Each website defined in the URL filtering database is assigned one of approximately 60 different categories. These categories can then be used in a URL filtering profile to block or allow access based on category, or you can configure the firewall to use a category as match criteria in policy. For example, to block all gaming websites, in the URL filtering profile you would set the block action for the URL category games. As an example of using a URL category as match criteria in a policy, you could use the corresponding URL category in a QoS policy to apply bandwidth controls to all websites that are categorized as streaming media.
A URL filtering profile is a collection of URL filtering controls that are applied to individual security policies to enforce your web access policy. The firewall comes with a default profile that is configured to block websites such as known malware sites, phishing sites, and adult content sites. You can use the default profile in a security policy, clone it to be used as a starting point for new URL filtering profiles, or add a new URL profile that will have all categories set to allow for visibility into the traffic on your network. You can then customize the newly added URL profiles and add lists of specific websites that should always be blocked or allowed, which provides more granular control over URL categories. For example, you may want to block social-networking sites, but allow some websites that are part of the social-networking category.
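The social-networking case above can be modeled in a few lines of Python. This is an added illustration, not PAN-OS code: the class, the function names, the hostnames and the category table are constructed for the example, and checking the block list before the allow list is an assumption of this model.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the URL filtering database (host -> category).
CATEGORY_DB = {
    "social.example": "social-networking",
    "jobs-network.example": "social-networking",
    "arcade.example": "games",
    "news.example": "news",
}


def normalize_host(url):
    """Return the lowercase host of a URL, with or without a scheme."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat the leading part as the host
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


class UrlFilteringProfile:
    """Hypothetical model of a profile: per-category actions plus two lists."""

    def __init__(self, category_actions, allow_list=(), block_list=()):
        self.category_actions = dict(category_actions)
        self.allow_list = {normalize_host(h) for h in allow_list}
        self.block_list = {normalize_host(h) for h in block_list}

    def evaluate(self, url):
        """Return (action, reason) for a requested URL."""
        host = normalize_host(url)
        # Assumption of this model: the block list is checked before the allow list.
        if host in self.block_list:
            return ("block", "block-list")
        if host in self.allow_list:
            return ("allow", "allow-list")
        category = CATEGORY_DB.get(host, "unknown")
        # Categories with no explicit action are allowed, as in a newly added profile.
        return (self.category_actions.get(category, "allow"), category)


def sample_profile():
    """Block two categories, allow one social-networking site, block one IP."""
    return UrlFilteringProfile(
        category_actions={"social-networking": "block", "games": "block"},
        allow_list=["jobs-network.example"],
        block_list=["192.0.2.10"],
    )


if __name__ == "__main__":
    for url in ("https://social.example/feed", "https://jobs-network.example/in"):
        print(url, sample_profile().evaluate(url))
```

The second element of the result records why a request was allowed or blocked, which makes it easy to see when a list entry overrode the category action.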
Block and allow lists allow you to define specific URLs or IP addresses in the URL filtering profile that are always allowed or always blocked, regardless of the action defined for the URL category. When entering URLs in these lists, enter each URL or IP address in a new row separated by a new line. When using wildcards in the URLs, follow these rules:
Many search engines have a safe search setting that filters out adult images and videos in search query return traffic. On the firewall, you can Enable Safe Search Enforcement so that the firewall will block search results if the end user is not using the strictest safe search settings in the search query. The firewall can enforce safe search for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube. This is a best-effort setting and is not guaranteed by the search providers to work with every website.
To use this feature you must enable the Safe Search Enforcement option in a URL filtering profile and attach it to a security policy. The firewall will then block any matching search query return traffic that is not using the strictest safe search settings. There are two methods for blocking the search results:
Because most search providers now use SSL to return search results, you must also configure a decryption policy for the search traffic to enable the firewall to inspect the search traffic and enforce safe search.
Safe search settings differ by search provider as detailed in Table: Search Provider Safe Search Settings.
|Search Provider|Safe Search Setting Description|
A container page is the main page that a user accesses when visiting a website, but additional websites may be loaded within the main page. If the Log Container page only option is enabled in the URL filtering profile, only the main container page will be logged, not subsequent pages that may be loaded within the container page. Because URL filtering can potentially generate a lot of log entries, you may want to turn on this option, so log entries will only contain those URIs where the requested page file name matches the specific mime-types. The default set includes the following mime-types:
URL categories can be used as a match criteria in a policy to provide more granularity in the policy. For example, you may have a decryption policy defined, but you would like specific websites to bypass decryption. To do this, you would configure a decryption policy with the no-decrypt action and a URL category would be defined as match criteria for the policy rule, so the policy would only match traffic flows to websites that are part of the specified category.