>
    Strata Copilot
    Create a Custom URL Category
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced URL Filtering
    3. Configure URL Filtering
    4. URL Category Exceptions
    5. Create a Custom URL Category
    Download PDF
    Advanced URL Filtering

    Create a Custom URL Category

    Table of Contents

    Create a Custom URL Category

    Create custom URL categories for URL overrides or to target sites matching multiple PAN-DB categories.
    Where can I use this?What do I need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • NGFW (Managed by Strata Cloud Manager)
    • NGFW (Managed by PAN-OS or Panorama)
    This feature has no prerequisites.
    You can create a custom URL category to define exceptions to current URL category enforcement or target sites that match multiple URL categories.
    • Define Exceptions to URL Category Enforcement (URL List)
      Specify one or more URLs to enforce independently of their predefined URL categories. For example, you can block the social-networking category but allow access to LinkedIn. To enforce the exception, you can configure Site Access for the custom category in a URL Filtering profile and apply the profile to Security policy rules; or use the custom category directly as match criteria in Security policy rules.
    • Define a Custom URL Category Based on Multiple PAN-DB Categories (Category Match)
      Specify two or more categories to target websites or pages matching all specified categories. For example, suppose PAN-DB classifies a developer blog that your engineers use for research as personal-sites-and-blogs, computer-and-internet-info, and high-risk. To allow access and monitor matching traffic, create a custom URL category based on the three categories and set Site Access to alert in a URL Filtering profile.
      You can also use Category Match to block sensitive content, such as that categorized as both adult and questionable, while allowing either individual category.
      To create an effective Category Match, first identify how PAN-DB categorizes your target sites or content. Review your URL Filtering logs if you're targeting sites with either the alert or block action, or you can use Test A Site. In Strata Cloud Manager, you can use the Check URL Category feature while configuring a URL Access Management profile.
    PAN-DB evaluates URLs against custom URL categories before external dynamic lists and predefined URL categories. Accordingly, the firewall enforces the Security policy rules for a URL in a custom URL list over the policy rules associated with the individual URL categories it exists in.
    If multiple Security policy rules include the same custom URL category, then the firewall enforces the Security policy rule with the strictest URL Filtering profile action for the matching traffic.

    Create a Custom URL Category (Strata Cloud Manager)

    If you’re using Panorama to manage Prisma Access:
    Toggle over to the PAN-OS & Panorama tab and follow the guidance there.
    If you’re using Strata Cloud Manager, continue here.
    1. Select ConfigurationNGFW and Prisma AccessSecurity ServicesURL Access Management.
    2. Under Custom URL Categories, click Add Category.
      Enter a descriptive Name for the category.
    3. For Type, select either Category Match or URL List:
      • Category Match—Select two or more existing URL categories to create a distinct policy target.
      • URL List—Enter specific URLs to override category-based policy enforcement. Ensure entries follow the Guidelines for URL Category Exceptions.
    4. Add (+) Items for the selected Type.
    5. Save the custom URL category.
    6. Configure Access Control settings for the custom URL category.
      1. Select ConfigurationNGFW and Prisma AccessSecurity ServicesURL Access Management.
      2. Select a URL Access Management Profile to modify, or click Add Profile.
      3. Under Access Control, select the custom URL category you created, and then set Site Access.
      4. (Optional) Set User Credential Submission.
      5. Save the profile.
    7. Apply the URL Access Management profile to a Security policy rule.
      A URL Access Management profile is only active when it’s included in a profile group that a Security policy rule references.
      Follow the steps to activate a URL Access Management profile (and any Security profile).
    8. Commit your configuration.
      Select Push ConfigPush.

    Block Sensitive Content through Category Match

    This task demonstrates how to use a custom URL category of Category Match type to block child sexual abuse material (CSAM), also referred to as child pornography.
    PAN-DB ingests a dynamically updated list of URLs that host CSAM from the Internet Watch Foundation (IWF). PAN-DB classifies these URLs as both adult and questionable. The best-practice URL Access Management profile blocks both categories. We recommend blocking both categories in all URL Access Management profiles; however, blocking either category is sufficient to block CSAM.
    To allow access to adult or questionable URLs while blocking CSAM, you can use a custom URL category of Category Match type. You can adapt the following configuration for any content that spans multiple categories. The key is to identify the category combinations that classify your target content.
    1. Create a custom URL category.
      1. Enter a descriptive Name, such as Block-CSAM.
      2. For Type, select Category Match.
      3. Add (+) entries for adult and questionable.
      4. Click Save.
    2. Configure Site Access for the custom category and its individual categories in your URL Access Management profiles.
      Apply these changes to all URL Access Management profiles attached to Security policy rules that allow internet access.
      1. For Block-CSAM, set Site Access to Block.
      2. For adult or questionable, set Site Access to either Alert or Allow.
        Alert is stricter than Allow because it generates URL filtering logs.
      3. Click Save.
    3. Select Push ConfigPush.
    4. Test the custom category and its exceptions.

    Create a Custom URL Category (PAN-OS & Panorama)

    1. Select ObjectsCustom ObjectsURL Category.
    2. Add or modify a custom URL category, and give the category a descriptive Name.
    3. For Type, select either Category Match or URL List:
      • Category MatchAdd two or more categories to target sites that match all specified categories.
      • URL ListAdd sites to enforce differently than their assigned URL categories. Ensure entries follow the Guidelines for URL Category Exceptions.
        By default, the firewall automatically appends a trailing slash (/) to domain entries ( example.com) that do not end in a trailing slash or asterisk (*). The trailing slash prevents the firewall from assuming an implicit asterisk to the right of the domain. In non-wildcard domain entries, the trailing slash limits matches to the given domain and its subdirectories. For example, example.com ( example.com/ after processing) matches itself and example.com/search.
        In wildcard domain entries (entries using asterisks or carets), the trailing slash limits matches to URLs that conform to the specified pattern. For example, to match the entry *.example.com, a URL must strictly begin with one or more subdomains and end with the root domain, example.com; news.example.com is a match, but example.com is not because it lacks a subdomain.
        We recommend manually adding trailing slashes to clarify the intended matching behavior of an entry for anyone who inspects your URL list. The trailing slash is invisible if added by the firewall. Guidelines for URL Category Exceptions discusses the trailing slash and matching behavior in further detail.
        To disable this feature, go to DeviceSetupContent-IDURL Filtering. Then, deselect Append Ending Token. If you disable this feature, you may block or allow access to more URLs than intended.
    4. To save the custom URL category, click OK.
    5. Select ObjectsSecurity ProfilesURL Filtering, and then Add or modify a URL Filtering profile.
      You can also use custom URL categories as match criteria in a Security policy rule.
      Your new custom category displays under Custom URL Categories.
    6. Configure the Site Access and User Credential Submissions settings for the custom URL category. (To restrict corporate credential submissions on specific sites, see Prevent Credential Phishing.)
    7. Attach the URL Filtering profile to Security policy rules that allow internet access.
      The settings in the URL Filtering profile apply to traffic matching the Security policy rule.
      1. Select PoliciesSecurity, and then select a rule to modify.
      2. In the Actions tab, select Profiles for Profile Type.
      3. For URL Filtering, select the profile you configured earlier.
      4. To save the rule, click OK.
    8. Commit your changes.

    Block Sensitive Content through Category Match

    This task demonstrates how to use a custom URL category of Category Match type to block child sexual abuse material (CSAM), also referred to as child pornography.
    PAN-DB ingests a dynamically updated list of URLs that host CSAM from the Internet Watch Foundation (IWF). PAN-DB classifies these URLs as both adult and questionable. The default URL Filtering profile blocks both categories. We recommend blocking both categories in all URL Filtering profiles; however, blocking either category is sufficient to block CSAM.
    To allow access to adult or questionable URLs while blocking CSAM, you can use a custom URL category of Category Match type. You can adapt the following configuration for any content that spans multiple categories. The key is to identify the category combinations that classify your target content.
    1. Create a custom URL category.
      1. Enter a descriptive Name, such as Block-CSAM.
      2. For Type, select Category Match.
      3. For Categories, click Add, and then select adult and questionable.
      4. Click OK.
    2. Update Site Access for the custom category and its individual categories in your URL Filtering profiles.
      Apply these changes to all URL Filtering profiles attached to Security policy rules that allow internet access.
      1. For Block-CSAM, set Site Access to block.
      2. For adult or questionable, set Site Access to either alert or allow.
        The alert action is stricter; it generates URL filtering logs.
      3. Click OK.
    3. Commit your changes.
    4. Test the custom category and its exceptions.

    © 2026 Palo Alto Networks, Inc. All rights reserved.