Advanced URL Filtering
URL Categories
Table of Contents
URL Categories
Learn about the role of URL categories in URL filtering, and explore the complete list of
PAN-DB URL filtering categories.
Where can I use this? | What do I need? |
---|---|
|
This feature has no prerequisites.
|
Palo Alto Networks categorizes websites based on their content, features, and safety. Each URL
category corresponds to a set of characteristics that’s useful for creating policy
rules. URLs that users on your network access are added to Palo Alto Networks URL
filtering database, PAN-DB. PAN-DB assigns up to four URL categories, including risk
categories (high, medium, and low), to these websites.
URL categories enable category-based filtering of web traffic and granular policy control of
sites. You can configure a URL Filtering profile to define
site access for URL categories and apply the profile to Security policy rules that allow
traffic to the internet. You can also use URL categories as match criteria in Security
policy rules to ensure those rules apply only to websites in the specified categories.
For example, you might configure a decryption policy rule that prevents decryption of
traffic to the financial-services category.
To check the categories of a specific URL, enter the URL into Test A Site, our URL lookup engine. If
you believe a URL is incorrectly categorized, submit a category change request.
Custom URL Categories
You can create a custom URL category to
exclude particular websites from category-based enforcement. Custom URL categories
can be based on specific URLs (URL List) or other categories (Category Match).
Custom URL categories of URL List type function as block and allow lists. Custom URL
categories of Category Match type enable targeted enforcement for websites that
match all categories defined as part of the custom category.
Predefined URL Categories
The following table lists predefined URL categories that PAN-DB uses to filter URLs.
Some entries describe sites that are excluded from the category. Security-Focused URL Categories describes
risk categories, which are not assigned to all URLs.
URL Category
|
Description
|
---|---|
Abortion
|
Sites that pertain to information or groups in favor of
or against abortion, details regarding abortion procedures, help
or support forums for or against abortion, or sites that provide
information regarding the consequences or effects of pursuing
(or not) an abortion.
|
Abused Drugs
|
Sites that promote the abuse of both legal and illegal drugs, the
use and sale of drug-related paraphernalia, or the manufacturing
or selling of drugs.
|
Adult
|
Sites with any sexually explicit material, media (including
language, games, or comics), art, or products, online groups or
forums that are sexually explicit in nature, and sites that
promote adult services, such as video or telephone conferencing,
escort services, and strip clubs.
|
Alcohol and Tobacco
|
Sites that pertain to the sale, manufacturing, or use of alcohol
or tobacco products, and related paraphernalia. Includes sites
related to electronic cigarettes.
|
Artificial Intelligence | Websites that use machine learning and deep learning models, including large language models, to provide services that would have typically required human intelligence. The services provided include but are not limited to chatbot, productivity, summarizer, transcriber, no-code, and audio or video editing-related services. Emphasis is given to websites hosting the actual AI service, not informational AI content. |
Auctions
|
Sites that promote the sale of goods between individuals.
Auctions with donation purposes are
categorized as Society. |
Business and Economy
|
Sites with content related to marketing, management, economics,
entrepreneurship, or running a business, including the
following:
|
Command and Control
|
Command-and-control (C2) URLs and domains used by malware or
compromised systems to surreptitiously communicate with an
attacker's remote server to receive malicious commands or
exfiltrate data.
|
Computer and Internet Info
|
Sites that provide general information about computers and the
internet, including sites about the following topics:
Programming may have some overlap with
the Reference and Research category, but the primary category
should be Computer and Internet Info. |
Content Delivery Networks
|
Sites whose primary focus is delivering content, such as
advertisements, media, files, and image servers, to third
parties.
|
Copyright Infringement
|
Domains with illegal content, such as content that allows the
illegal download of software or other intellectual property,
which poses a potential liability risk.
Sites that provide peer-to-peer file
exchange services or general streaming media belong to their own
respective categories. |
Cryptocurrency
|
Sites that promote cryptocurrencies, cryptomining (but not
embedded crypto miners) sites, cryptocurrency exchanges and
vendors, and sites that manage cryptocurrency wallets and
ledgers.
Sites referencing cryptocurrency or
malicious sites related to cryptocurrency will be categorized
separately. For example, sites that explain how cryptocurrencies
and blockchain technology work fall under Computer and Internet
Info. |
Dating
|
Sites offering online dating services, advice, or other personal
ads.
Dating sites that offer sexual chat
rooms fall under the Adult category. |
Dynamic DNS
|
Sites that provide or utilize dynamic DNS services to associate
domain names with dynamic IP addresses.
Dynamic DNS is often used by attackers
for command-and-control communication and other malicious
purposes. |
Educational Institutions
|
Official sites for schools, colleges, universities, school
districts, online classes, and other academic institutions. Also
includes sites for tutoring academies.
This category refers to larger,
established educational institutions, such as elementary
schools, high schools, and universities. |
Encrypted DNS
|
Sites for DNS resolver service providers, which offer security
and privacy for end users by encrypting DNS requests and
responses using protocols like DNS over HTTPS (DoH).
|
Entertainment and Arts
|
Sites for movies, television, radio, videos, programming guides
or tools, comics, performing arts, museums, art galleries, or
libraries. Includes sites for the following:
|
Extremism
|
Sites promoting terrorism, racism, fascism, or other views that
discriminate against people or groups of different ethnic
backgrounds, religions, and other beliefs. In some regions, laws
and regulations may prohibit allowing access to extremist sites,
and allowing access may pose a liability risk.
Websites that discuss controversial
political or religious views fall under the Philosophy and
Political Advocacy and Religion categories, respectively. |
Financial Services
|
Sites pertaining to personal finances or advice, such as online
banking, loans, mortgages, debt management, credit card
companies, foreign currency exchanges (FOREX), and insurance
companies. Excludes sites related to health insurance, stock
markets, brokerages, or trading services.
|
Gambling
|
Sites that facilitate the exchange of real or virtual money
through lotteries or gambling. Includes related sites that
provide information, tutorials, or advice on gambling, such as
how to bet odds and pools.
Corporate websites for hotels and
casinos that don't enable gambling fall under the Travel category. |
Games
|
Sites that provide online play or downloads of video or computer
games, game reviews, tips, cheats, or related publications and
media. Includes sites that provide instructions for
nonelectronic games, facilitate the sale or trade of board
games, or support or host online sweepstakes and giveaways.
|
Government
|
Official websites for local, state, and national governments, as
well as related agencies, services, or laws.
Sites for public libraries and military
institutions fall under the Reference and Research and Military
categories, respectively. |
Grayware
|
Sites with content that don't pose a direct security threat but
that display other intrusive behavior and tempt end users to
grant remote access or perform other unauthorized actions.
Grayware includes the following:
|
Hacking
|
Sites related to the illegal or questionable access to or use of
communications equipment or software, including the development
and distribution of such programs, how-to-advice, or tips that
may result in the compromise of networks and systems. Includes
sites that facilitate the bypass of licensing and digital rights
systems.
|
Health and Medicine
|
Sites containing information regarding general health, issues,
and traditional and nontraditional tips, remedies, and
treatments. Includes sites for various medical specialties,
practices, facilities (such as gyms and fitness clubs), and
professionals. Sites related to medical insurance and cosmetic
surgery are also included.
|
Home and Garden
|
Sites with information, products, and services related to home
repair and maintenance, architecture, design, construction,
decor, and gardening.
|
Hunting and Fishing
|
Sites that provide hunting and fishing tips or instructions or
facilitate the sale of related equipment and paraphernalia.
Sites that primarily sell firearms (even
if they are used for hunting) fall under the Weapons
category. |
Insufficient Content
|
Sites and services that present test pages, have no content,
provide API access not intended for end-user display, or require
authentication without displaying any other content suggesting a
different categorization.
|
Internet Communications and Telephony
|
Sites that support or provide services for video chatting,
instant messaging, or other telephony capabilities.
|
Internet Portals
|
Sites that serve as a starting point for users, usually by
aggregating a broad set of content and topics.
|
Job Search
|
Sites that provide job listings, employer reviews, interview
advice and tips, or related services for both employers and
prospective candidates.
|
Legal
|
Sites that provide information, analysis, or advice regarding the
law, legal services, legal firms, or other legal-related
issues.
|
Malware
|
Sites containing or known to host malicious content, executables,
scripts, viruses, trojans, and code.
|
Marijuana
| Sites that discuss, encourage, promote, offer, sell, supply or otherwise advocate the use, cultivation, manufacture or distribution of marijuana and its myriad aliases, whether for recreational or medicinal purposes. Includes sites with content regarding marijuana-related paraphernalia. |
Military
|
Sites with information or commentary on military branches,
recruitment, current or past operations, or any related
paraphernalia. Includes sites for military and veteran
associations.
|
Motor Vehicles
|
Sites with information relating to reviews, sales, trading,
modification, parts, and other related discussions of
automobiles, motorcycles, boats, trucks, and recreational
vehicles (RVs).
|
Music
|
Sites related to music sales, distribution, or information.
Includes websites for music artists, groups, labels, events,
lyrics, and other information regarding the music business.
Excludes music streaming sites.
|
Newly Registered Domains
|
Sites that have been registered within the last 32 days. Newly
registered domains are often generated purposely or by domain
generation algorithms and can be used for malicious
activity.
|
News
|
Online publications, newswire services, and other websites that
aggregate current events, weather, or other contemporary issues.
Includes the following:
If the magazine or news website focuses
on a specific topic like sports, travel, fashion, it gets
categorized based on the dominant content on the site. |
Not-Resolved
|
This category indicates that the website wasn't found in the
local URL filtering database and the firewall was unable to
connect to the cloud database to check the category.
|
Nudity
|
Sites that contain nude or seminude depictions of the human body,
regardless of context or intent, such as artwork. Includes
nudist or naturist sites containing images of participants.
|
Online Storage and Backup
|
Sites that provide online storage of files for free or as a
service. Includes photo-sharing sites.
|
Parked
|
URLs that host limited content or click-through ads, which may
generate revenue for the host entity but generally don't contain
content that is useful to end users. Includes domains that are
for sale.
Parked sites with adult content fall
under the Adult category. |
Peer-to-peer
|
Sites that provide access to or clients for peer-to-peer sharing
of torrents, download programs, media files, or other software
applications. Primarily applicable to those sites with
BitTorrent download capabilities. Excludes shareware or freeware
sites.
|
Personal Sites and Blogs
|
Personal websites and blogs by individuals or groups. If such
sites have a dominant topic associated with another category,
they will be categorized with both categories.
|
Philosophy and Political Advocacy
|
Sites containing information, viewpoints, or campaigns regarding
philosophical or political views.
|
Phishing
|
Web content that covertly attempts to harvest information, such
as login credentials, credit card information, account numbers,
PINs, and other personally identifiable information (PII),
voluntarily or involuntarily, from victims using social
engineering techniques. Includes technical support scams and
scareware.
|
Private IP Addresses
|
This category includes IP addresses defined in RFC 1918, 'Address
Allocation for Private Intranets,' which are as follows:
Includes domains not registered with the public DNS system (such
as *.local and *.onion).
|
Proxy Avoidance and Anonymizers
|
Proxy servers and other methods that bypass URL filtering or
monitoring.
VPNs with corporate-level usage fall
under the Internet Communication and Telephony category. |
Questionable
|
Sites containing tasteless humor or offensive content targeting
specific demographics of individuals or groups of people.
|
Ransomware
| Sites known to host ransomware or malicious traffic involved in conducting ransomware campaigns that generally threaten to publish private data or keep access to specific data or systems blocked, usually by encrypting it, until the demanded ransom is paid. Includes URLs that deliver related stealers, wipers, and loaders that may carry ransomware payloads. |
Real Estate
|
Sites that provide information on property rentals, sales, and
related tips or information, including sites for the
following:
Sites for mortgage and loan servicers
fall under the Financial Services category. |
Real-Time Detection (Advanced URL Filtering only)
|
URLs that have been analyzed and detected by real-time inline
analysis as part of Advanced URL Filtering.
|
Recreation and Hobbies
|
Sites that consist of information, forums, associations, groups,
or publications related to recreational activities and
hobbies.
Sites that sell products related to
recreational activities or hobbies, such as REI.com, fall under
the Shopping category. |
Reference and Research
|
Sites that provide personal, professional, or academic reference
portals, materials, or services, including online dictionaries,
maps, almanacs, census information, libraries, genealogy, and
scientific information. Includes sites for or related to the
following:
|
Religion
|
Sites with information regarding various religions, related
activities, or events. Includes sites for religious
organizations, religious officials, places of worship,
fortune-telling, astrology, horoscopes, and religious
paraphernalia.
Sites for private primary or
secondary schools affiliated with a religious organization,
such as Catholic schools, with a curriculum that teaches
general religious education and secular subjects fall under
the Educational Institutions category. |
Remote Access | Sites that provide tools or information to facilitate authorized remote access to private computers and attached networks. |
Scanning Activity (Advanced URL Filtering only) | Campaigns that are conducted by adversaries that can be indicators of compromise, or attempts at conducting targeted attacks or probing for existing vulnerabilities. These are usually part of reconnaissance activity conducted by adversaries. |
Search Engines
|
Sites that provide a search interface using keywords, phrases, or
other parameters that may return information, websites, images,
or other files as results.
|
Sex Education
|
Sites that provide information on reproduction, sexual
development, safe sex practices, sexually transmitted diseases,
birth control, tips for better sex, and any related products or
paraphernalia. Includes sites for related groups, forums, or
organizations.
|
Shareware and Freeware
|
Sites that provide access to software, screensavers, icons,
wallpapers, utilities, ringtones, themes, or widgets for free or
donations. Includes open-source projects.
|
Shopping
|
Sites that facilitate the purchase of goods and services.
Includes online merchants, sites for department stores, retail
stores, catalogs, and price aggregation or monitoring tools.
Sites in this category should be online merchants that sell a
variety of items (or whose main purpose is online sales).
A website for a cosmetics company that
happens to allow online purchasing falls under the Cosmetics
category. |
Social Networking
|
User communities or sites where users interact with each other,
post messages, pictures, and otherwise communicate with groups
of people.
Personal sites, blogs, or forums fall under the Personal
Sites and Blogs category. |
Society
|
Sites with content related to the general population or issues
that impact a large variety of people, such as fashion, beauty,
philanthropic groups, societies, or children. Includes
restaurant websites.
Corporate websites related to food,
such as Burger King, fall under the Business and Economy
category. |
Sports
|
Sites with information about sporting events, athletes, coaches,
officials, teams or organizations, scores, schedules, related
news, or sports paraphernalia. Includes websites for fantasy
sports and virtual sports leagues.
Sites with the main purpose of selling
sports goods fall under the Shopping category. |
Stock Advice and Tools
|
Sites with information about the stock market, trading of stocks
or options, portfolio management, investment strategies, quotes,
or related news.
|
Streaming Media
|
Sites that stream audio or video content for free or purchase,
including online radio stations, streaming music services, and
the archiving of podcasts.
|
Swimsuits and Intimate Apparel
|
Sites that include information or images concerning swimsuits,
intimate apparel, or other suggestive clothing.
|
Training and Tools
|
Sites that provide online education, training, and related
materials. Includes driving or traffic schools, workplace
training, games, applications, tools with educational purposes,
and tutoring academies.
Specific skills classes are categorized
based on their subject. For example, websites for music classes
fall under the Music category. |
Translation
|
Sites that provide translation services, including both user
input and URL translations. These sites can also allow users to
circumvent filtering as the target page's content is presented
within the context of the translator's URL.
|
Travel
|
Sites that provide information about travel, such as tips, deals,
pricing, destination information, tourism, and related services,
such as booking or price monitoring tools. Includes websites for
the following:
|
Unknown
|
Sites that have not yet been identified by Palo Alto
Networks.
If availability of this site
is critical to your business and you must allow the traffic,
alert on unknown sites, apply the best practice Security
profiles to the traffic, and investigate the alerts. PAN-DB Real-Time Updates learn unknown sites after a first
attempt to access these sites, so unknown URLs are
identified quickly and become known URLs that the firewall
can then handle based on the actual URL category. |
Weapons
|
Sites that handle sales or offer reviews, descriptions of, or
instructions regarding weapons, armor, bulletproof vests, and
their use.
Sites related to clay
shooting, shooting ranges, and archery receive the primary
category of Weapons and a secondary category of Sports. |
Web Advertisements
|
Sites with advertisements, media, content, and banners. Includes
pages for subscribing and unsubscribing from newsletters or
ads.
|
Web-based Email
|
Any website that provides access to an email inbox and the
ability to send and receive emails. Emphasis is given to
websites that offer free or paid public access to such
services.
|
Web Hosting
|
Sites that offer free or paid hosting services for webpages.
Includes sites with information about web development,
publication, promotion, and other methods of increasing
traffic.
|
Security-Focused URL Categories
PAN-DB automatically evaluates and assigns a risk category
(high-risk,
medium-risk, and
low-risk) to URLs that it either has not
classified as malicious or no longer classifies as malicious because they
have displayed only benign activity for at least 30 days. Each risk category has
specific criteria that must be met for a URL to receive a given category. As site
content changes, the risk category and policy enforcement dynamically adapt.
If PAN-DB determines that a URL belongs to a malicious URL category, it does not assign the site a
risk category. Instead, the firewall automatically blocks the site because it
poses an unacceptable risk for most environments.
Private IP addresses (and hosts) are unique to the host environment and are
invisible to PAN-DB. As a result, Palo Alto Networks does not assign a risk
rating to sites in this category.
Security-focused URL categories facilitate targeted decryption and policy
enforcement, helping reduce your attack surface. For example, you can block users
from accessing high- and medium-risk websites and newly registered domains or
decrypt traffic to these categories if you choose to allow them.
The following table lists descriptions and default and recommended policy actions for
each risk category.
You cannot submit a change request for security-focused URL categories.
URL Category | Description |
---|---|
High Risk |
Default and Recommended Policy Action: Alert
|
Medium Risk |
Default and Recommended Policy Action: Alert
|
Low Risk |
Sites that are not medium or high risk. These sites have
displayed benign activity for a minimum of 90 days.
Default and Recommended Policy Action: Allow
|
Newly Registered Domains |
Identifies sites that have been registered within the last 32
days. New domains are frequently used as tools in malicious
campaigns.
Newly registered domains are often generated purposefully or
by domain generation algorithms and used for malicious
activity. It’s a best practice to block this URL
category. Default Policy Action: Alert
Recommended Policy Action: Block
|
Malicious URL Categories
We strongly recommend that you block the following URL categories, which identify malicious or
exploitative content and behavior.
- command-and-control
- copyright-infringement
- dynamic-dns
- extremism
- grayware
- malware
- newly-registered-domain
- parked
- phishing
- proxy-avoidance-and-anonymizers
- questionable
- ransomware
- scanning-activity
- unknown
For categories that you alert on, instead of block, you can strictly control how users interact
with site content. For example, give users access to the resources they need (like
developer blogs for research purposes or cloud storage services), but take the
following precautions to reduce exposure to web-based threats:
- Follow the Anti-Spyware, Vulnerability Protection, and File Blocking best practices. A protective measure would be to block downloads of dangerous file types and obfuscated JavaScript for sites that you're alerting on.
- Target decryption based on URL category. A good start would be to decrypt high-risk and medium-risk sites.
- Display a response page to users when they visit high-risk and medium-risk sites. Alert them that the site they are attempting to access is potentially malicious, and advise them on how to take precautions if they decide to continue to the site.
- Prevent credential phishing by blocking users from submitting their corporate credentials to sites including those that are high-risk and medium-risk.
The following table lists categories that PAN-DB considers malicious and
blocks by default, except for Private IP Addresses.
Private IP addresses (and hosts) are unique to the host environment and are
invisible to PAN-DB. As a result, Palo Alto Networks does not assign a risk rating
to sites in this category.
Category | Default Action |
---|---|
Command and Control |
Block
|
Grayware | |
Malware | |
Phishing | |
Ransomware | |
Scanning Activity | |
Private IP Addresses | Allowed (no default action) |