Best practices for configuring URL filtering to protect
against web-based threats and monitor and control the web activity
of your users.
Where can I use
What do I need?
Advanced URL Filtering license (or a legacy URL filtering
Legacy URL filtering licenses are discontinued, but
active legacy licenses are still supported.
Prisma Access licenses usually include Advanced URL
Palo Alto Networks URL filtering solution protects
you from web-based threats, and gives you a simple way to monitor
and control web activity. To get the most out of your URL filtering
deployment, you should start by creating allow rules for the applications
you rely on to do business. Then, review the URL categories that
classify malicious and exploitive content—we recommend that you block
these outright. Then, for everything else, these best practices
can guide you how to reduce your exposure to web-based threats,
without limiting your users’ access to web content that they need.
applications include not only the applications you provision and administer
for business and infrastructure purposes, but also the applications that
your users need to get their jobs done and applications you might
want to allow for personal use.
After you’ve identified these
sanctioned applications, you can use URL filtering to control and
secure all the web activity that is not on the allow list.
Get visibility in to your users web activity so you can plan
the most effective URL filtering policy for your organization. This
Using Test A Site to see how
PAN-DB—the Palo Alto Networks URL filtering cloud database—categorizes
a specific URL, and to learn about all possible URL categories.
Starting with a (mostly) passive URL Filtering profile that
alerts on URL categories. This gives you visibility into the sites
your users are accessing, so you can decide what you want to allow,
limit, and block.
Monitoring web activity to assess the sites your users are accessing
and see how they align with your business needs.
Use URL categories to phase-in decryption, and to exclude
sensitive or personal information (like financial-services and health-and-medicine) from
Plan to decrypt the riskiest traffic first (URL
categories most likely to harbor malicious traffic, such as gaming
or high-risk) and then decrypt more as you gain experience. Alternatively,
decrypt the URL categories that don’t affect your business first
(if something goes wrong, it won’t affect business), for example,
news feeds. In both cases, decrypt a few URL categories, listen to
user feedback, run reports to ensure that decryption is working
as expected, and then gradually decrypt a few more URL categories,
and so on. Plan to make to exclude sites from decryption if you
can’t decrypt them for technical reasons or because you choose not
to decrypt them.
theft by enabling the firewall to detect corporate credential
submissions to sites, and then control those submissions based on
URL category. Block users from submitting credentials to malicious
and untrusted sites, warn users against entering corporate credentials
on unknown sites or reusing corporate credentials on non-corporate
sites, and explicitly allow users to submit credentials to corporate
and sanctioned sites.
Configure inline categorization to
enable inline deep learning, ML-based detection engines to analyze
suspicious web page content and protect users against zero-day web
attacks. Cloud inline categorization is capable of detecting and
preventing advanced and targeted phishing attacks, and other web-based
attacks that use advanced evasion techniques such as cloaking, multi-step
attacks, CAPTCHA challenges, and previously unseen one-time-use
The web content that you sanction and the
malicious URL categories that you block outright are just one portion
of your overall web traffic. The rest of the content your users
are accessing is a combination of benign (low-risk) and risky content
(high-risk and medium-risk). High-risk and medium-risk content is
not confirmed malicious but is closely associated with malicious
sites. For example, a high-risk URL might be on the same domain
as a malicious site or may have hosted malicious content in the
However, many sites that pose a risk to your organization
also provide valuable resources and services to your users (cloud
storage services are a good example). While these resources and
services are necessary for business, they are also more likely to
be used as part of a cyberattack. Here’s how to control how users
interact with this potentially-dangerous content, while still providing
them a good user experience:
In a URL Filtering profile,
set the high-risk and medium-risk categories to
to display a response
page that warns users they’re visiting a potentially-dangerous
site. Advise them how to take precautions if they decide to continue
to the site. If you don’t want to prompt users with a response page,
alert on the high-risk and medium-risk categories instead.
Follow the Anti-Spyware, Vulnerability Protection, and File Blocking best practices for high-risk
and medium-risk sites. A protective measure would be to block downloads
theft by blocking users from submitting their corporate credentials
to high-risk and medium-risk sites.
Schools or educational institutions should use safe search enforcement to
make sure that search engines filter out adult images and videos
from search results.
Hold initial web requests during URL category lookup.
a user visits a website, Advanced URL Filterings checks cached URL
categories to categorize the site. If it doesn’t find the URL’s
category in the cache, it performs a lookup in PAN-DB, the Palo
Alto Networks URL database. By default, the user’s web request is
allowed during this cloud lookup.
But when you choose to hold
web requests, you can instead block the request until Advanced URL
Filtering either finds the URL category or times out. If the lookup
times out, the firewall considers the URL category not-resolved.
Find this feature in your URL Filtering settings,