Palo Alto Networks® firewalls identify and control applications, regardless of port, protocol, encryption (SSL or SSH) or evasive characteristics.
Deep Discovery Director (Internal Network Analytics Version) generates IPv4, domain, and URL suspicious objects that can be downloaded to the URL category of Palo Alto Firewall or Palo Alto Panorama™ as match criteria to allow for exception-based behavior.
Use URL categories in policies as follows:
-
Identify and allow exceptions to general security policies for users who belong to multiple groups within Active Directory
Example: Deny access to malware and hacking sites for all users, while allowing access to users that belong to the security group.
-
Allow access to streaming media category, but apply quality of service policies to control bandwidth consumption
-
Prevent file download and upload for URL categories that represent higher risks
Example: Allow access to unknown sites, but prevent upload and download of executable files from unknown sites to limit malware propagation.
-
Apply SSL decryption policies that allow encrypted access to finance and shopping categories, but decrypt and inspect traffic to all other URL categories.