Video Tutorial: Advanced URL Filtering

Captions
This is a Palo Alto Networks video tutorial. My name is Joe DeLeo and I'm a solutions engineer from the Palo Alto Networks community team. In today's video I will be talking about advanced URL filtering. This is the second video in the series talking about URL filtering. The video is designed to help you better understand and configure URL filtering in PAN-OS 6.1.

We will be covering the following topics in this advanced URL filtering video tutorial. The first topic is monitoring web activity: using the ACC to monitor the web activity; we can view URL filtering reports inside the reports section; you can have user activity or the URL filtering custom reports you can create. The second topic that we'll be talking about here is response pages. The third is how to match traffic based on URL category for different policy enforcement. We'll be briefly talking about decryption and the safe search options.

The first item that we have is to use the ACC to monitor web activity. In my previous video on URL filtering I showed you how to create a passive URL filtering policy as well as how to use the URL filtering logs to see what sites are being accessed. Now I'll show you how to use the ACC, which is the Application Command Center, to monitor the web activity. You go into the second tab here up top, and this is where the ACC is located. Please notice that at the top of the window you have a time period in which to see; you can go to 6 hours, 12 hours, 7 days, 30 days, whichever you wish, to see exactly what's going on. You have to hit Submit to see the results. Once it's populated, again, scroll down to the URL Filtering sections to see exactly what sites are being accessed, how many times they are, and about how much data is being sent. The results will be organized according to the number of sessions. You can also change these from the URL categories to URLs, blocked URL categories, or just blocked URLs.

Next up are all the URL reports. The first report that I will show you is
about the URL filtering reports. To view the default URL filtering reports, select Monitor, then click on Reports, and then under the URL Filtering Reports section we will have these built-in reports for URL categories, users, user behavior, websites, blocked categories, users, blocked user behavior and blocked sites. Inside all these report categories, this is going to be for a 24-hour period, and the day is selected by choosing the day in the calendar section below. You can use the data on the screen or, if you'd like to, you have the option to export to PDF, comma-separated values (CSV) or XML for all of these reports.

Next up is the user activity report. To configure the user activity report, you have to click on Monitor, then PDF Reports on the left-hand side, and then User Activity Report. You have to click Add in the lower left-hand corner of the screen and enter a report name, whichever you'd like, and you either have to give the username or the IP address of the user in question. If you have User-ID configured, then you can go ahead and put in the username, and you even have options sometimes to hit the drop-down for any user if you have the User-ID information already populated. Otherwise, the IP address of my test machine is 172.16.77.209, and then you have a time period in which you can choose to do it, and if you'd like to you can include detailed browsing information there. You can either hit OK and use it as part of an email, or go ahead and hit Run Now to run the report and see the contents. Once the report is done you'll be given an option to download the user activity report or cancel it. We'll just download a PDF to the machine, at which point in time you can open it up in a new window and view the results. You'll see that I'll have application usage, traffic summary by URL category, by website, any sites that were blocked, and again this is more detailed web browsing activity that will show the time, the application, category, action, what URLs they visited and approximately how
long we were on the site for. Once done with that, you can close it and go back, close it, and again, if you'd like to keep this, you can just hit OK and you'll see it be saved inside of here to rerun whenever you'd like.

Next up is the custom URL filtering reports. To generate a detailed report that can also be scheduled, you can configure a custom report and select from a list of all available URL filtering log fields. To add a new custom report you need to go to Monitor and then to Manage Custom Reports. From here we need to click Add in the lower left-hand corner. We need to enter a report name here, which we'll type in. Okay, from the Database you'll want to hit the drop-down and make sure that you choose the detailed logs for URL. Then we need to configure the report options. We need to select the time frame, exactly what you would like to do in time: twelve hours, seven days, whichever you'd like. You have additional options here on the Sort By, how many that you'd like to sort by: top 500, repeat count, user agent. You also can have the Group By, whatever the category you'd like to have for the group by, and up to fifty different groups to be grouped. There are lots of available columns. I've quickly gone through, and for the selected columns for the report here I have action, repeat count, category, destination country, source user (or I'll show source IP) and the URL. That's traditionally what is in a URL report that would be the most beneficial, but you can change it and customize it and make it however you want. You also have the ability to do a custom query here if you'd like to manually write a report and then add it, and you'll see the custom query builder show up here. When you'd like to, you can hit Run Now, and in a different tab it will go ahead and run it and we'll see this. You have the ability again for this to export to PDF, CSV or XML, or close that, hit OK, and it will save this here, which you then can use to have a scheduled report, email scheduler or whatnot for that. All set. If the report
that is run looks good and satisfactory after you manually run the report, and you would like to have it scheduled, you have to make sure that you go into the custom report and check the Scheduled box. You hit OK; you'll notice that it will show a check box by Scheduled. At that point in time you then can have the email scheduler and check for it to be run in the reports section underneath your custom reports, but it will only show up after you commit the change.

Next topic that we can talk about are the response pages, underneath Device and Response Pages. Response pages are HTML web pages that are used in conjunction with URL filtering, QoS, decryption and other functions, but we're only going to be talking about the URL filtering response pages in this video tutorial. Underneath Device and Response Pages you'll see listed here all the different types of response pages that are available, from antivirus, application block pages, captive portal, file blocking, GlobalProtect login pages, decryption options, and then lastly you have three different URL filtering options: there's a category match block page, the continue and override page, and you have the safe search block page. You can either use the predefined pages or you can customize the URL filtering response pages to communicate your specific acceptable use policy and/or corporate branding. In addition, you can use the URL filtering response page variables for substitution at the time of the block event and add one of the supported response page references to external images, sounds or style sheets. All these details are actually covered in the admin guides; the links are at the end of the transcript that is printed below the video.

Please note that you must enable the response pages option inside the management profile. I'll show you where that is: it's actually found inside of Network and then inside of Interface Mgmt. You'll see in here, whichever one that you choose, you have to have the response pages as a
permitted service, and this actually has to be on an interface. I have the allow-secure profile, which has the response pages checked. Inside of my interfaces, Ethernet 1/4, this is my trust interface. This is what faces the customers; this is where you have to have that profile enabled on that interface in order for the response pages to work. Any more information on all the variables, again, is covered in the admin guides. One last thing in the response pages section: for each one of these you have the option to either just choose a predefined page, which you can then export and view (it's just an XML or, you know, HTML page), or import, if you have certain content that you want to build up that you get from the admin guides.

Next we're going to be talking about matching traffic based on URL category for policy enforcement. After you have monitored URL traffic and run through the steps that we outlined, you should have a basic understanding of what types of websites and website categories users are accessing. With all this information you're ready to create custom URL filtering profiles and attach them to security policy rules that allow web access. I'll actually go through and show you a simple policy that matches traffic based upon URL category to control access to facebook.com and to block other social media sites. In this use case a URL filtering policy is applied to the security policy that allows web access for users, to block the social networking URL category but to use the allow list in the URL profile to allow certain things; like in this example, it's going to be Facebook.

So the first thing we're going to do is make sure that we either create a new URL filtering profile or clone one inside of Objects, Security Profiles, URL Filtering, which is pretty familiar to us by now. We will show you about cloning this default policy here. Once it makes a clone, it's going to be at the bottom. We can go into the options and call it Allow Facebook. Again, if
you had additional blocks, you could put them here. In the allow list we're going to put in facebook.com as well as *.facebook.com. It is very important that we have both the facebook.com and the *.facebook.com, because even though they look exactly the same, they are actually two different URLs. So it's very important that you have those both in there, and you always want to keep that in mind when you're having to block or allow any site in the future, that you may actually have to put both of those entries in there.

Next we need to find the social networking category and change the action from allow or alert to block. You can do this two ways: you can either scan through the list of, as it says, 64 different categories here for the social networking, or you can start to type in "social" here and search and find social networking. Change that to block and it blocks the whole category. You can then clear that out and have the full list again. Once we click OK to that, we need to make sure that the new profile is placed into a rule. Go into our policies; my trust-to-untrust rule here is where the traffic is going out. Go to the Actions column; for the URL filtering we need to make that our new URL filtering profile. It's going to be allowing traffic through, but it will block based upon this URL filtering profile.

Once we OK that and then commit the changes, we'll take a look at this from a client that is behind the firewall. Attempting to access Twitter, we get a block page. It will show you your IP address, the URL and the category. These are the options that actually can be changed inside of the response pages if necessary: you can change your branding here, you can change any logos, pretty much customize it whatever you would like to do. Now let's see if we can go to facebook.com, and it allows it through without blocking the page. Back in the firewall we can look at the logs, going in to Monitor and URL Filtering. Inside here we can actually
see the access that we had going to Twitter, and we see that it was actually blocked. We also see if the page was decrypted or not. This Decrypted column is not there by default; you hit any other column here, go to Columns, and inside of here you can see the Decrypted option. Once you check that, it will add this Decrypted column and it will tell you if it's decrypting the page or not. That's the way that you have to do it in order to get the response pages to work with HTTPS sites.

Notice again that the action being block or alert is the only way that the traffic will show up inside the URL filtering logs. If it's allowed, like it was for Facebook, it's not going to show up inside the URL filtering logs unless you alert on it; otherwise it's just going to show up inside of the traffic logs with just normal traffic that is logged via the security policy, showing access to Facebook there. Here, by looking at the allow logs, you can see the application, you can double-check the category is social networking, and it is being allowed and it's being decrypted there. We can double-check inside of the logs here: you can look at the Twitter traffic, you can see that it is social networking and it is being blocked.

Next item up is going to be the decryption. The URL categories can be used as a match criteria inside of a decryption policy also. I will not cover all that you need to enable the decryption; we're just going to talk about the URL filtering and how it's used in conjunction with the decryption. We can see that inside of Policies and then the Decryption policy that we have configured. You can see that I have two policies in place: one that I've listed for financial and health care, and one for just overall decrypted traffic. The first one, for financial and health care: this is traffic going from trust to untrust; the URL categories that we have listed are for financial services, for banks, health and medicine, any personal information. We set
it to not decrypt, and so it will avoid all traffic going to hospitals, medicine, health, and then financial services, bank, investing. Due to your security policy, most likely you will be set to not decrypt that data to respect privacy. All other traffic is set to decrypt, and the URL category is set to any for that. Please note that all this information for setting up the decryption is inside the admin guides listed in the knowledge base, or a future video tutorial is going to be talking about how to configure the SSL forward proxy decryption.

The last category was for talking about safe search. Just about every popular search engine out there, Yahoo, Google, Bing and YouTube, has a safe search option in order to filter out not-safe-for-work or adult results from all your search results. When this option is enabled on the Palo Alto Networks firewall, this will prevent users who are searching the internet and are using one of the following search providers, Bing, Google, Yahoo, Yandex or YouTube, from viewing the search results unless the strictest safe search option is set in their browsers for these search engines. By default, when you enable the safe search enforcement, when a user attempts to perform a search without using the strictest safe search settings, the firewall will block the search query results and display the URL filtering safe search block page, the response page. This page provides a link to the search settings page for the corresponding search provider so that the end user can enable the safe search settings. If you plan to use this default method for enforcing safe search, you should communicate this policy to your end users prior to deploying the policy. You need to see the admin guide under search provider safe search settings for the details on how each provider implements safe search. Again, if you'd like to enable it: inside of Objects, Security Profiles and URL Filtering, here inside of the currently used URL filtering profile, underneath Settings, this is
where you enable the safe search enforcement. You hit OK and then you commit to make that change permanent.

Here are some notes that you need to be aware of with safe search. You can restrict users to specific search engines if you have the need; again, all the details on how you limit this are covered inside of the admin guides. Secondly, because most search engines encrypt their search results, you must enable the SSL forward proxy decryption so the firewall can inspect the search traffic and detect the safe search settings. Thirdly, you can also enable transparent safe search enforcement; again, this information is inside of the admin guide if you'd like to know how to do this.

If you have any questions about URL filtering after watching this video, please make sure that you have gone through my first URL filtering video. I'll be providing links to this again inside of the transcript below. Also inside of the transcript are links to all the admin guides for all of the supported PAN-OS versions: 5.0, 6.0, 6.1 and 7. That concludes this video tutorial. We hope you've enjoyed this video. Thank you very much for watching, and we welcome all feedback, so don't be shy and comment away. Thank you very much, have a great day.
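The allow-list behaviour walked through in the transcript, as an added example that is not part of the video or Palo Alto Networks' code: a simplified Python model in which an allow-list entry is checked before the category action, showing why both `facebook.com` and `*.facebook.com` are needed. The category table, the function names, the default action and the rule that a leading `*` stands for one or more hostname labels are assumptions for illustration.

```python
# Added illustration; a simplified model, not PAN-OS's own matching code.
# Constructed category table standing in for the firewall's URL database.
CATEGORY_DB = {
    "facebook.com": "social-networking",
    "twitter.com": "social-networking",
}


def entry_matches(entry, host):
    """Match one allow-list entry against a hostname, label by label.

    Assumption: a leading "*" label stands for one or more labels, so
    "*.facebook.com" covers "www.facebook.com" but not "facebook.com".
    """
    e_labels = entry.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if e_labels[0] == "*":
        suffix = e_labels[1:]
        return len(h_labels) > len(suffix) and h_labels[-len(suffix):] == suffix
    return e_labels == h_labels


def category_of(host):
    """Return the category of the longest known suffix of the hostname."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        site = ".".join(labels[i:])
        if site in CATEGORY_DB:
            return CATEGORY_DB[site]
    return "unknown"


def decide(host, allow_list, category_actions):
    """Return (action, reason); the allow list is checked before categories."""
    for entry in allow_list:
        if entry_matches(entry, host):
            return "allow", "allow-list entry " + entry
    category = category_of(host)
    # Assumed default: categories without an explicit action are allowed.
    return category_actions.get(category, "allow"), "category " + category


# Profile from the walkthrough: block social networking, allow Facebook.
ACTIONS = {"social-networking": "block"}
BOTH = ["facebook.com", "*.facebook.com"]

if __name__ == "__main__":
    for allow in (["facebook.com"], ["*.facebook.com"], BOTH):
        for host in ("facebook.com", "www.facebook.com", "twitter.com"):
            print(allow, host, decide(host, allow, ACTIONS))
```

With only one of the two entries, either the bare domain or its subdomains still fall through to the blocked social-networking category.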
Info
Channel: Palo Alto Networks LIVEcommunity
Views: 35,150
Keywords: url_filtering, palo_alto_networks, web_access, internet_access, internet_controls, PAN-OS, PAN firewall, blocked_site, block_web_site, decryption, safe_search, response_pages
Id: uuCyhsM5ClE
Length: 23min 17sec (1397 seconds)
Published: Mon Nov 30 2015