Advanced URL Filtering
URL Categories
Learn about URL categories and their role in URL filtering, and explore the predefined
categories and definitions used by PAN-DB to filter URLs.
Palo Alto Networks categorizes websites based on their content, features, and safety. Each URL
category corresponds to a set of characteristics that is useful for creating policy
rules. URLs that users on your network access are added to Palo Alto Networks URL
filtering database, PAN-DB. PAN-DB assigns up to four URL categories, including risk
categories (high, medium, and low), to these websites.
URL categories enable category-based filtering of web traffic and granular policy control of
sites. You can configure a URL Filtering profile to define
site access for URL categories and apply the profile to Security policy rules that allow
traffic to the internet. You can also use URL categories as match criteria in Security
policy rules to ensure those rules apply only to websites in the specified categories.
For example, you might configure a decryption policy rule that prevents decryption of
traffic to the financial-services category.
To check the categories of a specific URL, enter the URL into Test A Site, our URL lookup engine. If
you believe a URL is incorrectly categorized, submit a category change request.
Custom URL Categories
You can create a custom URL
category to exclude particular websites from category-based
enforcement. Custom URL categories can be based on specific URLs
(URL List) or other categories (Category Match). Custom URL categories
of URL list type function as block and allow lists. Custom URL categories
of Category Match type enable targeted enforcement for websites
that match all categories defined as part of the custom category.
Predefined URL Categories
The following table lists predefined URL categories that PAN-DB uses to filter URLs.
Some entries describe sites that are excluded from the category. Security-Focused URL Categories describes
risk categories, which are not assigned to all URLs.
URL Category | Description |
---|---|
Abortion | Sites that pertain to information or groups in favor of
or against abortion, details regarding abortion procedures, help
or support forums for or against abortion, or sites that provide
information regarding the consequences or effects of pursuing
(or not) an abortion. |
Abused Drugs | Sites that promote the abuse of both legal and illegal drugs, the
use and sale of drug-related paraphernalia, or the manufacturing
or selling of drugs. |
Adult | Sites with any sexually explicit material, media (including
language, games, or comics), art, or products, online groups or
forums that are sexually explicit in nature, and sites that
promote adult services, such as video or telephone conferencing,
escort services, and strip clubs. |
Alcohol and Tobacco | Sites that pertain to the sale, manufacturing, or use of alcohol
or tobacco products, and related paraphernalia. Includes sites
related to electronic cigarettes. |
Artificial Intelligence | Websites that use machine learning and deep learning
models, including large language models, to provide services that
would have typically required human intelligence. The services
provided include but are not limited to chatbot, productivity,
summarizer, transcriber, no-code, and audio or video editing-related
services. |
Auctions | Sites that promote the sale of goods or properties to the highest
bidder. Auctions with donation purposes are
categorized as Society. |
Business and Economy | Sites with content related to marketing, management, economics,
entrepreneurship, or running a business, including the
following:
Excludes corporate websites, which should be categorized with
their technology or industry. * Sites related to conferences should be
categorized based on the content. If a site's content isn't
specific, it is categorized as Business and Economy. |
Command and Control | Command-and-control (C2) URLs and domains used by malware or
compromised systems to surreptitiously communicate with an
attacker's remote server to receive malicious commands or
exfiltrate data. |
Computer and Internet Info | Sites that provide general information about computers and the
internet, including sites about the following topics:
Programming may have some overlap with
the Reference and Research category, but the primary category
should be Computer and Internet Info. |
Content Delivery Networks | Sites whose primary focus is delivering content, such as
advertisements, media, files, and image servers, to third
parties. |
Copyright Infringement | Domains with illegal content, such as content that allows the
illegal download of software or other intellectual property,
which poses a potential liability risk. Excludes sites that provide peer-to-peer file exchange services
and general streaming media (these sites have their own
category). This category was introduced to enable
adherence to child protection laws required in the education
industry as well as laws in countries that require internet
providers to prevent users from sharing copyrighted material
through their service. |
Cryptocurrency | Sites that promote cryptocurrencies, cryptomining (but not
embedded crypto miners) sites, cryptocurrency exchanges and
vendors, and sites that manage cryptocurrency wallets and
ledgers. Excludes sites that reference cryptocurrency, such as sites for
traditional financial services (Financial Services), sites that
explain how cryptocurrencies and blockchain technology work
(Computer and Internet Info), and sites that contain embedded
cryptocurrency miners (Grayware). |
Dating | Sites offering online dating services, advice, or other personal
ads. Excludes dating sites that offer sexual chat rooms, which are
categorized as Adult. |
Dynamic DNS | Sites that provide or utilize dynamic DNS services to associate
domain names with dynamic IP addresses. Dynamic DNS is often used by attackers
for command-and-control communication and other malicious
purposes. |
Educational Institutions | Official sites for schools, colleges, universities, school
districts, online classes, and other academic institutions. Also
includes sites for tutoring academies. This category refers to larger,
established educational institutions, such as elementary
schools, high schools, and universities. |
Encrypted DNS | Sites for DNS resolver service providers, which offer security
and privacy for end users by encrypting DNS requests and
responses using protocols like DNS over HTTPS (DoH). |
Entertainment and Arts | Sites for movies, television, radio, videos, programming guides
or tools, comics, performing arts, museums, art galleries, or
libraries. Includes sites for the following:
|
Extremism | Sites promoting terrorism, racism, fascism, or other views that
discriminate against people or groups of different ethnic
backgrounds, religions, and other beliefs. Excludes websites that discuss controversial political or
religious views, which fall under the Philosophy and Political
Advocacy and Religion categories, respectively. This category was introduced to enable
adherence to child protection laws required in the education
industry. In some regions, laws and regulations may prohibit
access to extremist sites. Allowing access may also pose a
liability risk. |
Financial Services | Sites pertaining to personal finances or advice, such as online
banking, loans, mortgages, debt management, credit card
companies, foreign currency exchanges (FOREX), and insurance
companies. Excludes sites related to health insurance, stock markets,
brokerages, or trading services. |
Gambling | Sites that facilitate the exchange of real or virtual money
through lotteries or gambling. Includes related sites that
provide information, tutorials, or advice on gambling, such as
how to bet odds and pools. Excludes corporate websites for hotels and casinos that don't
enable gambling (Travel) and sites for manufacturers of gambling
machines. |
Games | Sites that provide online play or downloads of video or computer
games, game reviews, tips, cheats, or related publications and
media. Includes sites that provide instructions for
nonelectronic games, facilitate the sale or trade of board
games, or support or host online sweepstakes and giveaways. |
Government | Official websites for local, state, and national governments, as
well as related agencies, services, or laws. Excludes sites for public libraries and military institutions,
which fall under the Reference and Research and Military
categories, respectively. |
Grayware | Sites with content that don't pose a direct security threat but
that display other intrusive behavior and tempt end users to
grant remote access or perform other unauthorized actions. Grayware includes the following:
|
Hacking | Sites related to the illegal or questionable access to or use of
communications equipment or software, including the development
and distribution of such programs, how-to advice, or tips that
may result in the compromise of networks and systems. Includes
sites that facilitate the bypass of licensing and digital rights
systems. |
Health and Medicine | Sites containing information regarding general health, issues,
and traditional and nontraditional tips, remedies, and
treatments. Includes sites for the following:
|
Home and Garden | Sites with information, products, and services related to home
repair and maintenance, architecture, design, construction,
decor, and gardening. Includes cleaning services and office
furniture. |
Hunting and Fishing | Sites that provide hunting and fishing tips or instructions or
facilitate the sale of related equipment and paraphernalia. Excludes websites that primarily sell firearms (even if they are
used for hunting); these websites fall under the Weapons
category. |
Insufficient Content | Sites and services that present test pages, have no content,
provide API access not intended for end-user display, or require
authentication without displaying any other content suggesting a
different categorization. Excludes websites providing remote access, such as web-based VPN
solutions, web-based email services, or identified credential
phishing pages. |
Internet Communications and Telephony | Sites that support or provide services for video chatting,
instant messaging, or other telephony capabilities. |
Internet Portals | Sites that serve as a starting point for users, usually by
aggregating a broad set of content and topics. |
Job Search | Sites that provide job listings, employer reviews, interview
advice and tips, or related services for both employers and
prospective candidates. |
Legal | Sites that provide information, analysis, or advice regarding the
law, legal services, legal firms, or other legal-related
issues. |
Malware | Sites containing or known to host malicious content, executables,
scripts, viruses, trojans, and code. |
Military | Sites with information or commentary on military branches,
recruitment, current or past operations, or any related
paraphernalia. Includes sites for military and veteran
associations. |
Motor Vehicles | Sites with information relating to reviews, sales, trading,
modification, parts, and other related discussions of
automobiles, motorcycles, boats, trucks, and recreational
vehicles (RVs). |
Music | Sites related to music sales, distribution, or information.
Includes websites for music artists, groups, labels, events,
lyrics, and other information regarding the music business. Excludes music streaming sites, which fall under the Streaming
Media category. |
Newly Registered Domains | Sites that have been registered within the last 32 days. Newly
registered domains are often generated purposely or by domain
generation algorithms and can be used for malicious
activity. |
News | Online publications, newswire services, and other websites that
aggregate current events, weather, or other contemporary issues.
Includes the following:
If the magazine or news website focuses
on a specific topic like sports, travel, fashion, it gets
categorized based on the dominant content on the site. |
Not-Resolved | This category indicates that the website wasn't found in the
local URL filtering database and the firewall was unable to
connect to the cloud database to check the category. |
Nudity | Sites that contain nude or seminude depictions of the human body,
regardless of context or intent, such as artwork. Includes
nudist or naturist sites containing images of participants. |
Online Storage and Backup | Sites that provide online storage of files for free or as a
service. Includes photo-sharing sites. |
Parked | URLs that host limited content or click-through ads, which may
generate revenue for the host entity but generally don't contain
content that is useful to end users. Includes domains that are
for sale. Excludes parked sites with adult content, which fall under the
Adult category. |
Peer-to-peer | Sites that provide access to or clients for peer-to-peer sharing
of torrents, download programs, media files, or other software
applications. Primarily applicable to those sites with
BitTorrent download capabilities. Excludes shareware or freeware sites. |
Personal Sites and Blogs | Personal websites and blogs by individuals or groups. Sites in this category are primarily
categorized based on content. For example, a blog about cars
should be categorized under Motor Vehicles. However, if the site
is a pure blog, then it should remain under Personal Sites and
Blogs. |
Philosophy and Political Advocacy | Sites containing information, viewpoints, or campaigns regarding
philosophical or political views. Includes online ballots. |
Phishing | Web content that covertly attempts to harvest information, such
as login credentials, credit card information, account numbers,
PINs, and other personally identifiable information (PII),
voluntarily or involuntarily, from victims using social
engineering techniques. Includes technical support scams and
scareware. |
Private IP Addresses | Includes IP addresses defined in RFC 1918, 'Address Allocation
for Private Intranets,' which are as follows:
Includes domains not registered with the public DNS system (such
as *.local and *.onion). |
Proxy Avoidance and Anonymizers | Proxy servers and other methods that bypass URL filtering or
monitoring. Includes VPNs used to avoid proxies and act as an
anonymizer. Excludes VPNs with corporate-level usage, which fall under the
Internet Communications and Telephony category. |
Questionable | Sites containing tasteless humor or offensive content targeting
specific demographics of individuals or groups of people. |
Ransomware | Sites known to host ransomware or malicious traffic
involved in conducting ransomware campaigns that generally threaten
to publish private data or keep access to specific data or systems
blocked, usually by encrypting it, until the demanded ransom is
paid. Includes URLs that deliver related stealers, wipers, and
loaders that may carry ransomware payloads. |
Real Estate | Sites that provide information on property rentals, sales, and
related tips or information, including sites for the
following:
Excludes sites for mortgage and loan servicers, which fall under
the Financial Services category. |
Real-Time Detection (Advanced URL Filtering only) | URLs that have been analyzed and detected by real-time inline
analysis as part of Advanced URL Filtering. |
Recreation and Hobbies | Sites that consist of information, forums, associations, groups,
or publications related to recreational activities and
hobbies. Excludes sites that sell products related to recreational
activities or hobbies, such as REI.com, which fall under the
Shopping category. |
Reference and Research | Sites that provide personal, professional, or academic reference
portals, materials, or services, including online dictionaries,
maps, almanacs, census information, libraries, genealogy, and
scientific information. Includes sites for or related to the
following:
|
Religion | Sites with information regarding various religions, related
activities, or events. Includes sites for religious
organizations, religious officials, places of worship,
fortune-telling, astrology, horoscopes, and religious
paraphernalia. Excludes private primary or secondary schools affiliated with a
religious organization, such as Catholic schools, with a
curriculum that teaches general religious education and secular
subjects. These school websites fall under the Educational
Institutions category. |
Scanning Activity (Advanced URL Filtering only) | Campaigns that are conducted by adversaries that can
be indicators of compromise, or attempts at conducting targeted
attacks or probing for existing vulnerabilities. These are usually
part of reconnaissance activity conducted by adversaries. |
Search Engines | Sites that provide a search interface using keywords, phrases, or
other parameters that may return information, websites, images,
or other files as results. |
Sex Education | Sites that provide information on reproduction, sexual
development, safe sex practices, sexually transmitted diseases,
birth control, tips for better sex, and any related products or
paraphernalia. Includes sites for related groups, forums, or
organizations. |
Shareware and Freeware | Sites that provide access to software, screensavers, icons,
wallpapers, utilities, ringtones, themes, or widgets for free or
donations. Includes open source projects. |
Shopping | Sites that facilitate the purchase of goods and services.
Includes online merchants, sites for department stores, retail
stores, catalogs, and price aggregation or monitoring tools. Sites under this category should be an
online merchant that sells a variety of items (or whose main
purpose is online sales). A webpage for a cosmetics company that
happens to allow online purchasing is categorized as Cosmetics
not Shopping. |
Social Networking | User communities or sites where users interact with each other,
post messages, pictures, and otherwise communicate with groups
of people. Excludes personal sites, blogs, or forums, which fall under the
Personal Sites and Blogs category. |
Society | Sites with content related to the general population or issues
that impact a large variety of people, such as fashion, beauty,
philanthropic groups, societies, or children. Includes
restaurant websites. Excludes corporate websites related to food, such as Burger King,
which fall under the Business and Economy category. |
Sports | Sites about sporting events, athletes, coaches, officials, teams
or organizations, scores, schedules, related news, or sports
paraphernalia. Includes websites for fantasy sports and virtual
sports leagues. Excludes sites with the main purpose of selling sports goods,
which fall under the Shopping category. |
Stock Advice and Tools | Sites with information about the stock market, trading of stocks
or options, portfolio management, investment strategies, quotes,
or related news. |
Streaming Media | Sites that stream audio or video content for free or purchase,
including sites for online radio stations, streaming music
services, and the archiving of podcasts. |
Swimsuits and Intimate Apparel | Sites that include information or images concerning swimsuits,
intimate apparel, or other suggestive clothing. |
Training and Tools | Sites that provide online education, training, and related
materials. Includes driving or traffic schools, workplace
training, games, applications, tools with educational purposes,
and tutoring academies. Specific skills classes are categorized
based on the subject. For example, websites for music classes
fall under the Music category. |
Translation | Sites that provide translation services, including both user
input and URL translations. These sites can also allow users to
circumvent filtering as the target page's content is presented
within the context of the translator's URL. |
Travel | Sites that provide information about travel, such as tips, deals,
pricing, destination information, tourism, and related services,
such as booking or price monitoring tools. Includes websites for
the following:
|
Unknown | Sites that have not yet been identified by Palo Alto
Networks. If availability of this site
is critical to your business and you must allow the traffic,
alert on unknown sites, apply the best practice Security
profiles to the traffic, and investigate the alerts. PAN-DB Real-Time Updates learn unknown sites after a first
attempt to access these sites, so unknown URLs are
identified quickly and become known URLs that the firewall
can then handle based on the actual URL category. |
Weapons | Sites that handle sales or offer reviews, descriptions of, or
instructions regarding weapons, armor, and bulletproof vests,
and their use. Sites related to clay
shooting, shooting ranges, and archery receive the primary
category of Weapons and a secondary category of Sports. |
Web Advertisement | Sites with advertisements, media, content, and banners. Includes
pages for subscribing and unsubscribing from newsletters or
ads. |
Web-based Email | Any website that provides access to an email inbox and the
ability to send and receive emails. Excludes company webmail services, which should be categorized as
the company's category. |
Web Hosting | Sites that offer free or paid hosting services for web pages.
Includes sites with information about web development,
publishing, promotions, and other methods to increase
traffic. |
Security-Focused URL Categories
PAN-DB automatically evaluates and assigns a risk category (high-risk,
medium-risk, and low-risk) to URLs that it either has not classified as
malicious or no longer classifies as malicious because they have displayed
only benign activity for at least 30 days. Each risk category has
specific criteria that must be met for a URL to receive a given category. As site
content changes, the risk category and policy enforcement dynamically adapt.
If PAN-DB determines that a URL belongs to a malicious URL category, it does not assign the site a
risk category. Instead, the firewall automatically blocks the site because it
poses an unacceptable risk for most environments.
Private IP addresses (and hosts) are unique to the host environment and are
invisible to PAN-DB. As a result, Palo Alto Networks does not assign a risk
rating to sites in this category.
Security-focused URL categories facilitate targeted decryption and policy
enforcement, helping reduce your attack surface. For example, you can block users
from accessing high- and medium-risk websites and newly registered domains or
decrypt traffic to these categories if you choose to allow them.
The following table lists descriptions and default and recommended policy actions for
each risk category.
You cannot submit a change request for security-focused URL categories.
URL Category | Description |
---|---|
High Risk |
Default and Recommended Policy Action: Alert |
Medium Risk |
Default and Recommended Policy Action: Alert |
Low Risk | Sites that are not medium or high risk. These sites have
displayed benign activity for a minimum of 90 days. Default and Recommended Policy Action: Allow |
Newly Registered Domains | Identifies sites that have been registered within the last 32
days. New domains are frequently used as tools in malicious
campaigns. Newly registered domains are often generated purposefully or
by domain generation algorithms and used for malicious
activity. It’s a best practice to block this URL
category. Default Policy Action: Alert Recommended Policy Action: Block |
Malicious URL Categories
We strongly recommend that you block the following URL categories, which identify malicious or
exploitative content and behavior.
- command-and-control
- copyright-infringement
- dynamic-dns
- extremism
- grayware
- malware
- newly-registered-domain
- parked
- phishing
- proxy-avoidance-and-anonymizers
- questionable
- ransomware
- scanning-activity
- unknown
For categories that you alert on, instead of block, you can strictly control how users interact
with site content. For example, give users access to the resources they need (like
developer blogs for research purposes or cloud storage services), but take the
following precautions to reduce exposure to web-based threats:
- Follow the Anti-Spyware, Vulnerability Protection, and File Blocking best practices. A protective measure would be to block downloads of dangerous file types and obfuscated JavaScript for sites that you're alerting on.
- Target decryption based on URL category. A good start would be to decrypt high-risk and medium-risk sites.
- Display a response page to users when they visit high-risk and medium-risk sites. Alert them that the site they are attempting to access is potentially malicious, and advise them on how to take precautions if they decide to continue to the site.
- Prevent credential phishing by blocking users from submitting their corporate credentials to sites including those that are high-risk and medium-risk.
The following table lists categories that PAN-DB considers malicious and
blocks by default, with the exception of Private IP Addresses. Private IP
addresses (and hosts) are unique to the
host environment and are invisible to PAN-DB. As a result, Palo Alto Networks does
not assign a risk rating to sites in this category.
Category | Default Action |
---|---|
Command and Control | Block |
Grayware | Block |
Malware | Block |
Phishing | Block |
Ransomware | Block |
Scanning Activity | Block |
Private IP Addresses | Allowed (no default action) |
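The following audit is an added example, not Palo Alto Networks code: it compares the per-category actions of one URL Filtering profile against the block list and risk-category actions recommended on this page, and ranks a gap higher when the category is one PAN-DB blocks by default. The XML fragment is constructed, and its layout (one element per action holding `member` entries) is an assumption about how a profile export looks; adjust the element names to match your own export.

```python
import xml.etree.ElementTree as ET

# Categories this page strongly recommends blocking (names as listed on the page).
RECOMMENDED_BLOCK = {
    "command-and-control", "copyright-infringement", "dynamic-dns", "extremism",
    "grayware", "malware", "newly-registered-domain", "parked", "phishing",
    "proxy-avoidance-and-anonymizers", "questionable", "ransomware",
    "scanning-activity", "unknown",
}
# Subset that the page's last table lists with a default action of Block.
DEFAULT_BLOCK = {"command-and-control", "grayware", "malware", "phishing",
                 "ransomware", "scanning-activity"}
# Risk categories whose default and recommended action on this page is Alert.
RECOMMENDED_ALERT = {"high-risk", "medium-risk"}

# Assumed action element names in the export (see lead-in).
ACTIONS = ("block", "continue", "override", "alert", "allow")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample profile, not taken from a real device.
SAMPLE_PROFILE = """
<entry name="constructed-profile">
  <block>
    <member>malware</member><member>phishing</member>
    <member>command-and-control</member><member>ransomware</member>
    <member>grayware</member>
  </block>
  <alert>
    <member>scanning-activity</member><member>newly-registered-domain</member>
    <member>high-risk</member><member>dynamic-dns</member><member>unknown</member>
  </alert>
  <allow>
    <member>parked</member><member>medium-risk</member><member>questionable</member>
  </allow>
</entry>
"""


def load_actions(xml_text):
    """Return {category: action}; reject a category listed under two actions."""
    root = ET.fromstring(xml_text)
    actions = {}
    for action in ACTIONS:
        for member in root.findall(f"./{action}/member"):
            category = (member.text or "").strip().lower()
            if not category:
                continue
            if actions.get(category, action) != action:
                raise ValueError(f"{category} has conflicting actions")
            actions[category] = action
    return actions


def audit(actions):
    """Return (severity, category, actual, expected) tuples, worst first."""
    findings = []
    for category in RECOMMENDED_BLOCK:
        actual = actions.get(category, "unset")
        if actual != "block":
            # Weakening a category that is blocked by default is the worst case.
            severity = "high" if category in DEFAULT_BLOCK else "medium"
            findings.append((severity, category, actual, "block"))
    for category in RECOMMENDED_ALERT:
        actual = actions.get(category, "unset")
        if actual in ("allow", "unset"):
            # No log entry is produced for these sites, so nothing to investigate.
            findings.append(("low", category, actual, "alert"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))


if __name__ == "__main__":
    for severity, category, actual, expected in audit(load_actions(SAMPLE_PROFILE)):
        print(f"[{severity}] {category}: {actual} (recommended: {expected})")
```

Categories reported as `unset` do not appear under any action in the export; confirm what your platform applies to them before treating the finding as closed.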