URL Categories
URL categories are key to URL filtering. Explore the
URL categories that sites can be assigned, and learn how to use
them in targeted web security policy.
Palo Alto Networks categorizes websites based on site content,
features, and safety. Each URL category corresponds to a set of
characteristics that is useful for URL filtering policy creation. URLs
that network users access are added to the Palo Alto Networks URL filtering database,
PAN-DB. PAN-DB assigns up to four URL categories, including risk
categories (high, medium, and low), to these websites.
URL categories enable category-based filtering of web traffic
and granular policy control of sites. You can configure a URL Filtering profile to
define site access for URL categories and apply the profile to Security
policy rules that allow traffic to the internet. You can also use
URL categories as match criteria in Security policy rules to ensure those
rules apply only to websites in the specified categories. For example,
you might configure a Decryption policy rule that prevents decryption
of traffic to the financial-services category.
To check the categories of a specific URL, enter the URL into Test A Site, our URL lookup engine. If
you believe a URL is incorrectly categorized, submit a URL category change
request by clicking Request Change, which follows category information for the URL.
Custom URL Categories
You can create a custom URL
category to exclude particular websites from category-based
enforcement. Custom URL categories can be based on specific URLs (URL
List) or other categories (Category Match). Custom URL categories
of URL list type function as block and allow lists. Custom URL categories
of Category Match type enable targeted enforcement for websites
that match all categories defined as part of the custom category.
Predefined URL Categories
The following table lists the predefined
URL categories that PAN-DB assigns to URLs you access and which
you can use in URL Filtering profiles and Security policy rules.
For more information about risk categories, see Security-Focused URL Categories.
URL Category | Description |
---|---|
Risk Categories | |
High Risk |
|
Medium Risk |
|
Low Risk | Any site that is not high risk or medium
risk is considered low risk. This includes sites that were previously
confirmed as malicious but have displayed benign activity for at
least 90 days. |
Threat Categories | |
Command and Control | Command-and-control URLs and domains used by
malware and/or compromised systems to surreptitiously communicate
with an attacker's remote server to receive malicious commands or exfiltrate
data. |
Malware | Sites known to host malware or used for command
and control (C2) traffic. May also exhibit Exploit Kits. |
Threat Adjacent Categories | |
Dynamic DNS | Hosts and domain names for systems with dynamically
assigned IP addresses and which are oftentimes used to deliver malware
payloads or C2 traffic. Also, dynamic DNS domains do not go through the
same vetting process as domains that are registered by a reputable
domain registration company, and are therefore less trustworthy. |
Grayware | Web content that does not pose a direct security
threat but that displays other obtrusive behavior and tempts the end
user to grant remote access or perform other unauthorized actions. Grayware
includes illegal activities, criminal activities, rogueware, adware,
and other unwanted or unsolicited applications, such as embedded
crypto miners, clickjacking, or hijackers that change the elements
of the browser. Typosquatting domains that do not exhibit maliciousness
and are not owned by the targeted domain will be categorized as grayware. |
Hacking | Sites relating to the illegal or questionable access
to or the use of communications equipment/software. Development
and distribution of programs, how-to-advice and/or tips that may
result in the compromise of networks and systems. Also includes
sites that facilitate the bypass of licensing and digital rights
systems. |
Phishing | Web content that covertly attempts to fool
the user in order to harvest information, including login credentials,
credit card information – voluntarily or involuntarily, account
numbers, PINs, and any information considered to be personally identifiable information
(PII) from victims via social engineering techniques. Technical
support scams and scareware are also included as phishing. |
Suspicious | |
Insufficient Content | Websites and services that present test
pages, no content, provide API access not intended for end-user
display or require authentication without displaying any other content
suggesting a different categorization. Should not include websites
providing remote access, such as web-based VPN solutions, web-based
email services, or identified credential phishing pages. |
Newly Registered Domain | Newly registered domains are often generated purposely
or by domain generation algorithms and used for malicious activity. |
Parked | Domains registered by individuals, oftentimes later
found to be used for credential phishing. These domains may be similar
to legitimate domains, for example, pal0alto0netw0rks.com, with
the intent of phishing for credentials or personally identifiable information.
Or, they may be domains that an individual purchases rights to in
hopes that it may be valuable someday, such as panw.net. |
Proxy Avoidance and Anonymizers | URLs and services often used to bypass content filtering
products. |
Unknown | Sites that have not yet been identified
by Palo Alto Networks. If availability is critical to your business
and you must allow the traffic, alert on unknown sites, apply the
best practice Security profiles to the traffic, and investigate
the alerts. |
Legal/Policy | |
Abortion | Sites that pertain to information or groups
in favor of or against abortion, details regarding abortion procedures,
help or support forums for or against abortion, or sites that provide
information regarding the consequences/effects of pursuing (or not)
an abortion. |
Abused Drugs | Sites that promote the abuse of both legal
and illegal drugs, the use and sale of drug-related paraphernalia,
or the manufacturing and/or selling of drugs. |
Adult | Sexually explicit material, media (including language),
art, and/or products, online groups or forums that are sexually
explicit in nature. Sites that promote adult services such as video/telephone conferencing,
escort services, strip clubs, etc. Anything containing adult content
(even if it's games or comics) will be categorized as Adult. |
Alcohol and Tobacco | Sites that pertain to the sale, manufacturing, or
use of alcohol and/or tobacco products and related paraphernalia.
Includes sites related to electronic cigarettes. |
Auctions | Sites that promote the sale of goods between individuals. |
Business and Economy | Marketing, management, economics, and sites relating
to entrepreneurship or running a business. Includes advertising
and marketing firms. Should not include corporate websites as they
should be categorized with their technology. Also shipping sites, such
as fedex.com and ups.com. |
Computer and Internet Info | General information regarding computers
and the internet. Should include sites about computer science, engineering,
hardware, software, security, programming, etc. Programming may
have some overlap with Reference, but the main category should remain
Computer and Internet Info. |
Content Delivery Networks | Sites whose primary focus is delivering
content to 3rd parties such as advertisements, media, files, etc.
Also includes image servers. |
Copyright Infringement | Domains with illegal content, such as content that
allows the illegal download of software or other intellectual property,
which poses a potential liability risk. This category was introduced
to enable adherence to child protection laws required in the education
industry as well as laws in countries that require internet providers
to prevent users from sharing copyrighted material through their service. |
Cryptocurrency | Websites that promote cryptocurrencies, crypto mining
websites (but not embedded crypto miners), cryptocurrency exchanges
and vendors, and websites that manage cryptocurrency wallets and
ledgers. This category does not include traditional financial services
websites that reference cryptocurrencies, websites that explain
and describe how cryptocurrencies and blockchains work, or websites that
contain embedded cryptocurrency miners (grayware). |
Dating | Websites offering online dating services, advice,
and other personal ads. |
Educational Institutions | Official websites for schools, colleges, universities,
school districts, online classes, and other academic institutions.
These refer to larger, established educational institutions such
as elementary schools, high schools, universities, etc. Tutoring
academies can go here as well. |
Entertainment and Arts | Sites for movies, television, radio, videos, programming
guides/tools, comics, performing arts, museums, art galleries, or
libraries. Includes sites for entertainment, celebrity, and industry
news. |
Extremism | Websites promoting terrorism, racism, fascism, or
other extremist views discriminating against people or groups of
different ethnic backgrounds, religions, or beliefs. This category
was introduced to enable adherence to child protection laws required
in the education industry. In some regions, laws and regulations
may prohibit access to extremist sites. Allowing access may also
pose a liability risk. |
Financial Services | Websites pertaining to personal financial information
or advice, such as online banking, loans, mortgages, debt management,
credit card companies, and insurance companies. Does not include
sites relating to stock markets, brokerages, or trading services.
Includes sites for foreign currency exchange. |
Gambling | Lottery or gambling websites that facilitate
the exchange of real and/or virtual money. Related websites that
provide information, tutorials, or advice regarding gambling, including
betting odds and pools. Corporate websites for hotels and casinos
that do not enable gambling are categorized under Travel. |
Games | Sites that provide online play or download
of video and/or computer games, game reviews, tips, or cheats, as
well as instructional sites for non-electronic games, sale/trade
of board games, or related publications/media. Includes sites that
support or host online sweepstakes and/or giveaways. |
Government | Official websites for local, state, and
national governments, as well as related agencies, services, or
laws. |
Health and Medicine | Sites containing information regarding general health
information, issues, and traditional and non-traditional tips, remedies,
and treatments. Also includes sites for various medical specialties, practices
and facilities (such as gyms and fitness clubs) as well as professionals.
Sites relating to medical insurance and cosmetic surgery are also included. |
Home and Garden | Information, products, and services regarding home
repair and maintenance, architecture, design, construction, decor,
and gardening. |
Hunting and Fishing | Hunting and fishing tips, instructions,
sale of related equipment and paraphernalia. |
Internet Communications and Telephony | Sites that support or provide services for
video chatting, instant messaging, or telephony capabilities. |
Internet Portals | Sites that serve as a starting point for
users, usually by aggregating a broad set of content and topics. |
Job Search | Sites that provide job listings and employer reviews,
interview advice and tips, or related services for both employers
and prospective candidates. |
Legal | Information, analysis, or advice regarding
the law, legal services, legal firms, or other legal-related issues. |
Military | Information or commentary regarding military branches,
recruitment, current or past operations, or any related paraphernalia. |
Motor Vehicles | Information relating to reviews, sales and trading,
modifications, parts, and other related discussions for automobiles,
motorcycles, boats, trucks, and RVs. |
Music | Music sales, distribution, or information. Includes
websites for music artists, groups, labels, events, lyrics, and
other information regarding the music business. Does not include
streaming music. |
News | Online publications, newswire services,
and other websites that aggregate current events, weather, or other
contemporary issues. Includes newspapers, radio stations, magazines,
and podcasts. |
Not-Resolved | Indicates that the website was not found
in the local URL filtering database and the firewall was unable
to connect to the cloud database to check the category. When
a URL category lookup is performed, the firewall first checks the
dataplane cache for the URL, if no match is found, it then checks
the management plane cache, and if no match is found there, it queries the
URL database in the cloud. When deciding on what action to take
for traffic that is categorized as Not-Resolved, be aware that setting
the action to block may be disruptive to users. |
Nudity | Sites that contain nude or semi-nude depictions
of the human body, regardless of context or intent, such as artwork.
Includes nudist or naturist sites containing images of participants. |
Online Storage and Backup | Websites that provide online storage of
files for free and as a service. |
Peer-to-Peer | Sites that provide access to or clients
for peer-to-peer sharing of torrents, download programs, media files,
or other software applications. This is primarily for those sites
that provide bittorrent download capabilities. Does not include
shareware or freeware sites. |
Personal Sites and Blogs | Personal websites and blogs by individuals
or groups. Should try to first categorize based on content. For
example, if someone has a blog just about cars, then the site should
be categorized under Motor Vehicles. However, if the site is a pure
blog, then it should remain under Personal Sites and Blogs. |
Philosophy and Political Advocacy | Sites containing information, viewpoints,
or campaigns regarding philosophical or political views. |
Private IP Addresses | This category includes IP addresses defined
in RFC 1918, 'Address Allocation for Private Intranets.' It also
includes domains not registered with the public DNS system (*.local
and *.onion). |
Questionable | Websites containing tasteless humor or offensive
content targeting specific demographics of individuals or groups
of people. |
Real Estate | Information on property rentals, sales,
and related tips or information. Includes sites for real estate
agents, firms, rental services, listings (and aggregates), and property
improvement. |
Recreation and Hobbies | Information, forums, associations, groups,
and publications on recreation and hobbies. |
Reference and Research | Personal, professional, or academic reference portals,
materials, or services. Includes online dictionaries, maps, almanacs,
census information, libraries, genealogy, and scientific information. |
Religion | Information regarding various religions,
related activities or events. Includes websites for religious organizations,
officials, and places of worship. Includes fortune-telling sites. |
Search Engines | Sites that provide a search interface using keywords,
phrases, or other parameters that may return information, websites,
images, or other files as results. |
Sex Education | Information on reproduction, sexual development,
safe sex practices, sexually transmitted diseases, birth control,
tips for better sex, as well as any related products or paraphernalia.
Includes websites for related groups, forums, or organizations. |
Shareware and Freeware | Sites that provide access to software, screensavers,
icons, wallpapers, utilities, ringtones, themes or widgets for free
and/or donations. Also includes open source projects. |
Shopping | Sites that facilitate the purchase of goods
and services. Includes online merchants, websites for department
stores, retail stores, catalogs, as well as sites that aggregate
and monitor prices. Sites listed here should be online merchants
that sell a variety of items (or whose main purpose is online sales).
A webpage for a cosmetics company that also happens to allow online
purchasing should be categorized as Cosmetics and not Shopping. |
Social Networking | User communities and sites where users interact
with each other, post messages, pictures, or otherwise communicate
with groups of people. Does not include blogs or personal sites. |
Society | Topics relating to the general population,
issues that impact a large variety of people, such as fashion, beauty,
philanthropic groups, societies, or children. Also includes restaurant
websites. Includes websites designed for children as well as restaurants. |
Sports | Information about sporting events, athletes, coaches,
officials, teams or organizations, sports scores, schedules and
related news, and any related paraphernalia. Includes websites regarding
fantasy sports and other virtual sports leagues. |
Stock Advice and Tools | Information regarding the stock market, trading
of stocks or options, portfolio management, investment strategies,
quotes, or related news. |
Streaming Media | Sites that stream audio or video content
for free and/or purchase. Includes online radio stations and streaming
music services. |
Swimsuits and Intimate Apparel | Sites that include information or images concerning
swimsuits, intimate apparel, or other suggestive clothing. |
Training and Tools | Sites that provide online education, training, and
related materials. Can include driving/traffic schools and workplace
training. |
Translation | Sites that provide translation services, including
both user input and URL translations. These sites can also allow
users to circumvent filtering as the target page's content is presented
within the context of the translator's URL. |
Travel | Information regarding travel tips, deals,
pricing information, destination information, tourism, and related
services. Includes websites for hotels, local attractions, casinos,
airlines, cruise lines, travel agencies, vehicle rentals, and sites
that provide booking tools such as price monitors. Includes websites
for local points of interest/tourist attractions, such as the Eiffel
Tower and the Grand Canyon. |
Weapons | Sales, reviews, descriptions of or instructions regarding
weapons and their use. |
Web Advertisements | Advertisements, media, content, and banners. |
Web Hosting | Free or paid for hosting services for web
pages, including information regarding web development, publication,
promotion, and other methods to increase traffic. |
Web-based Email | Any website that provides access to an email inbox
and the ability to send and receive emails. |
Malicious URL Categories
We strongly recommend that you block the following URL
categories that identify malicious or exploitive content.
- command-and-control—Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
- malware—Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
- phishing—Known to host credential phishing pages or phishing for personal identification. This includes web content that covertly attempts to fool the user in order to harvest information, including login credentials, credit card information – voluntarily or involuntarily, account numbers, PINs, and any information considered to be personally identifiable information (PII) from victims via social engineering techniques. Technical support scams and scareware are also included as phishing.
- grayware—Websites and services that do not meet the definition of a virus or pose a direct security threat but display obtrusive behavior and influence users to grant remote access or perform other unauthorized actions. Grayware includes scams, illegal activities, criminal activities, get rich quick sites, adware, and other unwanted or unsolicited applications, such as embedded crypto miners or hijackers that change the elements of the browser. Typosquatting domains that do not exhibit maliciousness and are not owned by the targeted domain will be categorized as grayware. Prior to Content release version 8206, the firewall placed grayware in either the malware or questionable URL category. If you are unsure about whether to block grayware, start by alerting on grayware, investigate the alerts, and then decide whether to block grayware or continue to alert on grayware.
- dynamic-dns—Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
- unknown—Sites that have not yet been identified by PAN-DB. If availability is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts. PAN-DB Real-Time Updates learns unknown sites after the first attempt to access an unknown site, so unknown URLs are identified quickly and become known URLs that the firewall can then handle based on the actual URL category.
- newly-registered-domain—Newly registered domains are often generated purposely or by domain generation algorithms and used for malicious activity.
- copyright-infringement—Domains with illegal content, such as content that allows illegal download of software or other intellectual property, which poses a potential liability risk. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
- extremism—Websites promoting terrorism, racism, fascism, or other extremist views discriminating against people or groups of different ethnic backgrounds, religions or other beliefs. This category was introduced to enable adherence to child protection laws required in the education industry. In some regions, laws and regulations may prohibit allowing access to extremist sites, and allowing access may pose a liability risk.
- proxy-avoidance-and-anonymizers—URLs and services often used to bypass content filtering products.
- questionable—Websites containing tasteless humor, offensive content targeting specific demographics of individuals, or groups of people.
- parked—Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personally identifiable information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.
For categories that you decide to alert on, instead of block,
you can very strictly control how users interact with site content.
For example, give users access to the resources they need (like
developer blogs for research purposes or cloud storage services),
but take the following precautions to reduce exposure to web-based
threats:
- Follow the Anti-Spyware, Vulnerability Protection, and File Blocking best practices. A protective measure would be to block downloads of dangerous file types and obfuscated JavaScript for sites that you are alerting on.
- Target decryption based on URL category. A good start would be to decrypt high-risk and medium-risk sites.
- Display a response page to users when they visit high-risk and medium-risk sites. Alert them that the site they are attempting to access is potentially malicious, and advise them on how to take precautions if they decide to continue to the site.
- Prevent credential phishing by blocking users from submitting their corporate credentials to sites including those that are high-risk and medium-risk.
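The block recommendation and the alert-with-precautions guidance above can be checked against a profile mechanically. The following is an added example, not Palo Alto Networks code: a Python audit that reports which of the listed categories a URL Filtering profile does not block. The sample profile is constructed, and its XML layout (one element per action with `member` children), the function names, and the `review`/`gap` labels are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Categories this page recommends blocking, using the names from the list above.
RECOMMENDED_BLOCK = [
    "command-and-control", "malware", "phishing", "grayware", "dynamic-dns",
    "unknown", "newly-registered-domain", "copyright-infringement",
    "extremism", "proxy-avoidance-and-anonymizers", "questionable", "parked",
]
# URL Filtering site-access actions a category can be listed under.
ACTIONS = ("block", "override", "continue", "alert", "allow")

# Constructed sample profile. The element layout is an assumption.
SAMPLE_PROFILE = """
<entry name="example-profile">
  <block>
    <member>command-and-control</member>
    <member>malware</member>
    <member>phishing</member>
    <member>dynamic-dns</member>
    <member>copyright-infringement</member>
    <member>extremism</member>
    <member>proxy-avoidance-and-anonymizers</member>
  </block>
  <alert>
    <member>grayware</member>
    <member>unknown</member>
    <member>newly-registered-domain</member>
  </alert>
  <allow>
    <member>parked</member>
  </allow>
</entry>
"""


def load_actions(profile_xml):
    """Return {category: action}; reject a category listed under two actions."""
    root = ET.fromstring(profile_xml)
    actions = {}
    for action in ACTIONS:
        for member in root.findall(f"./{action}/member"):
            category = (member.text or "").strip().lower()
            if not category:
                continue
            if actions.get(category, action) != action:
                raise ValueError(
                    f"{category} is listed under both {actions[category]} and {action}"
                )
            actions[category] = action
    return actions


def audit(profile_xml):
    """List (category, action, status) for every recommended category not blocked.

    status "review": the category is alerted on, so the precautions above
    (decryption, response pages, credential submission blocking) should apply.
    status "gap": the category is neither blocked nor alerted on.
    """
    actions = load_actions(profile_xml)
    findings = []
    for category in RECOMMENDED_BLOCK:
        action = actions.get(category, "unset")  # "unset": not listed in the profile
        if action == "block":
            continue
        status = "review" if action == "alert" else "gap"
        findings.append((category, action, status))
    return findings


if __name__ == "__main__":
    for category, action, status in audit(SAMPLE_PROFILE):
        print(f"{status:6} {category:32} action={action}")
```
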
The following table lists categories that PAN-DB considers malicious and blocks by default, with the exception of Private IP Addresses. Private IP
addresses (and hosts) are unique to the host environment and are
invisible to PAN-DB. As a result, Palo Alto Networks does not assign
a risk rating to sites in this category.
Category | Default Action |
---|---|
Malware | Block |
Phishing | Block |
Command and Control | Block |
Grayware | Block |
Private IP Addresses | Allowed (no default action) |
Security-Focused URL Categories
PAN-DB automatically evaluates and assigns a security risk category (high-risk, medium-risk, and low-risk) to URLs that it either has not classified as malicious or no longer classifies as malicious because they have displayed only benign activity for at least 30 days. Each risk category has specific criteria that a URL must meet to receive that classification and indicates the level of risk accessing that particular site poses. As site content changes, the risk category and policy enforcement dynamically adapt.
If PAN-DB determines that a URL belongs to a malicious URL category, it does not assign the site a security risk category. The firewall automatically blocks sites in these categories because they pose an unacceptable risk for most environments.
Private IP addresses (and hosts) are
unique to the host environment and are invisible to PAN-DB. As a
result, Palo Alto Networks does not assign a risk rating to sites
in this category.
Security-focused URL categories facilitate targeted decryption
and policy enforcement, helping reduce your attack surface. For
example, you can block users from accessing high- and medium-risk
websites and newly-registered domains or decrypt traffic to these
categories if you choose to allow them.
The following table describes each security-focused URL category
and the default and recommended policy actions for the category.
You cannot submit a change request for security-focused
URL categories.
Security-Focused URL Categories | |
---|---|
High-Risk | High-risk sites include:
Default and Recommended Policy Action:
Alert |
Medium-Risk | Medium-risk sites include:
Default
and Recommended Policy Action: Alert |
Low-Risk | Sites that are not medium or high risk are considered
low risk. These sites have displayed benign activity for a minimum
of 90 days. Default and Recommended Policy Action: Allow |
Newly-Registered Domains | Identifies sites that have been registered
within the last 32 days. New domains are frequently used as tools
in malicious campaigns. Default Policy Action: Alert. Recommended
Policy Action: Block. Newly-registered domains
are often generated purposefully or by domain generation algorithms
and used for malicious activity. It is a best practice to block
this URL category. |