Palo Alto Networks Knowledgebase: Configure URL Admin Override

Configure URL Admin Override

Created On 02/07/19 23:51 PM - Last Updated 02/07/19 23:51 PM
URL Filtering

 For Credential Filter Detection

User Credential Submission = continue


In some cases, there may be URL categories that you want to warn users about credential detection instead of blocking outright. In these cases, you would want to present a splash page to warn the user but allow the user to continue forward. In this case, you would set the user credential submission action to continue. When users attempt to browse to the category, they will be presented with a splash page alerting them to their detected user credential, but allowed to continue if they choose. Use the following procedure to configure User Credential Submission where the action is continue:


Step 1:

Create a management profile to enable the interface to display the URL Filtering Continue and Override Page response page:

  1. Select Network > Interface Mgmt and click Add.
  2. Enter a Name for the profile, select Response Pages AND any additional services you require (ping), then click OK.Picture1.png


Create the Layer 3 interface OR use an already existing interface (i.e. the firewall's internal interface). Be sure to attach the management profile you just created (on the Advanced > Other Info tab of the Ethernet Interface dialog).

Picture2.pngThe above picture is my firewalls internal interface

Step 2:

(To avoid certificate errors use a certificate signed by a trusted CA in the organization). The certificate should be created following these parameters:

  1. The common name must be the DNS hostname of the internal interface/some other interface of the firewall, or it must be the internal interface ip address/some other interface ip address of the firewall. (It must match what you configure in Step 5 point 6).
  2. A SAN for the IP address for step a must also exist on the certificate.
  3. Import the certificate and private into the firewall.
    Picture3.pngmy firewall internal interface doesn’t have a corresponding DNS name so I have to use the ip address of the interface directly as the CN and the SAN

Step 3:

  1. Select Objects > security profiles> URL Filtering and either select an existing URL filtering profile or Add a new one.
  2. On the Categories tab, set the User Credential submission action to “continue” for each category that requires a warning splash page.
  3. Complete any remaining sections on the URL filtering profile then click OK to save the profile.Picture4.pngIn the above picture I have set the user credential submission action to “continue” for shareware-and-freeware sites

Step 4:

  1. Create a SSL/TLS Service Profile from Device -> Certificate Management -> SSL/TLS Service Profile
  2. Click Add.
  3. Give it a name.
  4. Select the certificate imported from Step 2.
  5. Use TLSv1.2 as minimum version for optimal security settings unless lower TLS is required.

Step 5:

  1. Select Device > Setup > Content ID.
  2. In the URL Admin Override section, click Add.
  3. In the Location field, select the virtual system to which this password applies.
  4. Enter the Password and Confirm Password. (This doesn't matter for credential filtering action set to continue but we have to provide it anyway)
  5. Select an SSL/TLS Service Profile. The profile specifies the certificate that the firewall presents to the user if the site with the continue action is an HTTPS site.
  6. Select the Mode for prompting the user for the password:
    • (do not use) Transparent (this mode is not valid for credential submission continue action. The reason is because we cannot generate a certificate that is valid for all public internet sites) —The firewall intercepts the browser traffic destined for site in a URL category you have set to override and impersonates the original destination URL, issuing an HTTP 401 to prompt for the password. Note that the client browser will display certificate errors if it does not trust the certificate.
    • (use this one) Redirect (We need to forcefully redirect our users to an ip address/hostname on the firewall to service out the response page because of step 1) —The firewall intercepts HTTP or HTTPS traffic to a URL category set to continue and redirects the request to a Layer 3 interface on the firewall using an HTTP 302 redirect in order to prompt the user to click continue. If you select this option, you must provide the Address (IP address or DNS hostname) to which to redirect the traffic.
  7. Click OK.



This article was contributed by Steven Austin @staustin


About the Author:

Steven currently works as an information security engineer at Palantir Technologies in NYC with his main focus being network security.  He has over 10 years of experience in the information security field working in mixed vendor environments from the commercial to government sectors.

PCNSE 8.0, CCIE #42978 (RS, Sec), GIAC GXPN, OSCP



  • Print
  • Copy Link

Choose Language