Examining a URL Filtering profile
KB0012862 - Latest Version
6.0 - Updated on 2022-09-02 by itsm kb_api
5.0 - Updated on 2022-04-01 by itsm kb_api
4.0 - Updated on 2022-03-10 by itsm kb_api
3.0 - Updated on 2020-01-24 by itsm kb_api
2.0 - Updated on 2019-04-10 by Admin Michael Baldwin
1.0 - Authored on 2019-04-10 by John Ives
The Information Security Office (ISO) creates a number of security profiles that individual departments can use in their own environments. To understand the settings associated with these profiles, and to evaluate them for local use, the best approach is to review the settings themselves. Below are the steps needed to examine the settings of a URL Filtering profile.
PLEASE NOTE: The misuse of URL Filtering profiles may have privacy implications. If anyone is considering creating a custom URL Filtering profile that blocks or alerts on any of the categories other than command-and-control, malware, phishing, threat-malicious_URLs, and ucbsec-URLs they should speak with ISO and the privacy office prior to implementation.
- Log into https://panorama.net.berkeley.edu using single sign-on
- From the tabs at the top of the window choose "Objects"
- Under "Security Profiles" in the left pane choose "URL Filtering"
- From the list of "URL Filtering" profiles in the main window, select the one that you are interested in examining. For this example we will look at ucbsec-campus_standard (this has been replaced by the ucbsec-url_filter profile). When the profile is opened, the first thing you will notice is the list of URL categories, along with the firewall's behavior if a system attempts to access a site in that category or attempts to submit valid user credentials to a site in that category. Valid credentials are detected via a connection between the Palo Alto firewalls and Active Directory; this detection is not enabled at this time, but this document still covers it in case it is enabled in the future.
(NOTE: For this image, the categories were sorted so that all of the blocked categories are gathered at the end of the list.)
- Looking at this list, there are 5 categories being blocked for access: command-and-control (used to manage bot networks), malware, phishing, ransomware, and ucbsec-URLs_threats. The first four are provided by Palo Alto Networks as part of our subscription services. The final category, ucbsec-URLs_threats, is managed by ISO and is the place where we can add sites that we find targeting our users directly, since those sites may or may not appear in any of the other lists.
- While the option to block or allow a category is obvious, there are six total options that can be configured:
  - Alert - Generates an alert (a log entry) but still allows the traffic to pass
  - Allow - Lets the traffic through and does not log anything
  - Block - As the name implies, blocks the traffic
  - Continue - Generates a page telling the user that there is a potential problem with the site, but allows them to continue on to the page if they want to
  - Override - Like the Continue option this generates a page and allows the user to continue to the page, but only after supplying a password. The design of this feature is not very flexible because a single password is used for the entire firewall. As such it is not an option that we anticipate using on the campus at this time.
  - None - This option is only available for custom URL categories such as threat-malicious_URLs and ucbsec-URLs. It allows someone to ignore that category in the URL Filtering profile while still using it in security policies instead. This is something we do not expect to use on the campus network.
- From the Overrides tab it is possible to see any URLs that are allowed or blocked regardless of their classification. In this example, the URLs imap.google.com, www.gmail.com, smtp.gmail.com and gmail.com are all in the "Allow List." As a result, if any of them were ever inadvertently marked as belonging to one of the blocked categories, users would still be able to access them. Similarly, there is a "Block List" window that can be used to block/alert/etc. any URL regardless of its classification.
- The "URL Filtering Settings" cover both logging and Safe Search. The logging-related settings determine what information is logged about each URL request; they are configured to capture the least amount of information we feel is necessary to track down the cause in the event of a problem. The "Safe Search Enforcement" option blocks search queries unless the strictest "Safe Search" settings are in use. Safe Search settings are intended to weed out possibly offensive material such as adult images.
- The settings under the "User Credential Detection" tab attempt to determine if a user is, or may be, submitting their credentials to a site. This check is looking for phishing and possibly credential reuse. There are three possible ways it can do this:
  - IP User - Checks whether the submitted username matches that of the user mapped to the IP address of that computer
  - Group Mapping - Checks whether the submitted username is a valid username for anyone it knows about
  - Domain Credential - Checks whether the submitted username AND password are the same as those of the person mapped to that IP address
Of these three, the one we are interested in deploying is the Domain Credential option; however, there are a number of issues that will have to be addressed before we can proceed.
- To exit out of this, click the "Cancel" button to return to the list of URL Filter profiles.
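To make the interaction between the category table and the Overrides tab concrete, here is a small Python model of the profile described above. This is an added example, not code from the KB article or from Palo Alto Networks: the profile contents mirror the article (five blocked categories, the four Gmail hosts on the Allow List), while the "web-based-email" category, the wildcard Block List entry, the "alert" default for categories the profile does not list, the host-matching rule for list entries, and the order in which the two lists are checked are all assumptions of this model.

```python
"""Toy model of a PAN-OS URL Filtering profile (added example, not the KB's or
Palo Alto's code). It shows how an Allow List entry keeps a host reachable even
when its category is blocked, and how each of the six actions differs in
whether traffic passes and whether a log entry is written.

Assumptions not taken from the article: list entries match the exact hostname,
or every subdomain when written as "*.example.com"; the Allow List is checked
before the Block List; unlisted categories fall back to a configurable default.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The six per-category actions the article lists.
ACTIONS = {"alert", "allow", "block", "continue", "override", "none"}
# Actions that let the session through (Continue/Override after a response page).
PERMITS_TRAFFIC = {"alert", "allow", "continue", "override"}
# Actions that write a URL Filtering log entry ("allow" logs nothing).
GENERATES_LOG = {"alert", "block", "continue", "override"}


@dataclass
class URLFilteringProfile:
    name: str
    category_actions: Dict[str, str]                 # category -> action
    allow_list: List[str] = field(default_factory=list)
    block_list: List[str] = field(default_factory=list)
    block_list_action: str = "block"                 # Block List can block/alert/etc.
    default_action: str = "alert"                    # assumed fallback for unlisted categories

    def __post_init__(self) -> None:
        for cat, action in self.category_actions.items():
            if action not in ACTIONS:
                raise ValueError(f"{cat}: unknown action {action!r}")
        if self.block_list_action not in ACTIONS - {"none"}:
            raise ValueError(f"unknown block list action {self.block_list_action!r}")

    def blocked_categories(self) -> List[str]:
        """Categories whose action is 'block', as one would sort them in the GUI."""
        return sorted(c for c, a in self.category_actions.items() if a == "block")


def _host_matches(entry: str, host: str) -> bool:
    """Exact match, or a '*.example.com' entry matching any subdomain (assumed rule)."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])   # ".example.com" suffix
    return host == entry


def evaluate(profile: URLFilteringProfile, host: str, category: str) -> Tuple[str, str]:
    """Return (action, reason) for a request to `host` whose PAN-DB/custom category is `category`.

    Overrides are consulted before the category table, which is what lets an
    Allow List host stay reachable if it is ever misclassified into a blocked category.
    """
    if any(_host_matches(e, host) for e in profile.allow_list):
        return "allow", "allow-list override"
    if any(_host_matches(e, host) for e in profile.block_list):
        return profile.block_list_action, "block-list override"
    action = profile.category_actions.get(category, profile.default_action)
    if action == "none":
        return "none", f"category {category} not evaluated by this profile (left to policy)"
    return action, f"category action for {category}"


def permits(action: str) -> bool:
    return action in PERMITS_TRAFFIC


def logged(action: str) -> bool:
    return action in GENERATES_LOG


# Constructed profile mirroring the article's description of ucbsec-campus_standard.
CAMPUS_PROFILE = URLFilteringProfile(
    name="ucbsec-campus_standard-demo",
    category_actions={
        "command-and-control": "block",
        "malware": "block",
        "phishing": "block",
        "ransomware": "block",
        "ucbsec-URLs_threats": "block",
        "web-based-email": "alert",           # constructed: an ordinary, alerted category
        "threat-malicious_URLs": "none",      # custom category handled in security policy
    },
    allow_list=["imap.google.com", "www.gmail.com", "smtp.gmail.com", "gmail.com"],
    block_list=["*.constructed-block.test"],  # constructed wildcard entry
    block_list_action="continue",
)

if __name__ == "__main__":
    # Constructed (host, category) pairs; the category would normally come from PAN-DB.
    samples = [
        ("www.gmail.com", "phishing"),               # misclassified, rescued by Allow List
        ("c2.constructed.test", "command-and-control"),
        ("mail.constructed-block.test", "web-based-email"),
        ("constructed-block.test", "web-based-email"),
        ("x.constructed.test", "threat-malicious_URLs"),
    ]
    for host, cat in samples:
        action, why = evaluate(CAMPUS_PROFILE, host, cat)
        print(f"{host:30} {cat:22} -> {action:9} permitted={permits(action)!s:5} "
              f"logged={logged(action)!s:5} ({why})")
```

Running the script prints one line per sample request; the first line shows that www.gmail.com is allowed even though the constructed classification put it in the blocked phishing category, and the Block List line shows that the Block List can carry an action other than block, as the article notes.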
More information about URL Filter profiles can be found at:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-url-filtering
Source: https://berkeley.service-now.com/kb_view.do?sysparm_article=KB0012862