How do I configure the URL Filtering policy?


You can add a new URL Filtering rule from scratch or copy an existing rule and change its settings. To learn more about the recommended policy, see the recommended URL Filtering policy.

By default, the Cloud App Control policy takes precedence over the URL filtering policy. The service applies the Cloud App Control policy to a web transaction before applying the URL Filtering policy. To change this setting and have the service apply the URL Filtering policy before the Cloud App Control policy, go to Advanced Settings and enable Allow Cascading to URL Filtering.

To add a URL Filtering policy rule:

  1. Go to Policy > URL & Cloud App Control.
  2. Click Add URL Filtering Rule. You can also copy an existing rule by clicking the Duplicate icon. The Add URL Filtering Rule window appears.
  3. In the Add URL Filtering Rule window, enter the URL Filtering Rule attributes:
    • Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
    • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule's Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Rule Name: Enter a unique name for the URL Filtering rule or use the default name.
    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule's place in the order. You can change the value, but if you've enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
  4. Define the Criteria. You can either choose from the list or add an item.
    • URL Categories: Select Any to apply the rule to all URL categories, or select any number of URL super-categories and/or categories. You can also search for categories or click the Add icon to add a new custom category.
    • HTTP Requests: Select All to apply the rule to all HTTP requests, or select Post to apply the rule only to HTTP POST requests (for example, only if users try to post on social media sites or send emails through webmail).
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the Policy for Unauthenticated Traffic, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the Policy for Unauthenticated Traffic, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.

    Any rule that applies to unauthenticated traffic must apply to all Groups and Departments. So, if you have chosen to apply this rule to unauthenticated traffic for either Users or Departments, select Any from the drop-down menus for Groups and Departments.

    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. Select the Action for the rule. The available actions and their options are described below.
  6. Click Save to exit the dialog and activate the change.

For information on the order in which the service enforces all policies, including this policy, see How does the Zscaler service enforce policies?

  • Allow: Select this to allow access to all sites in the selected URL categories.
    • Daily Bandwidth Quota: (Optional) The bandwidth quota includes data uploaded to and downloaded from the URL category. To enforce the quota on specific users, groups, or departments, Zscaler recommends using Surrogate IP to identify them. See What is Surrogate IP?

      In addition, if you have different policies for different groups, Zscaler suggests that you create a catch-all "any" user policy with a higher limit. This catch-all policy should only apply to unidentified users (do not use "any" user to define "all remaining groups/departments"). This is helpful if you encounter a scenario where there are a high number of unidentified users as the users will have a higher combined limit, facilitating continuity of service.

      If a user comes from a known location, the quota is reset at midnight based on the location time zone; for remote users, the quota is reset based on the organization's time zone. The minimum value you can enter is 10 MB and the maximum value is 100,000 MB.

    • Daily Time Quota: (Optional) The time quota is based on the amount of time elapsed in a session while uploading and downloading data. The session idle times are ignored. The minimum value you can enter is 15 minutes and the maximum value is 600 minutes.
  • Caution: Select to display an End User Notification (EUN) that cautions users before allowing them access to the site. When you select this value, the service can either display the default EUN or redirect users to an EUN hosted on the site you specify in the Redirect URL field.
    • Daily Bandwidth Quota and Daily Time Quota: (Optional) These work exactly as described for the Allow action above: the bandwidth quota covers data uploaded to and downloaded from the URL category (10 MB to 100,000 MB, reset at midnight in the location's time zone for known locations or the organization's time zone for remote users), and the time quota counts elapsed session time while uploading and downloading, ignoring idle time (15 to 600 minutes). The guidance on Surrogate IP and a catch-all "any" user policy applies here too.
    • Redirect URL: (Optional) Leave the field blank to display the service's default notification. If you want to redirect users to a site that hosts a custom notification, enter the site URL. The URL must include the scheme (for example, https://redirect.company.com/redirectpage.cgi) and can be HTTP or HTTPS. During the redirection, all query parameters are sent to the external site to enable notification customization.
  • Block: Select to block access to all sites in the selected URL categories.
    • Allow Override appears when you select Block. Enable this option to allow specific users or groups to access the blocked site. The EUN will contain a link that the users can click to access the blocked page.
      • Override Users: Select Any to allow the override to all users, or select up to 4 users. You can search for users or click the Add icon to add a new user. You cannot select users if you want to select override groups.
      • Override Groups: Select Any to allow the override to all groups, or you can select up to 8 groups. You can search for groups or click the Add icon to add a new group. You cannot select groups if you want to select override users.
    • If you choose not to allow an override, the service blocks access and displays a notification. The service can either display the default EUN or redirect users to an EUN hosted on the site you specify in the Redirect URL field.
      • Redirect URL: (Optional) Leave the field blank to display the service's default notification. If you want to redirect users to a site that hosts a custom notification, enter the site URL. The URL must include the scheme (for example, https://redirect.company.com/redirectpage.cgi) and can be HTTP or HTTPS. During the redirection, all query parameters are sent to the external site to enable notification customization.
  • Description: (Optional) Enter additional notes or information. The description cannot exceed 10,240 characters.
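The rule constraints and first-match evaluation described above, modelled as an added Python example (not Zscaler's code or API; the Rule class, the ANY sentinel and all field names are assumptions of this model): validate_rule checks one rule against the stated limits, validate_order checks that Rule Order never places a lower Admin Rank ahead of a higher one, and evaluate walks the rules in ascending order, skipping disabled rules.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

ANY = frozenset({"Any"})           # the "Any"/"All"/"Always" selection for a criterion

@dataclass
class Rule:   # constructed model of the attributes described above, not Zscaler's API
    name: str
    order: int                     # Rule Order; rules are evaluated in ascending order
    admin_rank: int                # 1-7, where 1 is the highest rank
    action: str                    # "Allow", "Caution" or "Block"
    enabled: bool = True
    categories: frozenset = ANY
    users: frozenset = ANY
    groups: frozenset = ANY
    departments: frozenset = ANY
    http_requests: str = "All"     # "All" or "Post"
    bandwidth_quota_mb: int = 0    # 0 means no Daily Bandwidth Quota set
    redirect_url: str = ""

def validate_rule(r):
    errs = []                      # violations of the per-rule limits stated on the page
    if not 1 <= r.admin_rank <= 7:
        errs.append("Admin Rank must be 1-7")
    unauth = "Special Users" in r.users or "Special Departments" in r.departments
    if unauth and (r.groups != ANY or r.departments - ANY - {"Special Departments"}):
        errs.append("unauthenticated-traffic rule must use Any for Groups and Departments")
    if r.bandwidth_quota_mb and not 10 <= r.bandwidth_quota_mb <= 100_000:
        errs.append("Daily Bandwidth Quota must be 10-100,000 MB")
    if r.redirect_url and urlparse(r.redirect_url).scheme not in ("http", "https"):
        errs.append("Redirect URL must include an http:// or https:// scheme")
    return errs

def validate_order(rules):
    # A lower Admin Rank (larger number) may never precede a higher one in Rule Order.
    rs = sorted(rules, key=lambda r: r.order)
    return [f"{b.name} (rank {b.admin_rank}) cannot follow {a.name} (rank {a.admin_rank})"
            for a, b in zip(rs, rs[1:]) if b.admin_rank < a.admin_rank]

def evaluate(rules, category, user, groups, department, method="GET"):
    # First enabled rule (ascending Rule Order) whose criteria all match decides.
    for r in sorted(rules, key=lambda r: r.order):
        if not r.enabled: continue   # a disabled rule keeps its place but is skipped
        if r.categories != ANY and category not in r.categories: continue
        if r.http_requests == "Post" and method != "POST": continue
        if r.users != ANY and user not in r.users: continue
        if r.groups != ANY and not (set(groups) & r.groups): continue
        if r.departments != ANY and department not in r.departments: continue
        return r.name, r.action
    return None                      # no URL Filtering rule matched
```

Cloud App Control is not modelled here; remember that by default it is applied before these rules unless Allow Cascading to URL Filtering is enabled.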