Transition URL Filtering Profiles Safely to Best Practices

The pre-defined URL categories are very accurate, so it’s safe to implement URL Filtering profiles with category actions configured according to your company policy for allowing or denying access to different types of sites.
Block known-bad URL categories from the start, including malware, command-and-control, copyright-infringement, extremism, phishing, and proxy-avoidance-and-anonymizers.
For the URL categories dynamic-dns (these sites are often used to deliver malware payloads or command-and-control traffic), unknown (sites PAN-DB has not yet identified), parked (often used for credential phishing), grayware (malicious or questionable), and newly-registered-domain (often used for malicious activity), it’s best to alert initially so you can monitor the URL Filtering logs (
Monitor
Logs
URL Filtering
) in case legitimate websites trigger alerts before you move to the best practice of blocking these categories.
Configure the security-focused high-risk and medium-risk based URL categories to alert (this is the default action). Monitor the URL Filtering logs to see if you want to allow access to the sites these categories control, if you want to block these categories completely, or if you want to allow access to some sites and block the rest.