Altaware, Inc.

Enterprise Networking & Security Solutions

Stacks Image 2155


Palo Alto Networks

URL Filtering


Palo Alto Networks includes and optional feature license to enable URL filtering. Unlike other competitive offerings that are user based, this is licensed on a per chassis chassis which offers amazing price savings and fully protects all users. URL filtering is based upon both a locally cached large database (1 million URLs in cache and 20 million on-box) for performance and hosted / cloud based support using Brightcloud for full URL filtering protecting of over 180 million URLs.

Select Palo Alto Networks URL filtering from us as a viable and cost effect alternative to Websense Enterprise or Websense Express. URL filtering from us is licensed by the chassis (unlimited users) and not per seat making it a more affordable alternative. URL filtering works in conjunction with User-ID for user based and/or group policy setting.

Stand-alone URL filtering solutions are insufficient control mechanisms because they are easily bypassed with external proxies (PHproxy, CGIproxy), circumventors (TOR, UltraSurf, Hamachi) and remote desktop access tools (Yoics!, RDP, SSH).

Capabilities include:
  • Blocked sites.
  • Allowed sites.
  • Blocking of proxy sites.
  • Ability to block: porn, nudity, gambling, weapons, anonymizers.
  • Numerous categories (76).
  • Only allow appropriate sites.
  • Time based schedules.
  • Ability to allow coached access including optional user override with a continue button or via a password control.
  • User and/or group based policies via Active Directory, eDirectory or LDAP.
  • Facilitate SSL decryption policies such as “don’t decrypt traffic to financial services sites” but “decrypt traffic to blog sites”.
  • Customizable URL database and categories.
  • On box reporting without separate servers and databases to maintain!

URL Activity Reporting and Logging


A set of pre-defined or fully customized URL filtering reports provides IT departments with visibility into URL filtering and related web activity including:

User activity reports

An individual user activity report shows applications used, URL categories visited, web sites visited, and a detailed report of all URLs visited over a specified period of time.

URL activity reports

A variety of top 50 reports that display URL categories visited, URL users, web sites visited, blocked categories, blocked users, blocked sites and more.

Real-time logging

Logs can be filtered through an easy-to- use query tool that uses log fields and regular expressions to analyze traffic, threat or configuration incidents. Log filters can be saved and exported and for more in-depth analysis and archival, logs can also be sent to a syslog server.
PAN URL - FAQs
  1. How does Palo Alto Networks compare to Websense? (Palo Alto Networks versus Websense) [+]
    Lets start with the basics, both do URL filtering. Both support using categories to allow or disallow access (e.g. nudity, gambling, etc.) Palo Alto Networks (PAN) is complemented with a cloud service for dealing with less common URLs beyond the millions maintained on the chassis.
    - You pay a single recurring license for the chassis, no per user fees (translation: you save money now and later)
    - You don't need a separate reporting system for the database
    - No OS backups, database backups to worry about
    - No Windows or other OS patches to deal with
    - Web 2.0 is more about applications than URLs, you get a single pass high-speed solution that adds next generation application awareness
    - HA for High Availability, sure, of course
    - You can support remote user policy control with PAN Global Protect
    - PAN includes decryption to further deal with evasion
    - PAN includes data filtering capabilities
    - User tracking, of course
    - Log support on device and off with syslog
    - Deployment options include span/mirror port, inline virtual wire, layer 2 and layer 3. You can even mix and match and with lots of ports.
  2. How about CIPA concerns? [+]
    Yes, covered. Find out more.
  3. What are my policy options? [+]
    Allow - Allow without logging
    Alert - Allow and log
    Continue (coached access) - Notify the user that perhaps this site might be inappropriate and allow them to continue and log that
    Override - Password override option.

    Policies can be defined by user, group membership, IP address, schedules (time of day), applications, ports. It allows site whitelisting and blacklisting.
    You can even define QoS (Quality of Service) restrictions.
Palo Alto Networks is all about performance using a single pass design to only inspect the traffic once for firewall policy, threats / malware, application identification, data content matching and URL filtering. This avoids additional latency imposed by other solutions including competitive UTM offerings.