URL Categories

URL categories are key to URL filtering. Explore the URL categories that sites can be assigned, and learn how to use them in targeted web security policy.
Where can I use this?
What do I need?
  • Prisma Access
  • PAN-OS
  • Advanced URL Filtering license
    For Prisma Access, this is usually included with your Prisma Access license.
Palo Alto Networks categorizes websites based on site content, features, and safety. Each URL category corresponds to a set of characteristics that is useful for URL filtering policy creation. URLs that network users access are added to Palo Alto Networks URL filtering database, PAN-DB. PAN-DB assigns up to four URL categories, including risk categories (high, medium, and low), to these websites.
URL categories enable category-based filtering of web traffic and granular policy control of sites. You can configure a URL Filtering profile to define site access for URL categories and apply the profile to Security policy rules that allow traffic to the internet. You can also use URL categories as match criteria in Security policy rules to ensure those rules apply only to websites in the specified categories. For example, you might configure a Decryption policy rule that prevents decryption of traffic to the financial-services category.
To check the categories of a specific URL, enter the URL into Test A Site, our URL lookup engine. If you believe a URL is incorrectly categorized, submit a URL category change request by clicking
Request Change
, which follows category information for the URL.

Custom URL Categories

You can create a custom URL category to exclude particular websites from category-based enforcement. Custom URL categories can be based on specific URLs (URL List) or other categories (Category Match). Custom URL categories of URL list type function as block and allow lists. Custom URL categories of Category Match type enable targeted enforcement for websites that match all categories defined as part of the custom category.

Predefined URL Categories

The following table list the predefined URL categories that PAN-DB assigns to URLs you access and which you can use in URL Filtering profiles and Security policy rules. For more information about risk categories, see Security-Focused URL Categories.
URL Category
Description
Risk Categories
High Risk
  • Sites previously confirmed to be malware, phishing, or C2 sites. These sites remain in this category for at least 30 days.
  • Sites that are associated with confirmed malicious activity or share a domain with a known malicious site.
  • Bulletproof ISP-hosted sites.
  • Domains classified as DDNS due to the presence of an active dynamic DNS configuration.
  • Sites hosted on IPs from ASNs that are known to allow malicious content.
  • Unknown domains are classified as high-risk until PAN-DB completes site analysis and categorization.
Medium Risk
  • Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 30 days. These sites remain in this category for an additional 60 days.
  • All cloud storage sites (with the URL category
    online-storage-and-backup
    ).
  • Unknown IP addresses are categorized as medium-risk until PAN-DB completes site analysis and categorization.
Low Risk
Any site that is not high risk or medium risk is considered low risk. This includes sites that were previously confirmed as malicious but have displayed benign activity for at least 90 days.
Threat Categories
Command and Control
Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
Malware
Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
Threat Adjacent Categories
Dynamic DNS
Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
Grayware
Web content that does not pose a direct security threat but that display other obtrusive behavior and tempt the end user to grant remote access or perform other unauthorized actions. Grayware includes illegal activities, criminal activities, rogueware, adware, and other unwanted or unsolicited applications, such as embedded crypto miners, clickjacking, or hijackers that change the elements of the browser. Typosquatting domains that do not exhibit maliciousness and are not owned by the targeted domain will be categorized as grayware.
Hacking
Sites relating to the illegal or questionable access to or the use of communications equipment/software. Development and distribution of programs, how-to-advice and/or tips that may result in the compromise of networks and systems. Also includes sites that facilitate the bypass of licensing and digital rights systems.
Phishing
Web content that covertly attempts to fool the user in order to harvest information, including login credentials, credit card information – voluntarily or involuntarily, account numbers, PINs, and any information considered to be personally identifiable information (PII) from victims via social engineering techniques. Technical support scams and scareware is also included as phishing.
Suspicious
Insufficient Content
Websites and services that present test pages, no content, provide API access not intended for end-user display or require authentication without displaying any other content suggesting a different categorization. Should not include websites providing remote access, such as web-based VPN solutions, web-based email services, or identified credential phishing pages.
Newly Registered Domain
Newly registered domains are often generated purposely or by domain generation algorithms and used for malicious activity.
Parked
Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personally identifiable information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.
Proxy Avoidance and Anonymizers
URLs and services often used to bypass content filtering products.
Unknown
Sites that have not yet been identified by Palo Alto Networks. If availability is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts.
Legal/Policy
Abortion
Sites that pertain to information or groups in favor of or against abortion, details regarding abortion procedures, help or support forums for or against abortion, or sites that provide information regarding the consequences/effects of pursuing (or not) an abortion.
Abused Drugs
Sites that promote the abuse of both legal and illegal drugs, the use and sale of drug-related paraphernalia, or the manufacturing and/or selling of drugs.
Adult
Sexually explicit material, media (including language), art, and/or products, online groups or forums that are sexually explicit in nature. Sites that promote adult services such as video/telephone conferencing, escort services, strip clubs, etc. Anything containing adult content (even if it's games or comics) will be categorized as Adult.
Alcohol and Tobacco
Sites that pertain to the sale, manufacturing, or use of alcohol and/or tobacco products and related paraphernalia. Includes sites related to electronic cigarettes.
Auctions
Sites that promote the sale of goods between individuals.
Business and Economy
Marketing, management, economics, and sites relating to entrepreneurship or running a business. Includes advertising and marketing firms. Should not include corporate websites as they should be categorized with their technology. Also shipping sites, such as fedex.com and ups.com.
Computer and Internet Info
General information regarding computers and the internet. Should include sites about computer science, engineering, hardware, software, security, programming, etc. Programming may have some overlap with Reference, but the main category should remain Computer and Internet Info.
Content Delivery Networks
Sites whose primary focus is delivering content to 3rd parties such as advertisements, media, files, etc. Also includes image servers.
Copyright Infringement
Domains with illegal content, such as content that allows the illegal download of software or other intellectual property, which poses a potential liability risk. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
Cryptocurrency
Websites that promote cryptocurrencies, crypto mining websites (but not embedded crypto miners), cryptocurrency exchanges and vendors, and websites that manage cryptocurrency wallets and ledgers. This category does not include traditional financial services websites that reference cryptocurrencies, websites that explain and describe how cryptocurrencies and blockchains work, or websites that contain embedded cryptocurrency miners (grayware).
Dating
Websites offering online dating services, advice, and other personal ads.
Educational Institutions
Official websites for schools, colleges, universities, school districts, online classes, and other academic institutions. These refer to larger, established educational institutions such as elementary schools, high schools, universities, etc. Tutoring academies can go here as well.
Entertainment and Arts
Sites for movies, television, radio, videos, programming guides/tools, comics, performing arts, museums, art galleries, or libraries. Includes sites for entertainment, celebrity, and industry news.
Extremism
Websites promoting terrorism, racism, fascism, or other extremist views discriminating against people or groups of different ethnic backgrounds, religions, or beliefs. This category was introduced to enable adherence to child protection laws required in the education industry. In some regions, laws and regulations may prohibit access to extremist sites. Allowing access may also pose a liability risk.
Financial Services
Websites pertaining to personal financial information or advice, such as online banking, loans, mortgages, debt management, credit card companies, and insurance companies. Does not include sites relating to stock markets, brokerages, or trading services. Includes sites for foreign currency exchange. Includes sites for foreign currency exchange.
Gambling
Lottery or gambling websites that facilitate the exchange of real and/or virtual money. Related websites that provide information, tutorials, or advice regarding gambling, including betting odds and pools. Corporate websites for hotels and casinos that do not enable gambling are categorized under Travel.
Games
Sites that provide online play or download of video and/or computer games, game reviews, tips, or cheats, as well as instructional sites for non-electronic games, sale/trade of board games, or related publications/media.Includes sites that support or host online sweepstakes and/or giveaways.
Government
Official websites for local, state, and national governments, as well as related agencies, services, or laws.
Health and Medicine
Sites containing information regarding general health information, issues, and traditional and non-traditional tips, remedies, and treatments. Also includes sites for various medical specialties, practices and facilities (such as gyms and fitness clubs) as well as professionals. Sites relating to medical insurance and cosmetic surgery are also included.
Home and Garden
Information, products, and services regarding home repair and maintenance, architecture, design, construction, decor, and gardening.
Hunting and Fishing
Hunting and fishing tips, instructions, sale of related equipment and paraphernalia.
Internet Communications and Telephony
Sites that support or provide services for video chatting, instant messaging, or telephony capabilities.
Internet Portals
Sites that serve as a starting point for users, usually by aggregating a broad set of content and topics.
Job Search
Sites that provide job listings and employer reviews, interview advice and tips, or related services for both employers and prospective candidates.
Legal
Information, analysis, or advice regarding the law, legal services, legal firms, or other legal-related issues.
Military
Information or commentary regarding military branches, recruitment, current or past operations, or any related paraphernalia.
Motor Vehicles
Information relating to reviews, sales and trading, modifications, parts, and other related discussions for automobiles, motorcycles, boats, trucks, and RVs.
Music
Music sales, distribution, or information. Includes websites for music artists, groups, labels, events, lyrics, and other information regarding the music business. Does not include streaming music.
News
Online publications, newswire services, and other websites that aggregate current events, weather, or other contemporary issues. Includes newspapers, radio stations, magazines, and podcasts.
Not-Resolved
Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category.
When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL, if no match is found, it then checks the management plane cache, and if no match is found there, it queries the URL database in the cloud. When deciding on what action to take for traffic that is categorized as Not-Resolved, be aware that setting the action to block may be disruptive to users.
Nudity
Sites that contain nude or semi-nude depictions of the human body, regardless of context or intent, such as artwork. Includes nudist or naturist sites containing images of participants.
Online Storage and Backup
Websites that provide online storage of files for free and as a service.
Peer-to-Peer
Sites that provide access to or clients for peer-to-peer sharing of torrents, download programs, media files, or other software applications. This is primarily for those sites that provide bittorrent download capabilities. Does not include shareware or freeware sites.
Personal Sites and Blogs
Personal websites and blogs by individuals or groups. Should try to first categorize based on content. For example, if someone has a blog just about cars, then the site should be categorized under Motor Vehicles. However, if the site is a pure blog, then it should remain under Personal Sites and Blogs.
Philosophy and Political Advocacy
Sites containing information, viewpoints, or campaigns regarding philosophical or political views.
Private IP Addresses
This category includes IP addresses defined in RFC 1918, 'Address Allocation for Private Intranets? It also includes domains not registered with the public DNS system (*.local and *.onion).
Questionable
Websites containing tasteless humor or offensive content targeting specific demographics of individuals or groups of people.
Real Estate
Information on property rentals, sales, and related tips or information. Includes sites for real estate agents, firms, rental services, listings (and aggregates), and property improvement.
Recreation and Hobbies
Information, forums, associations, groups, and publications on recreation and hobbies.
Reference and Research
Personal, professional, or academic reference portals, materials, or services. Includes online dictionaries, maps, almanacs, census information, libraries, genealogy, and scientific information.
Religion
Information regarding various religions, related activities or events. Includes websites for religious organizations, officials, and places of worship. Includes fortune-telling sites.
Search Engines
Sites that provide a search interface using keywords, phrases, or other parameters that may return information, websites, images, or other files as results.
Sex Education
Information on reproduction, sexual development, safe sex practices, sexually transmitted diseases, birth control, tips for better sex, as well as any related products or paraphernalia. Includes websites for related groups, forums, or organizations.
Shareware and Freeware
Sites that provide access to software, screensavers, icons, wallpapers, utilities, ringtones, themes or widgets for free and/or donations. Also includes open source projects.
Shopping
Sites that facilitate the purchase of goods and services. Includes online merchants, websites for department stores, retail stores, catalogs, as well as sites that aggregate and monitor prices. Sites listed here should be online merchants that sell a variety of items (or whose main purpose is online sales). A webpage for a cosmetics company that also happens to allow online purchasing should be categorized as Cosmetics and not Shopping.
Social Networking
User communities and sites where users interact with each other, post messages, pictures, or otherwise communicate with groups of people. Does not include blogs or personal sites.
Society
Topics relating to the general population, issues that impact a large variety of people, such as fashion, beauty, philanthropic groups, societies, or children. Also includes restaurant websites. Includes websites designed for children as well as restaurants.
Sports
Information about sporting events, athletes, coaches, officials, teams or organizations, sports scores, schedules and related news, and any related paraphernalia. Includes websites regarding fantasy sports and other virtual sports leagues.
Stock Advice and Tools
Information regarding the stock market, trading of stocks or options, portfolio management, investment strategies, quotes, or related news.
Streaming Media
Sites that stream audio or video content for free and/or purchase. Includes online radio stations and streaming music services.
Swimsuits and Intimate Apparel
Sites that include information or images concerning swimsuits, intimate apparel, or other suggestive clothing.
Training and Tools
Sites that provide online education, training, and related materials. Can include driving/traffic schools and workplace training.
Translation
Sites that provide translation services, including both user input and URL translations. These sites can also allow users to circumvent filtering as the target page's content is presented within the context of the translator's URL.
Travel
Information regarding travel tips, deals, pricing information, destination information, tourism, and related services. Includes websites for hotels, local attractions, casinos, airlines, cruise lines, travel agencies, vehicle rentals, and sites that provide booking tools such as price monitors. Includes websites for local points of interest/tourist attractions, such as the Eiffel Tower and the Grand Canyon.
Weapons
Sales, reviews, descriptions of or instructions regarding weapons and their use.
Web Advertisements
Advertisements, media, content, and banners.
Web Hosting
Free or paid for hosting services for web pages, including information regarding web development, publication, promotion, and other methods to increase traffic.
Web-based Email
Any website that provides access to an email inbox and the ability to send and receive emails.

Malicious URL Categories

We strongly recommend that you block the following URL categories that identify malicious or exploitive content.
  • command-and-control
    —Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
  • malware
    —Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
  • phishing
    —Known to host credential phishing pages or phishing for personal identification. This includes web content that covertly attempts to fool the user in order to harvest information, including login credentials, credit card information – voluntarily or involuntarily, account numbers, PINs, and any information considered to be personally identifiable information (PII) from victims via social engineering techniques. Technical support scams and scareware are also included as phishing.
  • grayware
    —Websites and services that do not meet the definition of a virus or pose a direct security threat but displays obtrusive behavior and influences users to grant remote access or perform other unauthorized actions. Grayware includes scams, illegal activities, criminal activities, get rich quick sites, adware, and other unwanted or unsolicited applications, such as embedded crypto miners or hijackers that change the elements of the browser. Typosquatting domains that do not exhibit maliciousness and is not owned by the targeted domain will be categorized as grayware. Prior to Content release version 8206, the firewall placed grayware in either the malware or questionable URL category. If you are unsure about whether to block grayware, start by alerting on grayware, investigate the alerts, and then decide whether to block grayware or continue to alert on grayware.
  • dynamic-dns
    —Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
  • unknown
    —Sites that have not yet been identified by PAN-DB. If availability is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts.
    PAN-DB Real-Time Updates learns unknown sites after the first attempt to access an unknown site, so unknown URLs are identified quickly and become known URLs that the firewall can then handle based on the actual URL category.
  • newly-registered-domain
    —Newly registered domains are often generated purposely or by domain generation algorithms and used for malicious activity.
  • copyright-infringement
    —Domains with illegal content, such as content that allows illegal download of software or other intellectual property, which poses a potential liability risk. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
  • extremism
    —Websites promoting terrorism, racism, fascism, or other extremist views discriminating against people or groups of different ethnic backgrounds, religions or other beliefs. This category was introduced to enable adherence to child protection laws required in the education industry. In some regions, laws and regulations may prohibit allowing access to extremist sites, and allowing access may pose a liability risk.
  • proxy-avoidance-and-anonymizers
    —URLs and services often used to bypass content filtering products.
  • questionable
    — Websites containing tasteless humor, offensive content targeting specific demographics of individuals, or groups of people.
  • parked
    —Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identify information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.
For categories that you decide to alert on, instead of block, you can very strictly control how users interact with site content. For example, give users access to the resources they need (like developer blogs for research purposes or cloud storage services), but take the following precautions to reduce exposure to web-based threats:
  • Follow the Anti-Spyware, Vulnerability Protection, and File Blocking best practices. A protective measure would be to block downloads of dangerous file types and blocking obfuscated JavaScript for sites that you are alerting on.
  • Target decryption based on URL category. A good start would be to decrypt high-risk and medium-risk sites.
  • Display a response page to users when they visit high-risk and medium-risk sites. Alert them that the site they are attempting to access is potentially malicious, and advise them on how to take precautions if they decide to continue to the site.
  • Prevent credential phishing by blocking users from submitting their corporate credentials to sites including those that are high-risk and medium-risk.
The following table lists categories that PAN-DB considers malicious
and
blocks by default, with the exception of
Private IP Addresses
. Private IP addresses (and hosts) are unique to the host environment and are invisible to PAN-DB. As a result, Palo Alto Networks does not assign a risk rating to sites in this category.
Category
Default Action
Malware
Block
Phishing
Command and Control
Grayware
Private IP Addresses
Allowed (no default action)

Security-Focused URL Categories

PAN-DB automatically evaluates and assigns a security risk category (
high-risk
,
medium-risk
, and
low-risk
) to URLs that it either has
not
classified as malicious or
no longer
classifies as malicious because they have displayed only benign activity for at least 30 days. Each risk category has specific criteria that a URL must meet to receive that classification and indicates the level of risk accessing that particular site poses. As site content changes, the risk category and policy enforcement dynamically adapts.
If PAN-DB determines that a URL belongs to a malicious URL category, it does not assign the site a security risk category. The firewall automatically blocks sites in these categories because they pose an unacceptable risk for most environments.
Private IP addresses (and hosts) are unique to the host environment and are invisible to PAN-DB. As a result, Palo Alto Networks does not assign a risk rating to sites in this category.
Security-focused URL categories facilitate targeted decryption and policy enforcement, helping reduce your attack surface. For example, you can block users from accessing high- and medium-risk websites and newly-registered domains or decrypt traffic to these categories if you choose to allow them.
The following table describes each security-focused URL category and the default and recommended policy actions for the category.
You cannot submit a change request for security-focused URL categories.
Security-Focused URL Categories
High-Risk
High-risk sites include:
  • Sites previously confirmed to be malware, phishing, or C2 sites. These sites will remain in this category for at least 30 days.
  • Unknown domains are classified as high-risk until PAN-DB completes site analysis and categorization.
  • Sites that are associated with confirmed malicious activity. For example, a page might be high-risk if there are malicious hosts on the same domain, even if the page itself does not contain malicious content.
  • Bulletproof ISP-hosted sites.
  • Domains classified as DDNS due to the presence of an active dynamic DNS configuration.
  • Sites hosted on IPs from ASNs that are known to allow malicious content.
Default and Recommended Policy Action: Alert
Medium-Risk
Medium-risk sites include:
  • All cloud storage sites (with the URL category
    online-storage-and-backup
    ).
  • Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 30 days. These sites will remain in this category for an additional 60 days.
  • Unknown IP addresses are categorized as medium-risk until PAN-DB completes site analysis and categorization.
Default and Recommended Policy Action: Alert
Low-Risk
Sites that are not medium or high risk are considered low risk. These sites have displayed benign activity for a minimum of 90 days.
Default and Recommended Policy Action: Allow
Newly-Registered Domains
Identifies sites that have been registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
Default Policy Action: Alert
Recommended Policy Action: Block
Newly-registered domains are often generated purposefully or by domain generation algorithms and used for malicious activity. It is a best practice to block this URL category.

Recommended For You