Skip to main content
Versa Networks

Configure Custom URL-Filtering Profiles

  1. Last updated
  2. Save as PDF

Versa-logo-release-icon.pngFor supported software information, click here.

URL-filtering profiles enforce actions on HTTP flows based on URL category and URL reputation. You can use predefined URL-filtering profiles, and you can create custom profiles that you can use when configuring internet protection rules. You can use custom URL-filtering profiles for devices that are connected to a Secure Web Gateway (SWG) and want to send traffic to the internet. You can use a single URL-filtering profile with one or more internet protection rules. URL filtering processes any traffic that matches an internet protection rule in a URL-filtering profile. Any logs that are generated are sent to the logging profile associated with the URL-filtering profile.

This article describes how to configure custom URL-filtering profiles and how to view URL categories.

Configure Custom URL-Filtering Profiles

In URL-filtering profiles, you can create allow lists and deny lists of URLs.

The URL-filtering profile processes enforceable actions for a session in the following order:

  • Deny-listed URLs—Specify either fixed strings or regular expression (regex) patterns to match deny-listed URLs. Specify the deny list action to take for all matching HTTP flows. If you do not configure a deny list action, the default action is taken, which is to drop the session.
  • Allow-listed URLs—Specify either fixed strings or perl-compatible regular expression (PCRE) patterns to match allow-listed URLs. URLs that match the allow list configuration are allowed, and no security actions are taken. Optionally, you can enable logging to create a log of allow-listed URLs.
  • Category action map—Create a set of rules that specify the URL-filtering action to take for each URL category that is associated with a URL. In each rule, you can specify one or more predefined or custom URL categories. The action can be a packet or session action, or a predefined or custom captive portal action. VOS devices evaluate URL category and URL reputation action rules simultaneously, and they enforce the more severe action. For example, if the category rule action is to block and the reputation rule is to allow, the block action is taken.
  • Reputation action map—Create a set of rules that specify the URL-filtering action to take for each URL reputation that is associated with the URL. In each rule, you can specify one or more URL reputation values. The action can be a packet or session action, or a predefined or custom captive portal action. Note that while using URL reputations in an access policy or for profile evaluation, VOS uses the higher risk score between the predefined and user-defined reputation results. If predefined categorization is unavailable, VOS uses user-defined reputation (if configured) for a URL. If both are unavailable, VOS assigns the default reputation 'suspicious' to the URL.

If this evaluation does not determine an action, the default action configured for the URL-filtering profile is taken.

Release 12.2.1 supports two new built-in URL filtering profiles, GenAI_Firewall and Versa_Reputation_Analysis. A built-in profile is predefined in Concerto. You can use it without modification, or you can clone and modify it. To use a built-in profile, SASE needs to be enabled on the tenant and the tenant needs to have VSIA solution tier.

The GenAI_Firewall profile is automatically generated when you publish a tenant, but is disabled. If you enable the GenAI_Firewall rule, you can treat it as you would any user-defined URL category; you can modify, reorder, move, and delete the rule. If you delete the GenAI_Firewall rule and then republish the tenant, the rule is created again. 

Note: If you want to delete the GenAI_Firewall rule, first delete it from the internet protection rules list. See Configure SASE Internet Protection Rules.

The GenAI_Firewall profile does not specify any match criteria. If you do not add match criteria, all traffic will hit the first rule and be sanctioned, and will never hit any subsequent rules.

The Versa_Reputation_Analysis profile is a predefined URL filtering profile that matches the following reputations:

  • Versa_Sanctioned
  • Versa_Moderate
  • Versa_Unsanctioned

To configure new custom URL-filtering profiles:

  1. Go to Configure > Real-Time Protection > Profiles:

    Profile-left-nav-v2-border.png

    The following screen displays:

    Note: In Release 12.2.2, the Secure Web Gateway (SWG) tab was renamed Filtering Profiles.

    url-filtering-v3-border.png
     
  2. To customize which columns display, click Select Columns and then click the columns to select or deselect the ones you want to display. Click Reset to return to the default columns settings.

    select-columns-url.png
  3. Click the add-icon-blue-on-white-22.png Add icon to create a rule. The Create URL Filtering screen displays with Deny and Allow List selected by default. By default, all fields are configured. You can customize the actions and URLs to enforce by entering the following information in the Deny and Allow List section. Enter information for the following fields.

    create-URL-filtering-v2-full.png
     
    Field Description
    Deny List (Group of Fields)  
    • Action

    Select the action to apply to the URL filter:

    • Alert—Allow the URL and generate an entry in the URL-filtering log.
    • Allow—Allow the URL without generating an entry in the URL-filtering log.
    • Ask—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation by clicking OK (for HTTP and HTTPS).
    • Block—Block the URL and generate an entry in the URL-filtering log. No response page is display, and the user cannot continue with the website.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of no response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of no response from the server or because a firewall blocked access to the website.
    • Justify—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation after entering a justification message and clicking OK (for HTTP and HTTPS).
    • Reject—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of no response from the server or because a firewall blocked access to the website.

    Note that all actions except Allow generate an entry in the URL-filtering log.

    Click add-icon-blue-on-white-22.png Add New to create a new security action. For more information, see the Configure Custom Security Actions section in Configure SASE User-Defined Objects.
    • Patterns
    		 Add specific URL patterns to block. You can specify a fixed string or a perl-compatible regular expression (PCRE). Click theadd-icon-blue-on-white-22.png Add icon to add more patterns. See Configure SASE User-Defined Objects for more information.
    • Strings
    		 Enter the complete URL string of a URL to block.
    Allow List (Group of Fields)  
    • Patterns
    		 Enter specific URL patterns to allow. You can specify a fixed string or a PCRE. Click the add-icon-blue-on-white-22.png Add icon to add more patterns.
    • Strings
    		 Enter the complete URL string of a URL to allow.
    • Enable Logging
    		 Click to send the log information about the listed URLs to Versa Analytics.

     
  4. Click Next to go to the Category and Reputations List screen and enter information for the following fields. You can specify a category or a reputation, or both.
     
    create-url-filtering-profile-categories-reputations.png
     
    Field Description
    Select Category List (Group of Fields) Specify what action to enforce for the selected URL categories. Click the add-icon-blue-on-white-22.png Add icon to specify multiple categories and actions.
    • Action

    Select the action to enforce on a specific URL category match:

    • Alert—Allow the URL and generate an entry in the URL-filtering log.
    • Allow—Allow the URL without generating an entry in the URL-filtering log.
    • Ask—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation by clicking OK (for HTTP and HTTPS).
    • Block—Block the URL and generate an entry in the URL-filtering log. No response page is display, and the user cannot continue with the website.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of no response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of no response from the server or because a firewall blocked access to the website.
    • Justify—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation after entering a justification message and clicking OK (for HTTP and HTTPS).
    • Reject—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of no response from the server or because a firewall blocked access to the website.

    Note that all actions except Allow generate an entry in the URL-filtering log.
    • URL Category

    Select one or more predefined or user-defined URL categories on which to take the specified action.

    Click the add-icon-blue-on-white-22.png Add New icon to add more URL categories. See the Configure Custom URL Categories section in Configure SASE User-Defined Objects for more information.
    Select Reputation List (Group of Fields) Specify what action to enforce for the selected reputations. Click the add-icon-blue-on-white-22.png Add icon to specify multiple reputations and actions.
    • Action

    Select the action to enforce on a specific URL category match:

    • Alert—Allow the URL and generate an entry in the URL-filtering log.
    • Allow—Allow the URL without generating an entry in the URL-filtering log.
    • Ask—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation by clicking OK (for HTTP and HTTPS).
    • Block—Block the URL and generate an entry in the URL filtering log. No response page is display, and the user cannot continue with the website.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of no response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of no response from the server or because a firewall blocked access to the website.
    • Justify—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation after entering a justification message and clicking OK (for HTTP and HTTPS).
    • Reject—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of no response from the server or because a firewall blocked access to the website.
    • Note that all actions except Allow generate an entry in the URL-filtering log.
    • Reputation

    Select the reputation on which to take the specified action. The options are:

    • Trustworthy
    • Low_risk
    • Moderate_risk
    • Suspicious
    • High_risk

    Click the add-icon-blue-on-white-22.png Add icon to add more reputations.
      The list of predefined URL categories is as follows:
     
    abortion abused_drugs adult_and_pornography alcohol_and_tobacco auctions
    bot_nets business_and_economy cdns cheating computer_and_internet_info

    computer_and_internet_

    security

    		 confirmed_spam_sources cult_and_occult dating dead_sites
    dns_over_https dynamic_comment educational_institutions entertainment_and_arts fashion_and_beauty
    financial_services food_and-dining gambling games generative_ai
    government gross hacking hate_and_racism health_and_medicine
    home_and_garden hunting_and_fishing illegal image_and_video_search internet_communications
    internet_portals invalid job_search keyloggers_and_monitoring kids
    legal local_information low_thc_cannabis_products malware_sites marijuana
    military motor_vehicles music news_and_media nudity
    online_greeting_cards open_http_proxies parked_domains pay_to_surf peer_to_peer
    personal_sites_and_blogs personal_storage

    philosophy_and_political_

    advocacy

    		 phishing_and_other_frauds private_ip_addresses
    proxy_avoid_and_anonymizers questionable real_estate recreation_and_hobbies reference_and_research
    religion search_engines self_harm sex_education shareware_and_freeware
    shopping social_network society spam_urls sports
    spyware_and_adware stock_advice_and_tools streaming_media

    swimsuits_and_intimate_

    apparel

    		 training_and_tools
    translation travel uncategorized unconfirmed_spam_sources violence
    weapons web_advertisements web_based_email web_hosting_sites  
  5. Click Next to go to the Actions screen, and then enter information for the following fields. If you do not specify an action in the category and reputation lists, the default action is taken.

    To create a new security action, click add-icon-blue-on-white-22.png Add New. For information, see Configure SASE User-Defined Objects.

    URL-filtering-default-actions-v2-border.png
     
    Field Description
    Action

    Select the action to enforce on a specific URL category match:

    • Alert—Allow the URL and generate an entry in the URL-filtering log.
    • Allow—Allow the URL without generating an entry in the URL-filtering log.
    • Ask—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation by clicking OK (for HTTP and HTTPS).
    • Block—Block the URL and generate an entry in the URL filtering log. No response page is display, and the user cannot continue with the website.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of no response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of no response from the server or because a firewall blocked access to the website.
    • Justify—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation after entering a justification message and clicking OK (for HTTP and HTTPS).
    • Reject—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of no response from the server or because a firewall blocked access to the website.

    Note that all actions except Allow generate an entry in the URL-filtering log.

    Click add-icon-blue-on-white-22.png Add New to specify additional actions. See Configure SASE User-Defined Objects for more information about configuring security options.
    Decrypt Bypass

    Click to enable decrypt bypass, which disables decryption of SSL traffic that matches the predefined captive portal actions for this URL filtering profile after captive portal redirection. The decryption policy decrypts SSL sessions to display only the captive portal response. After the captive portal action is performed, SSL decryption is bypassed, and users can directly access the URL. To disable decryption for traffic matching a custom action, select a custom action (Default action) and select Decrypt-Bypass.

    If you do not select the Decrypt Bypass option, SSL decryption is enabled and URL filtering uses the host and URI of the actual URL for categorization. This action further decrypts captive portal redirection from actions such as Ask and Justify.
    Cloud Lookup State Click to enable cloud lookup. If the cloud lookup state is not enabled for this profile, it is inherited from the tenant VOS device.
    (Releases 11.4.1 and earlier) Enable Logging Click to send log information to Versa Analytics.
  6. Click Next to go to the Review and Submit screen.

    URL-filtering-review-and-submit-v3-full-border.png
     
  7. In the General section, enter a name for the URL-filtering profile and, optionally, a description and tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can specify multiple tags added for the same object. The tags are used for searching the objects.
  8. For all other sections, review the information. If you need to make changes, click the pencil-icon-blue-on-white-22.png Edit icon.
  9. Click Save.

Lookup and Display URL Categories and Reputations

For Releases 12.1.1 and later.

You can look up and display the category and reputation for a URL in the database of URLs.

To display information about a URL:

  1. Go to Configure > Real-Time Protection > Profiles > Filtering Profiles > URL Filtering.

    Note: In Release 12.2.2, the Secure Web Gateway (SWG) tab was renamed Filtering Profiles.
     
  2. Click look-up-icon.png Lookup URL Category.

    URL-Filtering-Lookup-URL-Category-v2-border.png
  3. In the Look Up URL Category popup window, enter information for the following fields.

    Lookup-URL-category-border.png
     
    Field Description
    Gateway Name Select the gateway to use to look up the URL category.
    URL Enter the URL for which you want to look up the URL category. For example, www.google.com.
  4. Click Lookup. The Look Up URL Category popup window displays the following information about the URL:
    • URL
    • Reputation
    • Category

      URL-Lookup-Category-results-v3-border.png
       
  5. Click Close.

Note: You can also display URL categories from the Configure > Security Service Edge > Settings > URL and IP Reputation Lookup screen. See Configure URL and IP Reputation Lookup for more information.

Supported Software Information

Releases 11.1.1 and later support all content described in this article, except:

  • Release 12.1.1 adds support for looking up the category of a predefined URL. Fields in Create URL Filtering Profile screen display on a single screen and not sections.
  • Release 12.2.1 supports two new built-in internet protection profiles, GenAI_Firewall and Versa_Reputation_Analysis; supports a revised UI design for the URL Lookup and IP Reputation tool.
  • In Release 12.2.2, the Secure Web Gateway (SWG) tab was renamed Filtering Profiles.