Advanced URL Filtering
Table of Contents
Learn about URL categories and their role in URL filtering, and explore the predefined categories and definitions used by PAN-DB to filter URLs.
Where can I use this?
What do I need?
Palo Alto Networks categorizes websites based on their content, features, and safety. Each URL category corresponds to a set of characteristics that is useful for creating policy rules. URLs that users on your network access are added to Palo Alto Networks URL filtering database, PAN-DB. PAN-DB assigns up to four URL categories, including risk categories (high, medium, and low), to these websites.
URL categories enable category-based filtering of web traffic and granular policy control of sites. You can configure a URL Filtering profile to define site access for URL categories and apply the profile to Security policy rules that allow traffic to the internet. You can also use URL categories as match criteria in Security policy rules to ensure those rules apply only to websites in the specified categories. For example, you might configure a decryption policy rule that prevents decryption of traffic to the financial-services category.
You can create a custom URL category to exclude particular websites from category-based enforcement. Custom URL categories can be based on specific URLs (URL List) or other categories (Category Match). Custom URL categories of URL list type function as block and allow lists. Custom URL categories of Category Match type enable targeted enforcement for websites that match all categories defined as part of the custom category.
Predefined URL Categories
The following table lists predefined URL categories that PAN-DB uses to filter URLs. Some entries describe sites that are excluded from the category. Security-Focused URL Categories describes risk categories, which are not assigned to all URLs.
Sites that pertain to information or groups in favor of or against abortion, details regarding abortion procedures, help or support forums for or against abortion, or sites that provide information regarding the consequences or effects of pursuing (or not) an abortion.
Sites that promote the abuse of both legal and illegal drugs, the use and sale of drug-related paraphernalia, or the manufacturing or selling of drugs.
Sites with any sexually explicit material, media (including language, games, or comics), art, or products, online groups or forums that are sexually explicit in nature, and sites that promote adult services, such as video or telephone conferencing, escort services, and strip clubs.
Alcohol and Tobacco
Sites that pertain to the sale, manufacturing, or use of alcohol or tobacco products, and related paraphernalia. Includes sites related to electronic cigarettes.
Websites that use machine learning and deep learning models, including large language models, to provide services that would have typically required human intelligence. The services provided include but are not limited to chatbot, productivity, summarizer, transcriber, no-code, and audio or video editing-related services.
Sites that promote the sale of goods or properties to the highest bidder.
Auctions with donation purposes are categorized as Society.
Business and Economy
Sites with content related to marketing, management, economics, entrepreneurship, or running a business, including the following:
Excludes corporate websites, which should be categorized with their technology or industry.
* Sites related to conferences should be categorized based on the content. If a site's content isn't specific, it is categorized as Business and Economy.
Command and Control
Command-and-control (C2) URLs and domains used by malware or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
Computer and Internet Info
Sites that provide general information about computers and the internet, including sites about the following topics:
Programming may have some overlap with the Reference and Research category, but the primary category should be Computer and Internet Info.
Content Delivery Networks
Sites whose primary focus is delivering content, such as advertisements, media, files, and image servers, to third parties.
Domains with illegal content, such as content that allows the illegal download of software or other intellectual property, which poses a potential liability risk.
Excludes sites that provide peer-to-peer file exchange services and general streaming media (these sites have their own category).
This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
Sites that promote cryptocurrencies, cryptomining (but not embedded crypto miners) sites, cryptocurrency exchanges and vendors, and sites that manage cryptocurrency wallets and ledgers.
Excludes sites that reference cryptocurrency, such as sites for traditional financial services (Financial Services), sites that explain how cryptocurrencies and blockchain technology work (Computer and Internet Info), and sites that contain embedded cryptocurrency miners (Grayware).
Sites offering online dating services, advice, or other personal ads.
Excludes dating sites that offer sexual chat rooms, which are categorized as Adult.
Sites that provide or utilize dynamic DNS services to associate domain names with dynamic IP addresses.
Dynamic DNS is often used by attackers for command-and-control communication and other malicious purposes.
Official sites for schools, colleges, universities, school districts, online classes, and other academic institutions. Also includes sites for tutoring academies.
This category refers to larger, established educational institutions, such as elementary schools, high schools, and universities.
Sites for DNS resolver service providers, which offer security and privacy for end users by encrypting DNS requests and responses using protocols like DNS over HTTPS (DoH).
Entertainment and Arts
Sites for movies, television, radio, videos, programming guides or tools, comics, performing arts, museums, art galleries, or libraries. Includes sites for the following:
Sites promoting terrorism, racism, fascism, or other views that discriminate against people or groups of different ethnic backgrounds, religions, and other beliefs.
Excludes websites that discuss controversial political or religious views, which fall under the Philosophy and Political Advocacy and Religion categories, respectively.
This category was introduced to enable adherence to child protection laws required in the education industry. In some regions, laws and regulations may prohibit access to extremist sites. Allowing access may also pose a liability risk.
Sites pertaining to personal finances or advice, such as online banking, loans, mortgages, debt management, credit card companies, foreign currency exchanges (FOREX), and insurance companies.
Excludes sites related to health insurance, stock markets, brokerages, or trading services.
Sites that facilitate the exchange of real or virtual money through lotteries or gambling. Includes related sites that provide information, tutorials, or advice on gambling, such as how to bet odds and pools.
Excludes corporate websites for hotels and casinos that don't enable gambling (Travel) and sites for manufacturers of gambling machines.
Sites that provide online play or downloads of video or computer games, game reviews, tips, cheats, or related publications and media. Includes sites that provide instructions for nonelectronic games, facilitate the sale or trade of board games, or support or host online sweepstakes and giveaways.
Official websites for local, state, and national governments, as well as related agencies, services, or laws.
Excludes sites for public libraries and military institutions, which fall under the Reference and Research and Military categories, respectively.
Sites with content that don't pose a direct security threat but that display other intrusive behavior and tempt end users to grant remote access or perform other unauthorized actions.
Grayware includes the following:
Sites related to the illegal or questionable access to or use of communications equipment or software, including the development and distribution of such programs, how-to-advice, or tips that may result in the compromise of networks and systems. Includes sites that facilitate the bypass of licensing and digital rights systems.
Health and Medicine
Sites containing information regarding general health, issues, and traditional and nontraditional tips, remedies, and treatments. Includes sites for the following:
Home and Garden
Sites with information, products, and services related to home repair and maintenance, architecture, design, construction, decor, and gardening. Includes cleaning services and office furniture.
Hunting and Fishing
Sites that provide hunting and fishing tips or instructions or facilitate the sale of related equipment and paraphernalia.
Excludes websites that primarily sell firearms (even if they are used for hunting); these websites fall under the Weapons category.
Sites and services that present test pages, have no content, provide API access not intended for end-user display, or require authentication without displaying any other content suggesting a different categorization.
Excludes websites providing remote access, such as web-based VPN solutions, web-based email services, or identified credential phishing pages.
Internet Communications and Telephony
Sites that support or provide services for video chatting, instant messaging, or other telephony capabilities.
Sites that serve as a starting point for users, usually by aggregating a broad set of content and topics.
Sites that provide job listings, employer reviews, interview advice and tips, or related services for both employers and prospective candidates.
Sites that provide information, analysis, or advice regarding the law, legal services, legal firms, or other legal-related issues.
Sites containing or known to host malicious content, executables, scripts, viruses, trojans, and code.
Sites with information or commentary on military branches, recruitment, current or past operations, or any related paraphernalia. Includes sites for military and veteran associations.
Sites with information relating to reviews, sales, trading, modification, parts, and other related discussions of automobiles, motorcycles, boats, trucks, and recreational vehicles (RVs).
Sites related to music sales, distribution, or information. Includes websites for music artists, groups, labels, events, lyrics, and other information regarding the music business.
Excludes music streaming sites, which fall under the Streaming Media category.
Newly Registered Domains
Sites that have been registered within the last 32 days. Newly registered domains are often generated purposely or by domain generation algorithms and can be used for malicious activity.
Online publications, newswire services, and other websites that aggregate current events, weather, or other contemporary issues. Includes the following:
If the magazine or news website focuses on a specific topic like sports, travel, fashion, it gets categorized based on the dominant content on the site.
This category indicates that the website wasn't found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category.
Sites that contain nude or seminude depictions of the human body, regardless of context or intent, such as artwork. Includes nudist or naturist sites containing images of participants.
Online Storage and Backup
Sites that provide online storage of files for free or as a service. Includes photo-sharing sites.
URLs that host limited content or click-through ads, which may generate revenue for the host entity but generally don't contain content that is useful to end users. Includes domains that are for sale.
Excludes parked sites with adult content, which fall under the Adult category.
Sites that provide access to or clients for peer-to-peer sharing of torrents, download programs, media files, or other software applications. Primarily applicable to those sites with BitTorrent download capabilities.
Excludes shareware or freeware sites.
Personal Sites and Blogs
Personal websites and blogs by individuals or groups.
Sites in this category are primarily categorized based on content. For example, a blog about cars should be categorized under Motor Vehicles. However, if the site is a pure blog, then it should remain under Personal Sites and Blogs.
Philosophy and Political Advocacy
Sites containing information, viewpoints, or campaigns regarding philosophical or political views. Includes online ballots.
Web content that covertly attempts to harvest information, such as login credentials, credit card information, account numbers, PINs, and other personally identifiable information (PII), voluntarily or involuntarily, from victims using social engineering techniques. Includes technical support scams and scareware.
Private IP Addresses
Includes IP addresses defined in RFC 1918, 'Address Allocation for Private Intranets,' which are as follows:
Includes domains not registered with the public DNS system (such as *.local and *.onion).
Proxy Avoidance and Anonymizers
Proxy servers and other methods that bypass URL filtering or monitoring. Includes VPNs used to avoid proxies and act as an anonymizer.
Excludes VPNs with corporate-level usage, which fall under the Internet Communication and Telephony category.
Sites containing tasteless humor or offensive content targeting specific demographics of individuals or groups of people.
Sites known to host ransomware or malicious traffic involved in conducting ransomware campaigns that generally threaten to publish private data or keep access to specific data or systems blocked, usually by encrypting it, until the demanded ransom is paid. Includes URLs that deliver related stealers, wipers, and loaders that may carry ransomware payloads.
Sites that provide information on property rentals, sales, and related tips or information, including sites for the following:
Excludes sites for mortgage and loan servicers, which fall under the Financial Services category.
Real-Time Detection (
Advanced URL Filtering only)
URLs that have been analyzed and detected by real-time inline analysis as part of Advanced URL Filtering.
Recreation and Hobbies
Sites that consist of information, forums, associations, groups, or publications related to recreational activities and hobbies.
Excludes sites that sell products related to recreational activities or hobbies, such as REI.com, which fall under the Shopping category.
Reference and Research
Sites that provide personal, professional, or academic reference portals, materials, or services, including online dictionaries, maps, almanacs, census information, libraries, genealogy, and scientific information. Includes sites for or related to the following:
Sites with information regarding various religions, related activities, or events. Includes sites for religious organizations, religious officials, places of worship, fortune-telling, astrology, horoscopes, and religious paraphernalia.
Excludes private primary or secondary schools affiliated with a religious organization, such as Catholic schools, with a curriculum that teaches general religious education and secular subjects. These school websites fall under the Educational Institutions category.
Scanning Activity (
Advanced URL Filtering only)
Campaigns that are conducted by adversaries that can be indicators of compromise, or attempts at conducting targeted attacks or probing for existing vulnerabilities. These are usually part of reconnaissance activity conducted by adversaries.
Sites that provide a search interface using keywords, phrases, or other parameters that may return information, websites, images, or other files as results.
Sites that provide information on reproduction, sexual development, safe sex practices, sexually transmitted diseases, birth control, tips for better sex, and any related products or paraphernalia. Includes sites for related groups, forums, or organizations.
Shareware and Freeware
Sites that provide access to software, screensavers, icons, wallpapers, utilities, ringtones, themes, or widgets for free or donations. Includes open source projects.
Sites that facilitate the purchase of goods and services. Includes online merchants, sites for department stores, retail stores, catalogs, and price aggregation or monitoring tools.
Sites under this category should be an online merchant that sells a variety of items (or whose main purpose is online sales). A webpage for a cosmetics company that happens to allow online purchasing is categorized as Cosmetics not Shopping.
User communities or sites where users interact with each other, post messages, pictures, and otherwise communicate with groups of people.
Excludes personal sites, blogs, or forums, which fall under the Personal Sites and Blogs category.
Sites with content related to the general population or issues that impact a large variety of people, such as fashion, beauty, philanthropic groups, societies, or children. Includes restaurant websites.
Excludes corporate websites related to food, such as Burger King, which fall under the Business and Economy category.
Sites about sporting events, athletes, coaches, officials, teams or organizations, scores, schedules, related news, or sports paraphernalia. Includes websites for fantasy sports and virtual sports leagues.
Excludes sites with the main purpose of selling sports goods, which fall under the Shopping category.
Stock Advice and Tools
Sites with information about the stock market, trading of stocks or options, portfolio management, investment strategies, quotes, or related news.
Sites that stream audio or video content for free or purchase, including sites for online radio stations, streaming music services, and the archiving of podcasts.
Swimsuits and Intimate Apparel
Sites that include information or images concerning swimsuits, intimate apparel, or other suggestive clothing.
Training and Tools
Sites that provide online education, training, and related materials. Includes driving or traffic schools, workplace training, games, applications, tools with educational purposes, and tutoring academies.
Specific skills classes are categorized based on the subject. For example, websites for music classes fall under the Music category.
Sites that provide translation services, including both user input and URL translations. These sites can also allow users to circumvent filtering as the target page's content is presented within the context of the translator's URL.
Sites that provide information about travel, such as tips, deals, pricing, destination information, tourism, and related services, such as booking or price monitoring tools. Includes websites for the following:
Sites that have not yet been identified by Palo Alto Networks.
If availability of this site is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts.
PAN-DB Real-Time Updates learn unknown sites after a first attempt to access these sites, so unknown URLs are identified quickly and become known URLs that the firewall can then handle based on the actual URL category.
Sites that handle sales or offer reviews, descriptions of, or instructions regarding weapons, armor, and bulletproof vests, and their use.
Sites related to clay shooting, shooting ranges, and archery receive the primary category of Weapons and a secondary category of Sports.
Sites with advertisements, media, content, and banners. Includes pages for subscribing and unsubscribing from newsletters or ads.
Any website that provides access to an email inbox and the ability to send and receive emails.
Excludes company webmail services, which should be categorized as the company's category.
Sites that offer free or paid hosting services for web pages. Includes sites with information about web development, publishing, promotions, and other methods to increase traffic.
Security-Focused URL Categories
PAN-DB automatically evaluates and assigns a risk category (
low-risk) to URLs that it either has
notclassified as malicious or
no longerclassifies as malicious because they have displayed only benign activity for at least 30 days. Each risk category has specific criteria that must be met for a URL to receive a given category. As site content changes, the risk category and policy enforcement dynamically adapt.
If PAN-DB determines that a URL belongs to a malicious URL category, it does not assign the site a risk category. Instead, the firewall automatically blocks the site because it poses an unacceptable risk for most environments.
Private IP addresses (and hosts) are unique to the host environment and are invisible to PAN-DB. As a result, Palo Alto Networks does not assign a risk rating to sites in this category.
Security-focused URL categories facilitate targeted decryption and policy enforcement, helping reduce your attack surface. For example, you can block users from accessing high- and medium-risk websites and newly registered domains or decrypt traffic to these categories if you choose to allow them.
The following table lists descriptions and default and recommended policy actions for each risk category.
You cannot submit a change request for security-focused URL categories.
Default and Recommended Policy Action: Alert
Default and Recommended Policy Action: Alert
Sites that are not medium or high risk. These sites have displayed benign activity for a minimum of 90 days.
Default and Recommended Policy Action: Allow
Newly Registered Domains
Identifies sites that have been registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
Newly registered domains are often generated purposefully or by domain generation algorithms and used for malicious activity. It’s a best practice to block this URL category.
Default Policy Action: Alert
Recommended Policy Action: Block
Malicious URL Categories
We strongly recommend that you block the following URL categories, which identify malicious or exploitative content and behavior.
For categories that you alert on, instead of block, you can strictly control how users interact with site content. For example, give users access to the resources they need (like developer blogs for research purposes or cloud storage services), but take the following precautions to reduce exposure to web-based threats:
- Display a response page to users when they visit high-risk and medium-risk sites. Alert them that the site they are attempting to access is potentially malicious, and advise them on how to take precautions if they decide to continue to the site.
The following table lists categories that PAN-DB considers malicious
andblocks by default, with the exception of
Private IP Addresses. Private IP addresses (and hosts) are unique to the host environment and are invisible to PAN-DB. As a result, Palo Alto Networks does not assign a risk rating to sites in this category.
Command and Control
Private IP Addresses
Allowed (no default action)