About URL Filtering

About URL Filtering

Through URL filtering, you can limit your exposure to liability by managing access to web content based on a site's reputation. The URL filtering policy consists of rules that you define. When you add a rule, you specify criteria, such as URL categories, users, groups, departments, locations, and time intervals. There is also a recommended policy for URL filtering.

By default, the Cloud App Control policy takes precedence over the URL filtering policy. The service will apply the Cloud App Control policy to a web transaction before applying the URL Filtering policy. To change this setting and have the service apply the URL Filtering policy even if it has already applied a Cloud App Control policy, go to Advanced Settings and enable Allow Cascading to URL Filtering.

To allow granular control of filtering, the service organizes URLs into a hierarchy of categories. There are six predefined classes, which are then each divided into predefined super-categories, and then further into predefined categories. The six predefined classes are:

  • Bandwidth Loss
  • Business Use
  • General Surfing
  • Legal Liability
  • Productivity Loss
  • Security Risk

You can limit access at the super-category level or drill down further into categories, depending on the needs of your organization. In addition to the predefined categories, you can create custom categories. Custom categories can be based on URLs and keywords. With custom URLs, you can block specific websites and with custom keywords, you can block websites based on any words that might appear in a URL. For example, imagine you want to block all websites with the term "gambling" appearing anywhere in the URL. If you create a category with the custom keyword "gambling" and use it in a policy set to block, websites such as www.gambling.com and www.gambling101.com will be blocked. You can also add custom URLs and keywords to a predefined URL category. 

To ensure that even the newest URLs in your chosen categories are effectively blocked, the service leverages an extensive database that is updated daily with feeds from various partners (for example, Google Safe Browsing). When any given URL is not already covered by the database, the Zscaler service uses its Dynamic Content Classification (DCC) engine to scan the page for any content that would place it in the predefined Legal Liability class. The URL is then classified and the original request for the page is handled according to your organization’s policy for URLs in that class. To use this feature, ensure that Dynamic Content Classification is enabled.

For information on the order in which the service enforces all policies, including this policy, see How does the Zscaler service enforce policies?

Associating Rules with EUNs

You can create rules that block or caution users and associate them with specific End User Notifications (EUNs). For example, your organization has two networks and they each have a web server that hosts a EUN. You can create two different rules that redirect users to the appropriate EUN.

The EUNs that you specify in the rules take precedence over the default EUN that you configure in the Administration > End User Notifications page. Therefore, when a user is blocked or warned due to a rule that is associated with a EUN, the service displays the EUN associated with the rule and not the default EUN.

When you configure a rule, you can specify one of the following actions:

  • Allow: The service allows access to the URLs in the selected categories. You can still restrict access by specifying a daily quota for bandwidth and time. For example, you can allow your users to access Entertainment and Recreation sites, but restrict the bandwidth allowed for these sites so they don't interfere with business-critical applications. The daily time quota is based on the time that the rule is created. For example, if the rule is created at 11 a.m. PST, then the quota is renewed at 11 a.m. PST the next day.
  • Caution: When a user tries to access a site, the service displays a Caution notification. You can use the system-defined notification, customize the text, or create your own notification and direct users to it. See image.
  • Block: The service displays a Block notification. You can use the system-defined notification, customize the text, or create your own notification and direct users to it. See image.

Additionally, you can allow some users or groups to override the block with the Allow Override option. For example, you can block students from going to YouTube, but allow the teachers. Teachers will be prompted to enter their override password. This is their login password if your organization uses a one-time token or hosted database without SAML or their system password if your organization uses AD/OpenLDAP or SAML for authentication. You can also send the override password through email. Permitted users will be allowed to access the blocked page only during their current browser session. They will be required to re-authenticate when they try to access it in another browser session.
See image. 

  1. Configure a URL Filtering policy rule. To learn more, see Configuring the URL Filtering Policy 
  2. Click Recommended Policy to view the policy Zscaler recommends. 
  3. View a list of all configured URL Filtering policy rules. 
  4. Edit or duplicate a URL Filtering policy rule. To learn more, see How do I edit, delete, or duplicate items in the admin portal?
  5. Modify the table and its columns. To learn more, see How do I use tables in the admin portal?
  6. Search for a URL Filtering Rule.
  7. Click the Cloud App Control Policy tab to configure Cloud App Control policies. To learn more, see About Cloud App Control
  8. Click the Advanced Policy Settings tab to configure advanced URL policy settings. To learn more, see Configuring Advanced URL Policy Settings

Screenshot of URL Filtering Policy page showing buttons and list used to manage URL rules 

 Screenshot of caution notification for Zscaler end users trying to access a site

Screenshot of block notification for Zscaler end users trying to access a blocked site

 Screenshot of caution notification highlighting override option for Zscaler end users