Introduction to Palo Alto Networks URL Filtering

A subscription service from Palo Alto Networks, URL Filtering with PAN-DB, provides users with secure web browsing and URL access by blocking dangerous sites that deliver malware, attempt to circumvent security controls, or steal credentials through phishing attacks.

URL Filtering on the Palo Alto Networks Next-Generation Firewall offers granular control of web traffic by integrating with Active Directory (AD) via User-ID Agents, making it possible to apply policies to AD users and/or groups while simplifying management.

URL Filtering policies can also be enforced when common evasion tactics are used, such as cached search results and language translation sites. Combining fast cloud URL lookups with a local cache (instead of a large database download) keeps categorization accurate and current while also keeping web browsing fast.

Active Directory Integration using User-ID (User Name to IP Address Mapping)
User Name to IP Address Mapping is achieved by utilizing two Windows Servers running the Palo Alto Networks User-ID Agent software. The servers are responsible for pulling event logs from two Global Catalog servers in order to map user accounts to an IP Address.  

Fig 1.1- PAN Login

The Palo Alto Networks Next-Generation Firewalls connect to the servers to retrieve the user name to IP Address mapping.

PAN-DB URL Categorization Workflow
The firewall determines the URL category by comparing the URL with the following components (in order) until it finds a match:

Fig 1.2- URL Category

Note that if a requested URL matches an expired entry in the data plane (DP) URL cache, the cache responds with the expired category, but also sends a URL categorization query to the management plane (MP) cache. This prevents unnecessary delays in the DP, assuming that the frequency of category change is low. 

Fig 1.3- URL Filtering Profile

Similarly, in the MP URL cache, if a URL query from the DP cache matches an expired entry in the MP cache, the MP responds to the DP with the expired category and will also send a URL categorization request to the PAN-DB cloud database. Upon getting the response from the cloud, the firewall sends the updated category to the DP.

As new URLs and categories are defined, or if critical updates are needed, the cloud database is updated. Each time the firewall queries the cloud for a URL lookup, or if no cloud lookups have occurred for 30 minutes, the database versions on the firewall and in the cloud are compared, and if they do not match, an incremental update is performed.
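The DP, MP and cloud lookup sequence described above, modelled as an added Python illustration (not PAN-OS code): each tier answers an expired entry immediately and queues a refresh to the next tier, so a stale hit never waits on the cloud, and a cloud answer updates MP and DP together. The TTLs, the `CLOUD` dictionary and the `unknown` fallback are constructed values.

```python
CLOUD = {"example.com": "business-and-economy", "bad.example": "malware"}  # constructed stand-in for PAN-DB

class TierCache:
    """One cache tier (DP or MP): an expired hit is answered with the stale category and queued for refresh."""
    def __init__(self, ttl):
        self.ttl, self.entries, self.pending = ttl, {}, set()

    def lookup(self, url, now):
        """Return (category, stale); (None, False) is a true miss."""
        if url not in self.entries:
            return None, False
        category, expires_at = self.entries[url]
        if now >= expires_at:
            self.pending.add(url)          # serve stale now, refresh in the background
        return category, now >= expires_at

    def store(self, url, category, now):
        self.entries[url] = (category, now + self.ttl)

class Firewall:
    def __init__(self, cloud, dp_ttl=60, mp_ttl=600):   # TTLs are constructed, not PAN-OS values
        self.dp, self.mp, self.cloud = TierCache(dp_ttl), TierCache(mp_ttl), cloud
        self.cloud_queries = 0             # cloud round trips, for the assertions

    def _cloud_lookup(self, url, now):
        self.cloud_queries += 1
        category = self.cloud.get(url, "unknown")   # constructed fallback category
        self.mp.store(url, category, now)           # cloud answer updates MP ...
        self.dp.store(url, category, now)           # ... which pushes it to DP
        return category

    def categorize(self, url, now):
        # Return (category, source); only a true miss blocks on the next tier.
        category, stale = self.dp.lookup(url, now)
        if category is not None:
            return category, "dp-stale" if stale else "dp"
        category, stale = self.mp.lookup(url, now)
        if category is not None:
            self.dp.store(url, category, now)
            return category, "mp-stale" if stale else "mp"
        return self._cloud_lookup(url, now), "cloud"

    def refresh(self, now):
        """Background step: DP's expired hits ask MP; MP's expired hits ask the cloud."""
        for url in list(self.dp.pending):
            category, _ = self.mp.lookup(url, now)   # queues at MP too if stale there
            if category is None:
                category = self._cloud_lookup(url, now)
            self.dp.store(url, category, now)
        for url in list(self.mp.pending):
            self._cloud_lookup(url, now)
        self.dp.pending.clear(); self.mp.pending.clear()
```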

Security Profile Groups and URL Filtering Profiles
Below is a screenshot of the Security Profile Group called “ndna-custom-all-alert-url-block” which was created specifically for the implementation of this service.  

Fig 1.4- Security Group Profile

The URL Filtering Profile called “ndna-custom-url-block” was added to ndna-custom-all-alert-url-block to ensure that website requests are inspected.

Fig 1.5- URL Block

Above is a screenshot of the blocked categories under the URL Filtering Profile called ndna-custom-url-block.

In addition to the dynamic categories from Palo Alto Networks, there are 3 custom categories that are blocked. The categories can be consolidated into a single External Dynamic List in the future.

The URL Filtering Profiles are located under Panorama > Device Groups > Objects > Security Profiles > URL Filtering. Click on the name of the profile to edit or view the URL Filtering Profile.