Transition URL Filtering Profiles Safely to Best Practices

The predefined URL categories are accurate, so it’s safe to implement URL Filtering profiles with category actions configured according to your company policy for allowing or denying access to different types of websites.
Block
Site Access
and
User Credential Submission
from the start for known-bad URL categories, including: malware, command-and-control, copyright-infringement, extremism, phishing, ransomware, dynamic-dns, hacking (but make exceptions for internal PEN testers), and proxy-avoidance-and-anonymizers.
For the URL categories unknown (sites PAN-DB has not yet identified), parked (often used for credential phishing), grayware (malicious or questionable), and newly-registered-domain (often used for malicious activity), alert initially so you can monitor the URL Filtering logs (
Monitor
Logs
URL Filtering
) in case legitimate websites trigger alerts before you move to the best practice of blocking these categories.
Set all other URL categories to
alert
to generate logs for the traffic. The firewall doesn't log traffic when access is set to
allow
. Monitor the URL Filtering logs to see if you want to block any other categories.
You can combine the high-risk, medium-risk, and low-risk categories with other categories to determine what traffic to allow, block, and decrypt. For example, you could block access to all websites that are both high-risk and financial-services. Or if your firewall needs to conserve resources, you could decrypt all high-risk and medium-risk traffic for some categories and not decrypt low-risk traffic for those categories.