Palo Alto Networks URL filtering solution enables you
to block and allow access to websites based on URL category and
information such as user and group.
Where can I use
What do I need?
Advanced URL Filtering license (or a legacy URL filtering
Legacy URL filtering licenses are discontinued, but
active legacy licenses are still supported.
Prisma Access licenses usually include Advanced URL
Advanced URL Filtering (preceded by URL Filtering) is a subscription
service that protects your network and its users against malicious
and evasive web-based threats—both known and unknown. The subscription
provides the same functionality as URL Filtering—granular URL filtering
control, visibility into user web activity, safe search enforcement,
and credential phishing prevention—with the addition of full web
content inspection using an inline machine learning-based web security
engine. The inline web security engine enables real-time analysis
and categorization of URLs that are not present in PAN-DB, Palo
Alto Networks cloud-based URL database. Then, the engine determines
the action the firewall takes.
Advanced URL Filtering protects against malicious URLs that are
updated or introduced before PAN-DB has analyzed and added them
to the database. With Advanced URL Filtering enabled, URL requests
Analyzed in real-time using the cloud-based Advanced
URL Filtering detection modules. This is in addition to URLs being
compared to entries in PAN-DB. The ML-powered web protection engine
detects and blocks the malicious websites that PAN-DB cannot.
a firewall-based analysis solution, which can block unknown malicious
web pages in real-time.
Advanced URL Filtering licenses are supported on firewalls running
PAN-OS 9.1 and later. You can manage URL filtering features on the
PAN-OS and Panorama web interface, Cloud NGFW for AWS, and Prisma
Access platforms. However, some URL filtering features are not available
on each platform.
If network security requirements in your enterprise prohibit
the firewalls from directly accessing the Internet, Palo Alto Networks
provides an offline URL filtering solution with the PAN-DB private
cloud. You can deploy a PAN-DB private cloud on one or more
M-600 appliances that function as PAN-DB servers within your network;
however, the private cloud does not support any of the cloud-based
URL analysis features provided by the Advanced URL Filtering solution.
Legacy URL Filtering Subscription
Filtering relies on predefined and custom URL categories
in PAN-DB to enforce policy. It uses only PAN-DB to identify and
filter known websites. Known websites are websites that are in your
local cache or in PAN-DB. Thus, attackers are better able to launch
precision attack campaigns through URLs not present in the database.
URL Filtering subscription holders are able to continue using their
URL filtering deployment until the end of the license term.