6.9 Ensure that URL Filtering uses the action of 'block' or 'override' on the URL categories

Information

Ideally, deciding which URL categories to block, and which to allow, is a joint effort between IT and another entity of authority within an organization-such as the legal department or administration. For most organizations, blocking or requiring an override on the following categories represents a minimum baseline: adult, hacking, command-and-control, copyright-infringement, extremism, malware, phishing, proxy-avoidance-and-anonymizers, and parked. Some organizations may add 'unknown' and 'dynamic-dns' to this list, at the expense of some support calls on those topics.

Rationale:

Certain URL categories pose a technology-centric threat, such as command-and-control, copyright-infringement, extremism, malware, phishing, proxy-avoidance-and-anonymizers, and parked. Users visiting websites in these categories, many times unintentionally, are at greater risk of compromising the security of their system. Other categories, such as adult, may pose a legal liability and will be blocked for those reasons.

Impact:

Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss.

Solution

Navigate to Objects > Security Profiles > URL Filtering.
Set a URL filter so that all URL categories designated by the organization are listed.
Navigate to the Actions tab.

Set the action to Block.

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/benchmarks/17915

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(3), 800-53|SC-7(4), CSCv7|7.4, CSCv7|7.5

Plugin: Palo_Alto

Control ID: 3bcfabd086431440ca2586c2d3df0c69d27a25a1f5d43f181671ebd6bd1f939f