PA L O A LT O N E T W O R K S : U R L F i l t e r i n g D a t a s h e e t

URL Filtering
Appl
Applic
icat
atio
ions
ns URLs Know
Kn own
n Th
Thre
reat
ats
s Unkn
Unknow
own
n Th
Thre
reat
ats
s
• Identify and control alll • Control traffic sources • Stop exploits, malware, • Automatically identify
applications, across alll and destinations based spying tools, and and block new and
ports, all the time. dange
g rous files. evolving
g threats.
on risk

URL Filtering: A Key Step Towards Reducing Risk

Fully integrated URL filtering database Tech-savvy users are spending more and more time on
enables granular control over web browsing their favorite web site or using the latest and greatest web
activity, complementing safe application application. This unfettered web surfing and application
enablement policies. use exposes organizations to security and business risks
including propagation of threats, possible data loss, and
• Safely enable web usage with the same policy control
mechanisms that are applied to applications—allow, lack of regulatory or internal policy compliance.
allow and scan, apply QoS, block, and more.
Stand-alone URL filtering solutions are insufficient control mechanisms
• Reduce malware incidents by blocking access to known because they are easily bypassed with external proxies (PHproxy, CGIproxy),
malware and phishing download sites. circumventors (Tor, UltraSurf, Hamachi) and remote desktop access tools
• Tailor web filtering control efforts with white lists (GoToMyPC, RDP, SSH). Controlling users’ application activity requires a
(allow), black lists (block), custom categories and integrated approach that implements policies to control web activity and the
database customization. applications that are commonly used to bypass traditional security mechanisms.
• Facilitate SSL decryption policies such as “don’t decrypt
Palo Alto Networks™ next-generation firewalls identify and control applications,
traffic to financial services sites” but “decrypt traffic
irrespective of port, protocol, encryption (SSL or SSH) or evasive characteristic.
to blog sites”.
Once identified, the application identity, not the port or protocol, becomes the
basis of all security policies, resulting in the restoration of application control.
Acting as the perfect complement to safe enablement is a URL filtering database
that controls web usage. By addressing the lack of visibility and control from
both the application and website perspective, organizations are safeguarded from
a full spectrum of legal, regulatory, productivity and resource utilization risks.
 PA L O A LT O N E T W O R K S : U R L F i l t e r i n g D a t a s h e e t

Flexible, Policy-based Control Customizable End-User Notification

As a complement to the application visibility and control Each organization has different requirements on how best
enabled by App-ID™, URL categories can be used as a match to inform end-users that they are attempting to visit a web
criteria for policies. Instead of creating policies that are page that is blocked according to the corporate policy and
limited to either allowing all or blocking all behavior, URL associated URL filtering profile. To accomplish this goal,
category as a match criteria allows for exception based administrators can use a custom block page to notify end
behavior, resulting in increased flexibility, yet more granular users of the policy violation. The custom block page can
policy enforcement. Examples of how using URL categories include references to the username, IP address, the URL they
can be used in policies include: are attempting to access and the URL category. In order to
place some of the web activity ownership back in the user’s
• Identify and allow exceptions to general security policies hands, administrators have two powerful options:
for users who may belong to multiple groups within Active
Directory (e.g., deny access to malware and hacking sites • URL filtering continue: when a user accesses a page that
for all users, yet allow access to users that belong to the potentially violates URL filtering policy, a block page
security group). warning with a “Continue” button can be presented to
the user, allowing them to proceed if they feel the site
• Allow access to streaming media category, but apply QoS is acceptable.
to control bandwidth consumption.
• URL filtering override: requires a user to correctly enter a
• Prevent file download/upload for URL categories that password in order to bypass the block page and continue
represent higher risk (e.g., allow access to unknown sites, surfing.
but prevent upload/download of executable files from
unknown sites to limit malware propagation). URL Activity Reporting and Logging
A set of pre-defined or fully customized URL filtering reports
• Apply SSL decryption policies that allow encrypted access to provides IT departments with visibility into URL filtering
finance and shopping categories but decrypt and inspect and related web activity including:
traffic to all other URL categories.
• User activity reports: an individual user activity report shows
Customizable URL Database and Categories applications used, URL categories visited, web sites visited,
To account for each organization’s unique traffic patterns, and a detailed report of all URLs visited over a specified
on-device caches are used to store the most recently accessed period of time.
URLs. Devices can also automatically query a master cloud-
based database for URL category information when an • URL activity reports: a variety of top 50 reports that display
unknown URL is found. Lookup results are automatically URL categories visited, URL users, web sites visited, blocked
inserted into the cache for future activity. Additionally, categories, blocked users, blocked sites and more.
administrators can create custom URL categories to suit
their specific needs. • Real-time logging: logs can be filtered through an easy-to-use
query tool that uses log fields and regular expressions to
analyze traffic, threat or configuration incidents. Log filters
can be saved and exported and for more in-depth analysis
and archival, logs can also be sent to a syslog server.

Deployment Flexibility
The unlimited user license behind each URL filtering
subscription and the high performance nature of the Palo
Alto Networks next-generation firewall means that customers
can deploy a single appliance to control web activity for an
entire user community without worrying about cost variations
associated with user-based licensing.

3300 Olcott Street Copyright ©2013, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks,
Santa Clara, CA 95054 the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of
Palo Alto Networks, Inc. All specifications are subject to change without notice.
Main: +1.408.573.4000
Palo Alto Networks assumes no responsibility for any inaccuracies in this document
Sales: +1.866.320.4788
or for any obligation to update information in this document. Palo Alto Networks
Support: +1.866.898.9087 reserves the right to change, modify, transfer, or otherwise revise this publication
www.paloaltonetworks.com without notice. PAN_DS_IURLF_111212