfor specific web sites to exclude from inline machine learning actions.
Note that:- Best practice checks are built-in to the profile to give you a live evaluation of your configuration.
- After you’ve finished enabling a profile, you can examine profile usage to see if any security policy rules are referencing the profile.
- Apply the URL Access Management profile to a Security policy rule.A URL Access Management profile is only active when it’s included in a profile group that a Security policy rule references.Follow the steps to activate a URL Access Management profile (and any Security profile). Be sure toPush Config