URL Category Exceptions

Advanced URL Filtering

URL Category Exceptions

Table of Contents
End-of-Life (EoL)

URL Category Exceptions

Guidelines for adding entries to a custom URL list or external dynamic list for use in a URL Filtering profile or policy.
Where can I use this?
What do I need?
  • Prisma Access
  • PAN-OS
  • Advanced URL Filtering license (or a legacy URL filtering license)
  • Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
  • Prisma Access licenses usually include Advanced URL Filtering capabilities.
You can exclude specific websites from URL category enforcement, ensuring that these websites are blocked or allowed regardless of the policy action associated with its URL categories. For example, you might block the social-networking URL category but allow access to LinkedIn. To create exceptions to URL category policy enforcement:
  • Add the IP addresses or URLs of sites you want to block or allow to a custom URL category of
    URL List
    type. Then, define site access for the category in a URL Filtering profile. Finally, attach the profile to a Security policy rule.
    You can also use a custom URL category as match criteria in a Security policy rule. Be sure to place the exception rule above any rules that block or allow the categories to which the URL exceptions belong.
  • Add the URLs of sites you want to block or allow to an external dynamic list of
    URL List
    type. Then, use the external dynamic list in a URL Filtering profile or as match criteria in a Security policy rule. The benefit to using an external dynamic list is that you can update the list without performing a configuration change or commit on the firewall.
External dynamic lists of
URL List
type should not be confused with external dynamic lists of Domain List or IP Address List type. While external dynamic lists of URLs permit domains and IP addresses, the reverse is not true and result in invalid entries.

Recommended For You