>
    Create a Custom URL Category
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced URL Filtering
    3. Configure URL Filtering
    4. URL Category Exceptions
    5. Create a Custom URL Category
    Download PDF
    Advanced URL Filtering

    Create a Custom URL Category

    Table of Contents

    Create a Custom URL Category

    Create a custom URL category that functions as either a URL category exception list or a distinct category based on multiple PAN-DB categories.
    Where can I use this?What do I need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • NGFW (Managed by Strata Cloud Manager)
    • NGFW (Managed by PAN-OS or Panorama)\
    This feature has no prerequisites.
    You can create a custom URL category to define exceptions to URL category enforcement or define a new URL category from multiple categories.
    Define Exceptions to URL Category Enforcement (URL List)
    Specify a list of URLs (grouped under a single custom category) that you wish to enforce independently of their predefined URL categories. You can control access to this category in a URL Filtering profile that you apply to Security policy rules or use the category as match criteria in Security policy rules. For example, you can block the social-networking category but allow access to LinkedIn.
    Define a Custom URL Category Based on Multiple PAN-DB Categories (Category Match)
    Create a new category to target enforcement for websites or pages that match all of the categories defined as part of the custom category. For example, PAN-DB might classify a developer blog that your engineers use for research as personal-sites-and-blogs, computer-and-internet-info, and high-risk. To allow the engineers to access the blog and similar websites and gain visibility into these websites, you can create a custom URL category based on the three categories and set site access for the category to alert in a URL Filtering profile.
    PAN-DB evaluates URLs against custom URL categories before external dynamic lists and predefined URL categories. Accordingly, the firewall enforces the Security policy rules for a URL in a custom URL list over the policy rules associated with the individual URL categories it exists in.
    If multiple Security policy rules include a custom URL category, then the firewall enforces the Security policy rule with the strictest URL Filtering profile action for the matching traffic.

    Create a Custom URL Category (Strata Cloud Manager)

    If you’re using Panorama to manage Prisma Access:
    Toggle over to the PAN-OS & Panorama tab and follow the guidance there.
    If you’re using Strata Cloud Manager, continue here.
    1. Select ManageConfigurationSecurity ServicesURL Access ManagementAccess Control.
    2. Under Custom URL Categories, select Add Category.
      Enter a descriptive Name for the category.
    3. Set the custom URL category Type to either URL List or Category Match.
      • URL List—Use this list type to add URLs that you want to enforce differently than the URL category to which they belong or to define a list of URLs as belonging to a custom category. Consult the Guidelines for URL Category Exceptions as you create URL list entries.
      • Category Match—Provide targeted enforcement for websites that match a set of categories. The website or page must match all the categories defined in the custom category.
    4. Under Items, Add either URLs or existing categories.
    5. Save the custom URL category.
    6. Define Site Access and User Credential Submissions settings for the custom URL category.
      1. Select ManageConfigurationSecurity ServicesURL Access ManagementURL Access Management Profiles.
      2. Select an existing profile to modify or click Add Profile.
      3. Under Access Control, select the custom URL category you created earlier. It sits under Custom URL Categories and above Pre-Defined Categories.
      4. Set Site Access for the category.
      5. Set User Credential Submissions for the category.
      6. Save the profile.
    7. Apply the URL Access Management profile to a Security policy rule.
      A URL Access Management profile is only active when it’s included in a profile group that a Security policy rule references.
      Follow the steps to activate a URL Access Management profile (and any Security profile). Be sure to Push Config.
      You can also use custom URL categories as Security policy rule match criterion. In this scenario, you do not define site access for the URL category in a URL Filtering profile. Instead, after creating a custom URL category, select the Security policy rule you want to add the custom URL category to (ManageConfiguration Security ServicesSecurity Policy). Under Applications, Services and URLs and URL Category Entities, click Add URL Categories. Select the custom URL category you created, and then Save the Security policy rule.

    Create a Custom URL Category (PAN-OS & Panorama)

    1. Select ObjectsCustom ObjectsURL Category.
    2. Add or modify a custom URL category, and give the category a descriptive Name.
    3. Set the category Type to either Category Match or URL List:
      • URL List—Add URLs that you want to enforce differently than the URL category to which they belong. Use this list type to define exceptions to URL category enforcement or to define a list of URLs as belonging to a custom category. Consult URL Category Exceptions for guidelines on creating URL list entries.
        By default, the firewall automatically appends a trailing slash (/) to domain entries ( example.com) that do not end in a trailing slash or asterisk (*). The trailing slash prevents the firewall from assuming an implicit asterisk to the right of the domain. In non-wildcard domain entries, the trailing slash limits matches to the given domain and its subdirectories. For example, example.com ( example.com/ after processing) matches itself and example.com/search.
        In wildcard domain entries (entries using asterisks or carets), the trailing slash limits matches to URLs that conform to the specified pattern. For example, to match the entry *.example.com, a URL must strictly begin with one or more subdomains and end with the root domain, example.com; news.example.com is a match, but example.com is not because it lacks a subdomain.
        We recommend manually adding trailing slashes to clarify the intended matching behavior of an entry for anyone who inspects your URL list. The trailing slash is invisible if added by the firewall. URL Category Exceptions discusses the trailing slash and matching behavior in further detail.
        To disable this feature, go to DeviceSetupContent-IDURL Filtering. Then, deselect Append Ending Token. If you disable this feature, you may block or allow access to more URLs than intended. URL Category Exceptions (PAN-OS 10.1 and earlier) describes the firewall’s behavior when this feature is disabled.
      • Category Match—Provide targeted enforcement for websites that match a set of categories. The website or page must match all the categories defined in the custom category.
    4. Click OK to save the custom URL category.
    5. Select ObjectsSecurity ProfilesURL Filtering and Add or modify a URL Filtering profile.
      Your new custom category displays under Custom URL Categories:
    6. Decide how you want to enforce Site Access and User Credential Submissions for the custom URL category. (To control the sites to which users can submit their corporate credentials, see Prevent Credential Phishing.)
    7. Attach the URL Filtering profile to a Security policy rule to enforce traffic that matches that rule.
      Select PoliciesSecurityActions and specify the Security policy rule to enforce traffic based on the URL Filtering profile you just updated. Make sure to Commit your changes.
      You can also use custom URL categories as Security policy rule match criteria. In this case, you do not define site access for the URL category in a URL Filtering profile. After creating a custom category, go to the Security policy rule to which you want to add the custom URL category (PoliciesSecurity). Then, select Service/URL Category to use the custom URL category as match criteria for the rule.

    © 2025 Palo Alto Networks, Inc. All rights reserved.