Through URL filtering, you can limit your exposure to liability by managing access to web content based on a site's reputation. The URL filtering policy consists of rules that you define. When you add a rule, you specify criteria, such as URL categories, users, groups, departments, locations, and time intervals. There is also a recommended policy for URL filtering.
By default, the Cloud App Control policy takes precedence over the URL Filtering policy: the service applies the Cloud App Control policy to a web transaction before applying the URL Filtering policy. To change this setting and have the service apply the URL Filtering policy even if it has already applied a Cloud App Control policy, go to Advanced Settings and enable Allow Cascading to URL Filtering.
To allow granular control of filtering, the service organizes URLs into a hierarchy of categories. There are six predefined classes, which are then each divided into predefined super-categories, and then further into predefined categories. The six predefined classes are:
You can limit access at the super-category level or drill down further into categories, depending on the needs of your organization. In addition to the predefined categories, you can create custom categories. Custom categories can be based on URLs and keywords. With custom URLs, you can block specific websites, and with custom keywords, you can block websites based on any words that might appear in a URL. For example, imagine you want to block all websites with the term "gambling" appearing anywhere in the URL. If you create a category with the custom keyword "gambling" and use it in a policy set to block, websites such as www.gambling.com and www.gambling101.com will be blocked. You can also add custom URLs and keywords to a predefined URL category.
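The keyword behavior described above, as an added example (not Zscaler code): a preview script that checks a keyword against a sample of requested URLs before the category is used in a block rule, and separates hostname matches from matches that occur only in the path or query string. Case-insensitive substring matching, the function names, and the sample URLs are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of requested URLs (not real log data).
SAMPLE_URLS = [
    "www.gambling.com",
    "www.gambling101.com/signup",
    "https://news.example.org/2024/gambling-regulation-explained",
    "https://search.example.com/?q=problem+gambling+helpline",
    "https://www.example.net/sports/scores",
]


def keyword_hit(url, keyword):
    """Say where a keyword occurs in a URL: 'host', 'path-or-query' or 'no-match'.

    Assumption: matching is a case-insensitive substring test over the whole
    URL, modelled on "appearing anywhere in the URL". Percent-encoded text is
    compared as written, without decoding.
    """
    # Bare hostnames such as "www.gambling.com" need "//" to parse as a host.
    parts = urlsplit(url if "://" in url else "//" + url)
    kw = keyword.lower()
    if kw in (parts.hostname or "").lower():
        return "host"
    if kw in (parts.path + "?" + parts.query).lower():
        return "path-or-query"
    return "no-match"


def preview(urls, keyword):
    """Group URLs by where the keyword matched, for review before blocking."""
    report = {"host": [], "path-or-query": [], "no-match": []}
    for url in urls:
        report[keyword_hit(url, keyword)].append(url)
    return report


if __name__ == "__main__":
    for where, urls in preview(SAMPLE_URLS, "gambling").items():
        print(f"{where}: {len(urls)}")
        for url in urls:
            print(f"  {url}")
```

URLs in the path-or-query group are the ones to review first: the keyword appears in a page title or search term rather than in the site name, so a block rule would also cover news articles and searches that mention the word.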
To ensure that even the newest URLs in your chosen categories are effectively blocked, the service leverages an extensive database that is updated daily with feeds from various partners (for example, Google Safe Browsing). When any given URL is not already covered by the database, the Zscaler service uses its Dynamic Content Classification (DCC) engine to scan the page for any content that would place it in the predefined Legal Liability class. The URL is then classified and the original request for the page is handled according to your organization’s policy for URLs in that class. To use this feature, ensure that Dynamic Content Classification is enabled.
For information on the order in which the service enforces all policies, including this policy, see How does the Zscaler service enforce policies?
You can create rules that block or caution users and associate them with specific End User Notifications (EUNs). For example, suppose your organization has two networks, each with a web server that hosts a EUN. You can create two different rules that redirect users to the appropriate EUN.
The EUNs that you specify in the rules take precedence over the default EUN that you configure in the Administration > End User Notifications page. Therefore, when a user is blocked or warned due to a rule that is associated with a EUN, the service displays the EUN associated with the rule and not the default EUN.
When you configure a rule, you can specify one of the following actions:
Additionally, you can allow some users or groups to override the block with the Allow Override option. For example, you can block students from going to YouTube, but allow the teachers. Teachers will be prompted to enter their override password. This is their login password if your organization uses a one-time token or hosted database without SAML, or their system password if your organization uses AD/OpenLDAP or SAML for authentication. You can also send the override password through email. Permitted users will be allowed to access the blocked page only during their current browser session. They will be required to re-authenticate when they try to access it in another browser session.