PA L O A LT O N E T W O R K S : I n t e g r a t e d U R L F i l t e r i n g D a t a s h e e t

Integrated URL Filtering

Fully integrated URL ltering database enables policy control over web browsing activity, complementing the policy-based application visibility and control that the Palo Alto Networks next-generation rewalls deliver.

DATA
CC # SSN Files

THREATS
Vulnerability Exploits Viruses Spyware

URLS
Web Filtering

Securely enable web usage with the same policy control mechanisms that are applied to applications allow, allow and scan, apply QoS, block and more. Reduce malware incidents by blocking access to known malware and phishing download sites. Tailor web ltering control efforts with white lists (allow), black lists (block), custom categories and database customization. Facilitate SSL decryption policies such as dont decrypt traffic to financial services sites but decrypt trafc to blog sites.

Content-ID

Todays tech-savvy users are spending more and more time on their favorite web site or using the latest and greatest web application. This unfettered web surng and application use exposes organizations to security and business risks including propagation of threats, possible data loss, and lack of regulatory or internal policy compliance.
Stand-alone URL filtering solutions are insufficient control mechanisms because they are easily bypassed with external proxies (PHproxy, CGIproxy), circumventors (Tor, UltraSurf, Hamachi) and remote desktop access tools (GoToMyPC, RDP, SSH). Controlling users application activity requires a multi-faceted approach that implements policies to control web activity and the applications that are commonly used to bypass traditional security mechanisms. Palo Alto Networks next-generation firewalls identify and control applications, irrespective of port, protocol, encryption (SSL or SSH) or evasive characteristic. Once identified, the application identity, not the port or protocol, becomes the basis of all security policies, resulting in the restoration of application control. Acting as the perfect complement to policy-based application control is a URL filtering database that securely enables web usage. By addressing the lack of visibility and control from both the application and website perspective, organizations are safeguarded from a full spectrum of legal, regulatory, productivity and resource utilization risks.

PA L O A LT O N E T W O R K S : I n t e g r a t e d U R L F i l t e r i n g D a t a s h e e t

Flexible, Policy-based Control As a complement to the application visibility and control enabled by App-ID, URL categories can be used as a match criteria for policies. Instead of creating policies that are limited to either allowing all or blocking all behavior, URL category as a match criteria allows for exception based behavior, resulting in increased flexibility, yet more granular policy enforcement. Examples of how using URL categories can be used in policy include: Identify and allow exceptions to general security policies for users who may belong to multiple groups within Active Directory (e.g., deny access to malware and hacking sites for all users, yet allow access to users that belong to the security group). Allow access to streaming media category, but apply QoS to control bandwidth consumption. Prevent file download/upload for URL categories that represent higher risk (e.g., allow access to unknown sites, but prevent upload/download of executable files from unknown sites to limit malware propagation). Apply SSL decryption policies that allow encrypted access to finance and shopping categories but decrypts and inspects traffic to all other categories. Customizable URL Database and Categories To accommodate the rapidly expanding number of URLs, as well as regional and industry-specific URLs, the 20 million URL database can be augmented to suit the traffic patterns of the local user community. If a URL is detected that is not categorized by the local URL database, the firewall can request the category from a hosted 180 million URL database. The URL is then cached locally in a separate 1 million URL capacity database. In addition to database customization, administrators can create custom URL categories to further tailor the URL controls to suit their specific needs.

Customizable End-User Notication Each organization has different requirements regarding how to inform end users that they are attempting to visit a web page that is blocked according to the corporate policy and associated URL filtering profile. To accomplish this goal, administrators can use a custom block page to notify end users of the policy violation. The page can include references to the username, IP address, the URL they are attempting to access and the URL category. In order to place some of the web activity ownership back in the users hands, administrators have two powerful options: URL filtering continue: when a user accesses a page that potentially violates URL filtering policy, a block page warning with a Continue button can be presented to the user, allowing them to proceed if they feel the site is acceptable. URL filtering override: requires a user to correctly enter a password in order to bypass the block page and continue surfing. URL Activity Reporting and Logging A set of pre-defined or fully customized URL filtering reports provides IT departments with visibility into URL filtering and related web activity including: User activity reports: an individual user activity report shows applications used, URL categories visited, web sites visited, and a detailed report of all URLs visited over a specified period of time. URL activity reports: a variety of top 50 reports that display URL categories visited, URL users, web sites visited, blocked categories, blocked users, blocked sites and more. Real-time logging: logs can be filtered through an easy-to-use query tool that uses log fields and regular expressions to analyze traffic, threat or configuration incidents. Log filters can be saved and exported and for more in-depth analysis and archival, logs can also be sent to a syslog server. Deployment Flexibility The unlimited user license behind each URL filtering subscription and the high performance nature of the Palo Alto Networks next-generation firewall means that customers can deploy a single appliance to control web activity for an entire user community without worrying about cost variations associated with user-based licensing.

3300 Olcott Street Santa Clara, CA 95054 Main: +1.408.573.4000 Sales: +1.866.320.4788 Support: +1.866.898.9087 www.paloaltonetworks.com

Copyright 2011, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_DS_IURLF_101811