Introduction- Web category (web URL) filtering is the ability to classify web-based traffic, i.e. all browser-based HTTP and HTTPS URLs accessed by users on the network, and to enforce policies on it. This feature was introduced in Instant 4.1 and is supported on all IAPs. When a client requests any web traffic, the IAP performs a lookup in BrightCloud to get the web category and web reputation information for the session. Once the session is classified, the IAP allows or denies it based on the firewall policy.
Feature Notes-
- Wireless clients can now be restricted from accessing illegal or unauthorized websites without denying HTTP or HTTPS traffic.
- Selected web categories can be chosen to protect end users from the security and legal ramifications of visiting various websites.
Environment- This article applies to Instant AP deployments running 4.1 and above.
Network Topology-
Configuration Steps- Create a new SSID of your choice.
Select VLAN type as required.
Security can be configured as per requirement.
Select the Network-based option and choose Web Category.
From the list of web categories, choose the classification as required.
Once configured, add an "any deny" rule at the bottom to deny every other request.
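The rule ordering from the steps above, modeled as an added example (not Aruba code and not IAP CLI syntax). It assumes rules are checked top-down with the first match deciding and that traffic matching no rule is permitted; the hostnames and category names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

ANY = "*"  # wildcard used by the final catch-all rule

@dataclass(frozen=True)
class Rule:
    category: str  # web category name, or ANY
    action: str    # "permit" or "deny"

# Constructed table standing in for the BrightCloud classification result.
SAMPLE_CATEGORIES = {
    "news.example": "news-and-media",
    "bets.example": "gambling",
    "mail.example": "web-based-email",
}

def classify(host: str, lookup_ok: bool = True) -> Optional[str]:
    """Return the category for host, or None when no classification is available."""
    return SAMPLE_CATEGORIES.get(host) if lookup_ok else None

def evaluate(rules, category, default="permit"):
    """First matching rule decides; `default` (assumed) applies when none match."""
    for rule in rules:
        if rule.category == ANY or rule.category == category:
            return rule.action
    return default

def audit(rules):
    """Flag rule sets that pass unlisted categories or shadow later rules."""
    cats = [r.category for r in rules]
    if ANY not in cats:
        return ["no catch-all rule at the bottom"]
    if cats.index(ANY) != len(rules) - 1:
        return ["catch-all rule shadows the rules below it"]
    return []

# Role that permits two chosen categories and denies every other request.
ROLE_RULES = [
    Rule("news-and-media", "permit"),
    Rule("web-based-email", "permit"),
    Rule(ANY, "deny"),
]

if __name__ == "__main__":
    for host in SAMPLE_CATEGORIES:
        print(host, evaluate(ROLE_RULES, classify(host)))
```

In this model a session with no classification result matches only the catch-all rule, so a permitted site is denied when the lookup cannot complete.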
Verification- To verify the SSID configuration: "show running-config"
To verify the access rules: "show access-rule <rule name>"
To verify the client role after the client connects: "show clients"
To verify that the ACL is being hit: "show datapath acl <acl number>"
When a client tries to access an unauthorized website, the browser displays a notification that service to the requested web page is denied.
Troubleshooting-
- Ensure port 80 is allowed on the firewall, as the IAP looks up BrightCloud to classify web traffic.
- Make sure the client is in the right role using the "show clients" command.
- From the "show datapath acl <acl number>" output, verify that the ACL is being hit.