2. 6.2 Configuring and managing URL Filtering
In this video, we are covering PCNSA 210, and this is our chapter on URL filtering. Now this is the second video of chapter six, which is 6.2 Configuring and Managing URL Filtering. Now this is the lab that we’ll be using to demonstrate for you how to configure and manage URL filtering. And then we’re going to do it two ways in this video. We’re going to do it through a custom list. We’re going to create a custom list, custom list, and the custom list is the most highest presence that we’ll be using.
This is the first one that will be checked. And then we’re going to create an external dynamic list, and that external dynamic list will be held on the Ubuntu server, and that will be the second highest. So first we go to the custom list, check that, then the external dynamic list, and then the cache; the custom list is already in my management machine. I already have a list of URLs that I don’t want these users in the inside zone to access. And then I’ll import that list into my firewall and apply it under the security policy rule. And then we check it, we go to the inside zone, we test it, and then we go and create an external dynamic list in the Ubuntu server; it’s already created. We’re just going to call every five minutes and check that list, and then we’re going to apply it to the security policy rule. The thing about the external dynamic list is that you can update this list on an Ubuntu server or whatever server is housed in that list.
And then the fire will check it every five minutes or whatever you set it, but you don’t need to commit it.If you create a custom list, it’s abet more static and every time you have to commit it when there’s a change. Okay, in my management machine, I’m going to show you the list that I don’t want the users to access. So, for example, if I go here, this is the list of some websites, right? And as you can see in the custom list and on the external dynamic list, it does support user wild cards. Now next I will go to my firewall and show you two places where we can apply URL filtering.
We can apply URL filtering directly to the security policy rules. So, for example, if I select one rule I can go to, there’s a tab here for URL category, and I can apply it here. If I add URL categories here, they will become part of my match condition, and then we can either allow it or do whatever we want in the action settings that will be there: setup, loss, URLs, or we can create a URL under the objects, for example, security profiles. You can create URL filtering here, and once we create that in the URL filtering, we can apply it to this action. So if we go back to policies and this inside to outside, I can go under the action and then I got profile settings and then profile type I can apply it here URL filtering I can apply it here. The difference is that this will be applied to traffic that is already allowed under the security policy.
So, for example, if there’s permission here, then we can apply these security profiles. If it’s denied, obviously we are not applying any of these. Okay, I’m going to show you how to create it. The second way is to create the security profile. So we’re going to go here under the objects and create it in the security profile. Now, as you can see, we already have a default security profile for URL filtering. And like with the other ones, we can’t delete this, we can’t edit it, it’s only read only. And as we went before we just created our own run from the scratch. But this is the best way to copy this because it’s already categorized. And then we can edit the clone. So I’ll clone it, I just selected click clone and then just click okay. And then I’m going to edit the clone. So I’m going to click the clone and just change the name. Now I’m going to put them under the name. I’m going to put the Astrid URL filtering profile in place. Now I’m going to click “Okay,” because we’re not ready to do anything yet. So first of all, what we’re going to do is we’re going to create our own custom URL category. We’re going to go into custom objects and then create our own. And then we’re going to call this from the URL filter, and we’re going to call this a custom category, okay, on our custom category. So if under the objects, custom objects and then URL category here, I’m going to call that list that I showed you earlier, this list here, right? So I’m going to add a new one, and I’m going to call it Astrid’s custom URL. URLs. And we can have, after you type the description, we can have URL types as URL list or we can have a category match. For example, if I put “category match,” then I can add my different categories here. But I’m going to do it as a list. So I’m going to take off that and put it as a URL list, and then in the URL list, you can add them one by one. So you can put for example like this, so on.
But the best way to do it is actually to have a list either downloaded or made from scratch in the notepad. And then you can just import it here. So I imported and browsed, and it’s on the desktop here. So if I click on a desktop and then click on social media sites and open those, there we go. And I click OK, now you can see all those sites that were in that note pad. They just got updated on my custom URLs, so click OK here. Now I’ve created this custom URL, and I’m going to add this custom URL to my URL history. So if I go here and open the one that I just edited, the default one that I edited and the custom URL are going to appear. Here. You see this star? That’s a custom URL.
If we see a plus sign, that means, for example, that it’s an external dynamic list. So on my custom list, I’m going to mark those sites I’m going to mark as blocked, and then we have a user credential submission for that. I’m going to say Block as well. If I say site access block, then it’s going to automatically say this is blocked, and I’m done. I created my custom site for whatever sites I put there, and I edited the default cloned it. So I didn’t edit the default; I cloned the default, edited the clone, and put my custom URLs there and clicked OK. Now I have a URL filtering profile, and I’m going to go and add it to my security policy inside and outside this year. So I’ll click the in out security policy under the action I’ll put the profiles as my URL filtering profile I just created. There we go. This is my static URL system profile. And click okay; I’ll commit this, and then we’ll go and check it. So if you see if I just go further down. Now here, you can see we have a URL system profile. I’ll reset all these counters as well. Okay, commit, and then we go and test it.
Okay, now that the committee has completed its work successfully, we can go and check it. Okay, now I need to go to my inside zone machine, which is this VCA. I resume that, and if I go back to the firewall, I’m just going to show you that if anything suspicious or anything threatening of something occurs, we will see it under the monitor logs, and then we have URL history, and they should start appearing here. Okay, so let me go back to my inside machine, and I’m going to try and access some of the website. For example, the first website I’m going to access is, let’s say, Twitch TV, right? And then I’m going to access the other website. So the first one I can access is this one. So let’s see. Okay, so if I gave Twitch TV and as you can see it says web page blocked and the reason the category as with custom URL. So if I go back to my firewall and look at the monitor log URL filtering, I’ll update that and just see that, right? So this is where I am going. So as with custom URL and the URL from inside to outside and then web browsing. And as you can see, it says “block URL.” Now I can try to access the other one. So let me try and access Facebook, for example, and Facebook as well. I can’t reach it, but I don’t see the web page blocked. But if I go to my monitoring page and refresh it, it’s going to appear there, which means it’s actually working. You see the Facebook as well; it’s blocked (blocker), and I can try and access something else. So, for example, let’s say Twitter, and that’s being blocked as well. So if I go back and refresh the monitoring, there should be something from Twitter. Now there we go; Twitter is being blocked as well.
It’s just that we’re not seeing the blocked page message. Then I can try to access something that I’m not blocking. So if I go, for example, to Wikipedia, anything that’s fine is not being blocked. The next thing we’re going to do is actually have, for example, a diminished zone. I already have some websites that want to block some different websites. So for example, if you look down here, we have the websites Gizmodo, Life hacker, ABS, Forum, Reedit, and astrid.com. These are under the block list on the Demilitarized Zone server. So what we’re going to do is call on this list from my firewall. So the first thing to do is actually create the external dynamic list. So if I go to my firewall and I go to “object,” under the object I have an “external dynamic list,” which I’m going to create its, for example, create an ad, and I’m just going to call it Astrid. External dynamic list, block, block URLs, right? And the type is not an IP list; it’s actually a URL list. We can have the main, predefined IP list. But I have an URL list, and the source IP address is one nine two. If you look at the topology, 192.168.0.1 is the IP address of that server.
So 192168 510, and the path is called block list, text file. And with this external dynamic list, we’re going to check for updates every five minutes. And the good thing is, once we apply this, we can update the list, but we don’t have to commit anything to our firewall because that’s why it’s called a “dynamic list.” And click. OK. Here. Now we need to tell you how to access that dynamic server. So we need to go into server root configuration under device go setup and then services, we have service route configuration here’s if I go in there, this is by default going to use the management interface to access it, but we want to access it through an external dynamic list. It’s going to be accessed from port three, and that’s the IP address. So if you check that’s the port one three and that’s the IP address and click okay, now I’m going to go back into external dynamic list and just check it. There is communication. So if I open that and just test the source, Okay, the source is accessible. So now we can call on this external dynamic list. We can refer to it under our URL filtering. So if I click on the URL filtering, the one that I created it and you should see now with the plus it should be my external dynamic list. There we go with the external dynamic list.
If I show you again, these are the sites we can choose what we want to do with them. For the one that we created, the custom, the static, we said block for this. Let’s just say “continue.” Right? And for this user credential submission, I’ll say block for this. So we can say alert. Like for example, site access was alert, allow block, continue override and none alert will allow the site access, will generate a log message, allow not log and still allow site access, block site access, generate log message. The user has to press the Continue button to access that site, but it will generate a log message override. The user has to know the password to access the site, or it may be known depending on the signature. Okay, so I’m going to leave it to Continue, click okay, user credential state block okay. And the rest we leave is the same as it was. So click OK. And we’re going to just check it there. We have it in the inside-to-outside zone. So we have that policy here—the URL filtering profile—and all we need to do is commit it. Okay, now the commit has been successfully completed. Before we go and test it, we need to go to the object and just check that it’s been updated. So in an external dynamic list, I’ll have to look into the list I created and then list entries. Here you see it’s populated; they’ve communicated with the other side.
So everything is ready now. So we can go to check the monitor, we need to go to monitor log and URL filtering. And this is what we had before Twitter, Facebook, and all that. But let’s check, for example, the AVS forum. So I go to my client machine; she’s inside, in the inside zone, and let me try and access Avsforum.com. Okay, now we have web pages being blocked, but we have a username as an IP address; we don’t have a user ID yet. URL, they’ve been blocked in the category, but now we have an option to continue, press Continue to access. It wasn’t just blocking. So now we can actually continue; click Continue, and we have access to the ABS forum. So if I go back to my firewall and just check the monitoring, So go to monitor logs and URL filtering, and I’ll update it while it’s updated. And you can see the ABS forum is in here now. So we can see the block continuing and then continuing.
3. 6.3 URL Filtering using Admin Override Option
On this video, we are covering PCNSA 210, and this is our chapter on URL filtering. This is the third video of Chapter 6, which is six-three URL filtering using the admin override option. Now, URL admin override password, it is needed if you do want to access, for example, if you want to give access to admins to some website that are blocked for the rest of the users if they need to know the password, password. So the administrators need to know the password, and once they add it here, they will continue, they can press continue, and they can access the website. It will be logged. So the blocked URL is a continue, so we can see what the administrator accessed for the website as well as how to create a password. So first we need to create an administrator password, which is under the device set up.
Then we have to go to the content ID and then URL admin override and we added there we add our password SSL TLS service profile. And we have two modes. We have a transparent mode and we have a redirect mode. Transparent mode ensures that blocked pages appear to originate from the blocked website, and redirect mode ensures that blocked pages originate from the configured IP address or DNS hostname on the file. So this is the laptop we’ll be using to create an administrator override. And we already have a list in the custom list. In the first video, we looked at the custom list, and in this custom list, we put it as a block access. But what we’re going to do is change that from block to override overwrite. So the password is something they need to know; the administrator also needs to know the password to be able to access it. Okay, so the next thing is I’m going to access my firewall, and in this firewall, we already have an object with a URL category called “custom object.”
And on these ones I have imported them from my machine, which is already here. These are the categories listed here. Now for this I have called it this category, this custom object URL category, we called it under the URL filtering and under here’s if I opened my own profile, and you can see it under custom URL categories here, it would operate as a block. But we’re going to change this to override. And the override means that they need to know the administrator password to access it. Okay, I’ll leave this to a still block, for example, and click okay, but then first we need to grow and create that administrator override password, and that’s located under the device. And we go to setup and we have a content ID and then we have a URL administrator override and click add here. And we’re going to create a password, this password, which is going to be Palo Alto for this. But obviously you put more harder password and we have two options we have a transparent which it looks like the response page is coming from the actual website or redirect we can put an IPad dress where the website is coming from, leave it transparent and click OK URL filtering timers. So dynamic URL cache timeout in hours is the cache timeout is 168, the continue timeout is every 15 minutes. So, for example, if you press “continue,” it’s not going to ask you again for 15 minutes. The override is 15 minutes, and the administrator lockout timeout if you enter the wrong password is 30 minutes. So let’s shorten this and click okay. I’m going to go to my policies. Just check that it is applied under the policy.
So I click from the inside zone to the outside zone, and under the actions, I have a URL filtering profile. Now if I want to access, for example, say I’m just going to commit this, then we can go and check it. Now the commit has completed successfully, we can go and check its if I go to my client and I’m going to access, say, Twitch TV, okay, now it says your connection is not private and we need to click advance, and then we proceed with that. And now we have a blocked web page that is from the Asterisk custom URLs, and we need to know the password to be able to access it. And I need to put the password here, for example, and see now that I’m okay to access it. I go back to the URL filtering profile.
So I’m just going to open the one that I accessed. And we have an option here in the URL-filtering settings: we can say “Safe Search Enforcement.” This will be used to prevent sexually explicit content from appearing in the search results. We have a header login, user Agent refer and forward it for the user Credential detection. So we can identify and prevent in-progress phishing attacks by controlling the websites to which the user can submit corporate credentials based on the sites’ URL categories. And then we have an HTTP header insertion. This will enable to access only enterprise version of SAS application and we can add insert header if missing or overrides the existing header. For example, we have a drop box google Apps, Microsoft or YouTube safe search. And then, if you do want to categorize some websites, for example, in the URL filtering, say you wanted to categorize this website, you can always click on the magnifying glass. And on there we have under details you can have request categorization change. And once we click that, then after we fill this out, we can send it to the Palo Alto networks, and they will be able to recognize if it’s wrong.
4. 6.4 Lab URL Filtering
In this video, we are covering PCNSA 210, and this is our chapter on URL filtering. Now this is the fourth video of chapter six, which is 6.4 lab URL filtering. So everything that we learned in our chapter six, we’re just going to try and put it on this lambkin this lab, we’re going to configure and create a security policy rule with a custom URL category. Well, we already have of a security policy rule, but I’m going to edit that and I’m going to create custom URL category from scratch and I’m going toad it to the security policy rule. We’re going to configure an external dynamic list to point to it because we already have a dynamic list on our server, which is located in the demonstration zone. We’re going to configure our firewall to access that list, and we’re going to bring that list into our security policy rule and create a security policy rule with a URL filtering profile. And as we go, we’re going to check the log entries.
So this is the lap topology that we’ll be using to demonstrate URL filtering for you. We have already a security policy rule that allows the inside zone users to access at the outside zone. But what we’re going to do is edit that, but I’m going to clone it and create a custom URL rule. So a custom URL rule that will say if you’re trying to access some news sites, for example, we’re not going to allow the traffic, right? And we’re going to bring that site into our firewall. Then we already have a list here, and on the Ubuntu server, I have a list of websites that users shouldn’t be accessing, and we’re going to create an external dynamic list that the user firewall is going to check from the Ubuntu server and make sure that it’s updated or lost the list of not allowed websites. Okay? So if I go to the firewall and I’ll show you, there are two places you can actually configure URL filtering, right? So in there, you can go to the security policy rule and apply it directly to the security policy rule.
So for example, let’s take this into out and you can it has already a URL category and you can apply it here.You can add all URLs here, but this will become part of the security policy rule. Or if you already created a profile, then you can add it to the profile settings, but that will be added only after the action is set to allow. So I can add a profile, and then in profile types I can put URL filtering in here, right? I’ll show you both methods in this demonstration. So the first thing is we’re going to create an object, a custom URL category object, right? So I’ll go to objects, and we have custom objects, and you have the URL category here. Now what I’m going to do is create a new site that users shouldn’t be accessing.
I already have that in my just created here not pad. So I created some news sites that maybe users shouldn’t be accessing, and I’m going to import them into my custom URL category. So I’ll go to my firewall and click “add,” and in here I’m going to just give it a name. So as a custom URL category or category in the production, obviously you write the description; the type could be a category match. For example, like if I can add different categories they already downloaded or I can put a URL list. Now URL list, you can add them one by one or you can just import them, you could write in the notepad maybe you can download differential’s and you can just import them here.
So I’ll say import, and I’m going to browse; it’s located on the desktop. New sites click okay, now these sites and we’re going to set it in our security policy that users shouldn’t be accessing. So I click okay here and I go to my policies and on this policy into out what I’m going to do, I’m going to actually clone this policy and I’m going to put the clone on the top of it, which is not going to allow those sites. So clone this before the rule, and on the clone I’m going to edit the name. So I’m just going to put custom URL for example. And on the URL, on the URL category tab, I’m going to add the one that I just created, my custom URL category, which is this one here. And on the action I’m going to say on this I’m going to reset both the client and the server. Click OK here, and then I’m going to commit it, and then we’re going to go and test it.
Okay, now that the commit has completed successfully, we can go check it, and everything that we do is going to appear in the monitor logs and URL filtering. So here, let me just refresh—there shouldn’t be anything there. Okay, so now to test it, I’m going to go to my client machine, which is in my inside zone Picasso if I show you the lab, this is allowed to go to the outside zone. And we just created a new security policy rule that will deny access to the news sites and open a web browser. And the first thing I’m going to do is go and check BBC.com, for example, so I’ll put www.bbc.com, and it says okay, “This web page has been blocked,” and that’s my iPad address URL that’s blocking it, and the category is blocking it. I can check other websites, for example, Fox News, and that’s going to be the same, and I can check the other ones as well. For example, MSNBC For example, visit MSNBC.com. Whatever we put there is going to be blocked.
Okay, so now I can go to my firewall, and under the monitor log URL filtering, I’ll refresh that, and I should have some kind of log message. Here we go. The category is a custom URL category. This the list the new site is being blocked. Okay, that demonstrates for you how to create a custom category and apply it to a security policy rule. The next thing is that I’m going to create an external dynamic list. Well, we already have an external list, and that’s located on the Demetria zone server. So I have all these, for example, in the Life Hacker ABS forum, and I created Asterisk.com as well. I can create anything you want in there. So for example, to edit that file, I can just go to the file name, “blockvploc list text,” and I can just insert a new domain. Let me just put for example aspirin local as well. Okay, so if I do again cat block list and list and now we have all those websites.
So what we’re going to do is call this an external list hosted on my Dimitri Zone server. So I’m going to call, my firewalls going to call this list. But we have to configure an external dynamic list first, which is under the object. And an external dynamic list is here. And we already have a dynamic IP list, but we can create our own one, which is: I’ll click “add here,” and I’m going to call it a strict external DL for a dynamic list. And this is the URL list. And the IP address of the server, if I look in the topology, is 192168 510.So that’s the IP address: 192168 510.And it’s called blacklist text. Right. So we can check that on my Democratic server. So, blacklist text, we are going to check this list every five minutes and click OK.
Now that everything is okay, we need to configure a service route configuration. So to do that, we go to devices and setup, then content services, then service route configuration, and in here we have to customize that for external lists. Instead of using the management interface, we’re going to use the interface, which is the management interface. If you look at the topology, that’s the interface that’s actually going to communicate with the Ubuntu server, and click OK again. Now that we have configured service route configuration and we configured external dynamic list under the objects, we need to apply this into our security policy rule which I go to policies select the security and then say into out. Again, this is a custom URL, and under the URL categories, I’ll put it here, so I’ll add it, and you can see the external dynamic list is there as well. So I click OK and I’ll leave action to reset both the client and server. So anything on the external list will be reset on both the client and server. And you can see on the external list that this one is here.
Okay. And I click okay and I commit this and then we’ll go and test it. Okay, now the commit has been successfully completed. We can go and test it, and anything will appear under the monitor logs and URL filtering. So if I go to my client inside Machine and I’ll open a new site, a new page, and I’ll type ABS forum.com and you can see this is blocked now, but it’s from Astrid external Lathe ones before that were from the custom URL, and this is from an external DL, and we can do other ones. So, for example, Lifehacker.com is blocked as well. Anything that appears on that list, where do I have it? Here I can go to the monitor locks annul filtering and you can see that everything that we did so far, for example, ABS forum, Life, hacker, everything has been now reset for both. So we block the URL; the next thing we’re going to do is create a URL filtering profile, and then we’re going to apply that URL filtering profile in the policies.
So if I go to objects and I create a security profile, we have a URL filtering profile. This is we have a default one. We can create our new one from scratch, but the best option is to actually clone the default and then edit the clone. So I’ll clone the default, and then I’ll go to change the name. So I’ll call it the “asterisk clone” default URL profile. And you can see that, you can see that already the custom URL is there as well. And we can put the external dynamic listed there as well, or we can have our own one. So for example, let’s just say on the custom URL for this I want to do Continue and user Credential submission Continue. And for this, I want to overwrite a block for the user credential. Now for Continue, the user has to press Continue to access the next site.
And to override, the user needs to know the password or administrator password. So I click OK here, and we’re going to go create an administrator password for that override option. So to do that, I’ll need to go to “device” and then under “Setup Content ID.” And then you see I have a URL admin override. So I click “Add” and also put a password here. Now, if users know this password, they can access the website, whatever the website has been designed to do. Okay, let me just fix the password. Palo Alto. Palo Alto. Okay. And as you can see, there are two modes. You can have a transparent redirect or reroute. Redirect. You can put the IP address of a website that you want to page to peer or transparent. It looks like it’s appearing from wherever you’re trying to access it. And the next thing is URL filtering the times. So you see the timeout for dynamic cache, how many hours the timeout for Continue. So if somebody presses “continue once they don’t need to press it again, everything else will be continued.
So then put this in the “reduce it to a minute override option.” So once you enter a password once, how many times do you need to enter the password? If you go to a different website, click one, and then if the lockout time is for admin logouts, for example, the wrong password, how many, and if we have a different internal web server or database server, click one. Okay, so I’m going to apply these to our policies. So the policy that I created, the custom URL, this I’m going to disable and I’m going to apply filtering profile in the normal in to out. So let me put this above, and I’ll add that in there. And this will be applied under no particular URL category, but it will be applied under the action. And after the allowed traffic, we apply the profile settings, which are profiles. And then the URL says, “here.” Okay, now I’m going to commit that, and then we can go and check it. Okay, now that the committee has completed its work successfully, we can go and check it. And as you can see here, it shows that we are applying an URL filtering profile. Now the idea is the new sites, these ones you should have Continue option and the sites, they are located here, like for example As Forum and so on, as Forum and Life Hacker and so on, they should be able to have the Continue with the override password, right? Okay, so new sites, continue with AVS Forum with the password; let’s just go and check it. So I’ll refresh this. See, now I have a “continue” option. I can press Continue, and I can access it if I press Continue here.
Now these sites will say “Continue,” but they will do so automatically for a minute. I don’t need to press “Continue” again. They will just work. It’s like I press “Continue” for JAC, and the same goes for this as well. If I wait 1 minute, I’m going to have to press “Continue” again. this site and see if this one is working. Now all these are working. This site, AVS Forum, now should have the password “continue.” So if I refresh this and it says your connection is not private, advance in there and proceed to that website. And now you can see that he says you need to put the password in to continue. And if I do, I will be able to access that. And the password was: follow the administrative password, auto, and continue. And now for the other websites, for example Life Hacker and so on, if I refresh this, this is just going to automatically for a minute, I change the timer. Yeah, for 1 minute it’s going to just Continue for me. Okay, so I can go there to check the log. So monitor logs, URL filtering, and then I’ll update all this updating. Now you can see the Life Hackers Forum, for example, where it’s overridden. And this one block overrides and continues, for example, for news, and we had to press continue for BBC and so on. Fox News, and so on. That was a demonstration for you on how to configure URL filtering through security profiles. So.