Discover ways you can use URL filtering to reduce your
attack surface and ensure safe web access.
Where can I use
What do I need?
Advanced URL Filtering license (or a legacy URL filtering
Legacy URL filtering licenses are discontinued, but
active legacy licenses are still supported.
Prisma Access licenses usually include Advanced URL
There are many ways to enforce web page access beyond only blocking
and allowing certain sites. For example, you can use multiple categories
per URL to allow users to access a site, but block particular functions
like submitting corporate credentials or downloading files. You
can also use URL categories to enforce different types of policy, such
as Authentication, Decryption, QoS, and Security.
Read on for more about the different ways that you can deploy
Control web access based on URL category
You can create a URL Filtering profile
that specifies an action for a URL category and attach the profile to a Security
policy rule. The firewall enforces policy against traffic based on the settings in
the profile. For example, to block all gaming websites you would configure the block
action for the games category in a URL Filtering profile. Afterward, you would
attach the profile to the Security policy rule(s) that allow web access.
Multi-Category URL Filtering
can have up to four categories, including a risk category that
indicates the likelihood a site will expose you to threats. More
granular URL categorizations let you move beyond a basic “block-or-allow”
approach to web access. Instead, you can control how your users
online content that, while necessary for business, is more likely
to be used as part of a cyberattack.
For instance, you might
consider certain URL categories risky to your organization, but
be hesitant to block them outright because they also provide valuable
resources or services (like cloud storage services or blogs). Now,
you can allow users to visit sites that fall into these types of
categories while decrypting and inspecting traffic and enforcing
read-only access to the content.
You can also define a custom
URL category by selecting
specifying two or more PAN-DB categories of which the new category
will consist. Creating a custom category from multiple categories
allows you to target enforcement for a website or page that matches
all of the categories specified in the custom URL category object.
Block or allow corporate credential submissions based on URL category
phishing by enabling the firewall to detect corporate credential
submissions to sites, and then control those submissions based on
URL category. Block users from submitting credentials to malicious
and untrusted sites, warn users against entering corporate credentials
on unknown sites or reusing corporate credentials on non-corporate
sites, and explicitly allow users to submit credentials to corporate
and sanctioned sites.
Enforce Safe Search Settings
engines have a safe search setting that filters out adult images
and videos from search results. You can enable the firewall to block
search results or transparently enable safe search for end users
that are not using the strictest safe search settings. The firewall
supports safe search enforcement for the following search providers:
Google, Yahoo, Bing, Yandex, and YouTube. See how to get started
with Safe Search Enforcement.
Block high-risk file downloads from certain URL
You can block high-risk file downloads from specific URL categories by creating a Security policy
rule with a File Blocking profile attached.
Enforce Security, Decryption, Authentication, and QoS policies based on URL category
You can enforce different
types of firewall policies based on URL categories. For example,
suppose you have enabled decryption, but want to
exclude certain personal information from being decrypted. In this
case you could create a Decryption policy rule that excludes websites
that match the URL categories financial-services and health-and-medicine from
decryption. Another example would be to use the URL category streaming-media in
a QoS policy to apply bandwidth controls to websites that fall into
this category.
The following table describes the policies
that accept URL categories as match criteria:
You can also use URL categories to phase-in decryption,
and to exclude URL categories that might contain sensitive or personal
information from decryption (like financial-services and health-and-medicine).
to decrypt the riskiest traffic first (URL categories most likely
to harbor malicious traffic, such as gaming or high-risk) and then
decrypt more as you gain experience. Alternatively, decrypt the
URL categories that don’t affect your business first (if something
goes wrong, it won’t affect business), for example, news feeds.
In both cases, decrypt a few URL categories, listen to user feedback,
run reports to ensure that decryption is working as expected, and
then gradually decrypt a few more URL categories, and so on. Plan
to make decryption exclusions to
exclude sites from decryption if you can’t decrypt them for technical reasons
or because you choose not to decrypt them.
traffic based on URL categories is a best practice for both URL
Filtering and Decryption.
Use URL categories to allocate throughput
levels for specific website categories. For example, you may want to
allow the streaming-media category, but limit throughput
by adding the URL category to a QoS policy rule.
To assign a particular action to a custom or
predefined URL category. For example, you can
create a Security policy rule that allows access
to sites in the personal sites and
Use a URL Filtering profile in the following
To record traffic to URL categories in URL
To specify more granular actions, such as
alert, on traffic for a specific category
To configure a response page that displays when users
access a blocked or blocked-continue website.
In a URL Filtering profile, the actions specified for each
URL category only apply to traffic destined for the
categories specified in the Security policy rule. You can
also apply a particular profile to multiple rules.
If, for example, the IT-Security group in your company needs
access to the hacking category, but all other users
are denied access to the category, you must create the following
A Security policy rule that allows the IT-Security group
to access content categorized as hacking.
The Security policy rule references the
hacking category in the
IT-Security group in the
Another Security policy rule that allows general web
access for all users. To this rule you attach a URL
Filtering profile that blocks the hacking
You must list the policy that allows access to
hacking before the policy that blocks
hacking. This is because the firewall evaluates
Security policy rules from the top down, so when a user who is
part of the security group attempts to access a
hacking site, the firewall evaluates the policy
rule that allows access first and grants the user access. The
firewall evaluates users from all other groups against the
general web access rule that blocks access to the
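
The rule ordering described above can be checked with a small first-match model. This Python code is an added example, not Palo Alto Networks code or firewall configuration; the rule names, the Sales group, and the `evaluate` helper are hypothetical, and the model assumes an attached profile blocks a request when any of the URL's categories has the block action.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str                # hypothetical rule name
    groups: frozenset        # source user groups; empty set matches any user
    categories: frozenset    # URL categories used as match criteria; empty = any
    profile: dict = field(default_factory=dict)  # URL Filtering profile: category -> action

def evaluate(rules, user_groups, url_categories):
    """Walk the rules top down and return (rule name, action) for the first match."""
    for rule in rules:
        if rule.groups and not (rule.groups & user_groups):
            continue  # user is not in any group this rule names
        if rule.categories and not (rule.categories & url_categories):
            continue  # URL has none of the categories this rule names
        # First match wins. The attached profile only applies to traffic
        # that matched this rule (model assumption: any "block" blocks).
        blocked = any(rule.profile.get(c) == "block" for c in url_categories)
        return rule.name, "block" if blocked else "allow"
    return "no-match", None  # the firewall's default rules are not modelled here

# The two rules from the text: an allow rule for IT-Security that uses the
# hacking category as match criteria, and a general web access rule whose
# URL Filtering profile blocks hacking.
ALLOW_IT_SEC = Rule("allow-hacking-it-security",
                    frozenset({"IT-Security"}), frozenset({"hacking"}))
GENERAL_WEB = Rule("general-web-access",
                   frozenset(), frozenset(), {"hacking": "block"})

CORRECT_ORDER = [ALLOW_IT_SEC, GENERAL_WEB]
REVERSED_ORDER = [GENERAL_WEB, ALLOW_IT_SEC]

def demo():
    """Evaluate constructed sample requests against both rule orders."""
    analyst, sales = frozenset({"IT-Security"}), frozenset({"Sales"})
    hacking_site, news_site = frozenset({"hacking"}), frozenset({"news"})
    return {
        "correct, IT-Security -> hacking": evaluate(CORRECT_ORDER, analyst, hacking_site),
        "correct, Sales -> hacking": evaluate(CORRECT_ORDER, sales, hacking_site),
        "correct, Sales -> news": evaluate(CORRECT_ORDER, sales, news_site),
        "reversed, IT-Security -> hacking": evaluate(REVERSED_ORDER, analyst, hacking_site),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With the rules reversed, the IT-Security user matches the general rule first and is blocked by its profile, so the allow rule below it is never reached.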