Focus

Cloud NGFW for Azure

Cloud NGFW for Azure Security Services

Table of Contents

Cloud NGFW for Azure Security Services

Cloud NGFW uses your rulestack definitions to protect your Azure Virtual Network (VNet) traffic by a two-step process. First, it enforces your rules to allow or deny your traffic. Second, it performs content inspection on the allowed traffic (URLs, threats, files) based on what you specify on the Security Profiles. Additionally, it helps you define how Cloud NGFW should scan the allowed traffic and blocks threats such as viruses, malware, spyware, and DDOS attacks.

IPS and Spyware Threat Protection

IPS Vulnerability—(enabled by default and preconfigured based on best practices) an Intrusion Prevention System (IPS) vulnerability profile stops attempts to exploit system flaws or gain unauthorized access to systems. While Anti-Spyware profiles help identify infected hosts as traffic leaves the network, IPS Vulnerability profiles protect against threats entering the network. For example, Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection profile protects clients and servers from all known critical, high, and medium-severity threats.

Best Practice Configuration

The following Vulnerability best practice configuration is enabled by default on Cloud NGFW for Azure.

Signature Severity	Action
Critical	Reset both
High	Reset both
Medium	Reset both
Informational	Default
Low	Default

Anti-Spyware—(enabled by default and preconfigured based on best practices) an anti-spyware profile blocks spyware on compromised hosts from trying to phone-home or beacon out to external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients.

Best Practice Configuration

The following Anti-Spyware best practice configuration is enabled by default on Cloud NGFW for Azure.

Signature Severity	Action
Critical	Reset both
High	Reset both
Medium	Reset both
Informational	Default
Low	Default

IPS Vulnerability and Anti-Spyware Signatures

The following table lists all possible signatures for Vulnerability and Spyware categories. These signatures are continuously updated on your NGFWs.

Threat Category	Description
Vulnerability Signatures
brute force	A brute-force signature detects multiple occurrences of a condition in a particular time frame. While the activity in isolation might be benign, the brute-force signature indicates that the frequency and rate at which the activity occurred is suspect. For example, a single FTP login failure does not indicate malicious activity. However, many failed FTP logins in a short period likely indicate an attacker attempting password combinations to access an FTP server.
code execution	Detects a code execution vulnerability that an attacker can leverage to run code on a system with the privileges of the logged-in user.
code-obfuscation	Detects code that has been transformed to conceal certain data while retaining its function. Obfuscated code is difficult or impossible to read, so it’s not apparent what commands the code is executing or with which programs its designed to interact. Most commonly, malicious actors obfuscate code to conceal malware. More rarely, legitimate developers might obfuscate code to protect privacy, intellectual property, or to improve user experience. For example, certain types of obfuscation (like minification) reduce file size, which decreases website load times and bandwidth usage.
dos	Detects a denial-of-service (DoS) attack, where an attacker attempts to render a targeted system unavailable, temporarily disrupting the system and dependent applications and services. To perform a DoS attack, an attacker might flood a targeted system with traffic or send information that causes it to fail. DoS attacks deprive legitimate users (like employees, members, and account holders) of the service or resource to which they expect access.
exploit-kit	Detects an exploit kit landing page. Exploit kit landing pages often contain several exploits that target one or many common vulnerabilities and exposures (CVEs), for multiple browsers and plugins. Because the targeted CVEs change quickly, exploit-kit signatures trigger based on the exploit kit landing page, and not the CVEs. When a user visits a website with an exploit kit, the exploit kit scans for the targeted CVEs and attempts to silently deliver a malicious payload to the victim’s computer.
info-leak	Detects a software vulnerability that an attacker could exploit to steal sensitive or proprietary information. Often, an info-leak might exist because comprehensive checks do not exist to guard the data, and attackers can exploit info-leaks by sending crafted requests.
insecure-credentials	Detects the use of weak, compromised, and manufacturer default passwords for software, network appliances, and IoT devices.
overflow	Detects an overflow vulnerability, where a lack of proper checks on requests could be exploited by an attacker. A successful attack could lead to remote code execution with the privileges of the application, server or operating system.
phishing	Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network.
protocol-anomaly	Detects protocol anomalies, where a protocol behavior deviates from standard and compliant usage. For example, a malformed packet, poorly-written application, or an application running on a non-standard port would all be considered protocol anomalies, and could be used as evasion tools.
sql-injection	Detects a common hacking technique where an attacker inserts SQL queries into an application’s requests, in order to read from or modify a database. This type of technique is often used on websites that do not comprehensively sanitize user input.
Spyware Signatures
spyware	Detect outbound C2 communication. These signatures are either auto-generated or are manually created by Palo Alto Networks researchers. Spyware and autogen signatures both detect outbound C2 communication; however, autogen signatures are payload-based and can uniquely detect C2 communications with C2 hosts that are unknown or change rapidly.
adware	Detects programs that display potentially unwanted advertisements. Some adware modifies browsers to highlight and hyperlink the most frequently searched keywords on web pages-these links redirect users to advertising websites. Adware can also retrieve updates from a command-and-control (C2) server and install those updates in a browser or onto a client system.
autogen	These payload-based signatures detect command-and-control (C2) traffic and are automatically-generated. Importantly, autogen signatures can detect C2 traffic even when the C2 host is unknown or changes rapidly.
backdoor	Detects a program that allows an attacker to gain unauthorized remote access to a system.
botnet	Indicates botnet activity. A botnet is a network of malware-infected computers (“bots”) that an attacker controls. The attacker can centrally command every computer in a botnet to simultaneously carry out a coordinated action (like launching a DoS attack, for example).
browser-hijack	Detects a plugin or software that is modifying browser settings. A browser hijacker might take over auto search or track users’ web activity and send this information to a C2 server.
cryptominer	(Sometimes known as cryptojacking or miners) Detects the download attempt or network traffic generated from malicious programs designed to use computing resources to mine cryptocurrencies without the user's knowledge. Cryptominer binaries are frequently delivered by a shell script downloader that attempts to determine system architecture and kill other miner processes on the system. Some miners execute within other processes, such as a web browser rendering a malicious web page.
data-theft	Detects a system sending information to a known C2 server.
dns	Detects DNS requests to connect to malicious domains.
downloader	(Also known as droppers, stagers, or loaders) Detects programs that use an internet connection to connect to a remote server to download and execute malware on the compromised system. The most common use case is for a downloader to be deployed as the culmination of stage one of a cyber attack, where the downloader’s fetched payload execution is considered second stage. Shell scripts (Bash, PowerShell, etc.), trojans, and malicious lure documents (also known as maldocs) such as PDFs and Word files are common downloader types.
fraud	(Including form-jacking, phishing, and scams) Detects access to compromised websites that have been determined to be injected with malicious JavaScript code to collect sensitive user information. (for example, Name, address, email, credit card number, CVV, expiration date) from payment forms that are captured on the checkout pages of e-commerce websites.
hacktool	Detects traffic generated by software tools that are used by malicious actors to conduct reconnaissance, attack or gain access to vulnerable systems, exfiltrate data, or create a command and control channel to surreptitiously control a computer system without authorization. These programs are strongly associated with malware and cyber attacks. Hacking tools might be deployed in a benign manner when used in Red and Blue Team operations, penetration tests, and R&D. The use or possession of these tools may be illegal in some countries, regardless of intent.
networm	Detects a program that self-replicates and spreads from system to system. Net-worms might use shared resources or leverage security failures to access target systems.
phishing-kit	Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network.
post-exploitation	Detects activity that indicates the post-exploitation phase of an attack, where an attacker attempts to assess the value of a compromised system. This might include evaluating the sensitivity of the data stored on the system, and the system’s usefulness in further compromising the network.
webshell	Detects web shells and web shell traffic, including implant detection and command and control interaction. Web shells must first be implanted by a malicious actor onto the compromised host, most often targeting a web server or framework. Subsequent communication with the web shell file frequently enables a malicious actor to establish a foothold in the system, conduct service and network enumeration, data exfiltration, and remote code execution in the context of the web server user. The most common web shell types are PHP, .NET, and Perl markup scripts. Attackers can also use web shell-infected web servers (the web servers can be both internet-facing or internal systems) to target other internal systems.
keylogger	Detects programs that allow attackers to secretly track user activity, by logging keystrokes and capturing screenshots. Keyloggers use various C2 methods to periodically sends logs and reports to a predefined e-mail address or a C2 server. Through keylogger surveillance, an attacker could retrieve credentials that would enable network access.

Malware and File-based Threat Protection

Antivirus—(enabled by default and preconfigured based on best practices) antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads. Using a stream-based malware prevention engine, which inspects traffic the moment the first packet is received, the Palo Alto Networks antivirus solution can provide protection for clients without significantly impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and JavaScript viruses, including support for scanning inside compressed files and data encoding schemes.

Best Practice Configuration

The following Antivirus best practice configuration is enabled by default on Cloud NGFW for Azure.

Protocol	Action
FTP	Reset both
HTTP	Reset both
HTTP2	Reset both
IMAP	Reset both
POP3	Alert
SMB	Reset both
SMTP	Reset both

File Blocking—(enabled by default and preconfigured based on best practices) file blocking profiles allows you to identify specific file types that you want to block or monitor. The firewall uses file blocking profiles to block specific file types over specified applications and in the specified session flow direction (inbound/outbound/both). You can set the profile to alert or block on upload and/or download and you can specify which applications will be subject to the file blocking profile.
- Alert—when the specified file type is detected, a log is generated in the data filtering log.
- Block—when the specified file type is detected, the file is blocked. A log is also generated in the data filtering log.

Best Practice Configuration

The following File Blocking best practice configuration is enabled by default on Cloud NGFW for Azure.

File Types	Application	Direction	Action
All risky file types: 7z bat cab chm class cpl dll exe flash hip hta msi Multi-Level-Encoding ocx PE pif rar scr tar torrent vbe wsf encrypted-rar encrypted-zip	Any	Both (upload and download)	Block
All remaining file types	Any	Both (upload and download)	Alert

Antivirus Signatures

The following table lists all possible signatures for Antivirus category. These signatures are continuously updated on your NGFWs.

Threat Category	Description
Antivirus Signatures
apk	Malicious Android Application (APK) files.
MacOSX	Malicious MacOSX files, including: Apple disk image (DMG) files. Mach object files (Mach-O) are executables, libraries, and object code. Apple software installer packages (PKGs)
flash	Adobe Flash applets and Flash content embedded in web pages.
jar	Java applets (JAR/class file types).
ms-office	Microsoft Office files, including documents (DOC, DOCX, RTF), workbooks (XLS, XLSX), and PowerPoint presentations (PPT, PPTX). This also includes Office Open XML (OOXML) 2007+ documents.
pdf	Portable Document Format (PDF) files.
pe	Portable executable (PE) files can automatically execute on a Microsoft Windows system and should be only allowed when authorized. These files types include: Object code. Fonts (FONs). System files (SYS). Driver files (DRV). Windows control panel items (CPLs). DLLs (dynamic-link libraries). OCXs (libraries for OLE custom controls, or ActiveX controls). Windows screensaver files (SCRs). Extensible Firmware Interface (EFI) files, which run between an OS and firmware in order to facilitate device updates and boot operations. Program information files (PIFs).
linux	Executable and Linkable Format (ELF) files.
archive	Roshal Archive (RAR) and 7-Zip (7z) archive files.

Web-based Threat Protection

URL Categories and Filtering—(enabled by default and preconfigured based on best practices) URL Filtering profiles enable you to monitor and control how users access the web over HTTP and HTTPS. The firewall comes with a default profile that is configured to block websites such as known malware sites, phishing sites, and adult content sites. URL filtering Profile is not enabled by default. When you enable URL Filtering profile in your rulestack, Cloud NGFW enforces the best-practices URL Filtering profile on your traffic. You have an option to modify the default access option on each of the categories, based on your needs.

Best Practices Configuration

By default, URL Filtering is enabled and uses security policy based on best practices.

URL Categories	Site Access	Credential Submissions
Malicious and exploitative categories: adult command-and-control copyright-infringement dynamic-dns extremism malware parked phishing proxy-avoidance-and-anonymizers unknown	Block	Block
All other URL categories	Alert	Alert

Predefined URL Categories for Cloud NGFW for Azure

The following table describes the pre-defined URL categories available on Cloud NGFW on Azure. You can use these categories in security rules to block or allows access to websites that fall into them.

URL Category	Description
Risk Categories
High Risk	Sites that were previously confirmed to be malicious but have displayed benign activity for at least 30 days. Sites hosted on bulletproof ISPs or using an IP from an ASN that has known malicious content. Sites sharing a domain with a known malicious site. All sites in the “Unknown” category will be high risk.
Medium Risk	Sites confirmed to be malicious but have displayed benign activity for at least 60 days. All sites in the “Online Storage and Backup” category will be a medium risk by default.
Low Risk	Any site that is not High Risk or Medium Risk. This includes sites that were previously confirmed as malicious but have displayed benign activity for at least 90 days.
Threat Categories
Command and Control	Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
Malware	Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
Threat Adjacent Categories
Dynamic DNS	Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
Grayware	Web content that does not pose a direct security threat but that display other obtrusive behavior and tempt the end user to grant remote access or perform other unauthorized actions. Grayware includes illegal activities, criminal activities, rogueware, adware, and other unwanted or unsolicited applications, such as embedded crypto miners, clickjacking or hijackers that change the elements of the browser. Typosquatting domains that do not exhibit maliciousness and are not owned by the targeted domain will be categorized as grayware.
Hacking	Sites relating to the illegal or questionable access to or the use of communications equipment/software. Development and distribution of programs, how-to-advice and/or tips that may result in the compromise of networks and systems. Also includes sites that facilitate the bypass of licensing and digital rights systems.
Phishing	Web content that covertly attempts to fool the user in order to harvest information, including login credentials, credit card information – voluntarily or involuntarily, account numbers, PINs, and any information considered to be personally identifiable information (PII) from victims via social engineering techniques. Technical support scams and scareware is also included as phishing.
Suspicious
Insufficient Content	Websites and services that present test pages, no content, provide API access not intended for end-user display or require authentication without displaying any other content suggesting a different categorization. Should not include websites providing remote access, such as web based VPN solutions, web based email services or identified credential phishing pages.
Newly Register Domain	Newly registered domains are often generated purposely or by domain generation algorithms and used for malicious activity.
Parked	Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identify information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.
Proxy Avoidance and Anonymizers	URLs and services often used to bypass content filtering products.
Unknown	Sites that have not yet been identified by Palo Alto Networks. If availability is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts.
Legal/Policy
Abortion	Sites that pertain to information or groups in favor of or against abortion, details regarding abortion procedures, help or support forums for or against abortion, or sites that provide information regarding the consequences/effects of pursuing (or not) an abortion.
Abused Drugs	Sites that promote the abuse of both legal and illegal drugs, use and sale of drug related paraphernalia, manufacturing and/or selling of drugs.
Adult	Sexually explicit material, media (including language), art, and/or products, online groups or forums that are sexually explicit in nature. Sites that promote adult services such as video/telephone conferencing, escort services, strip clubs, etc. Anything containing adult content (even if it's games or comics) will be categorized as adult.
Alcohol and Tobacco	Sites that pertain to the sale, manufacturing, or use of alcohol and/or tobacco products and related paraphernalia. Includes sites related to electronic cigarettes.
Auctions	Sites that promote the sale of goods between individuals.
Business and Economy	Marketing, management, economics, and sites relating to entrepreneurship or running a business. Includes advertising and marketing firms. Should not include corporate websites as they should be categorized with their technology. Also shipping sites, such as fedex.com and ups.com.
Computer and Internet Info	General information regarding computers and the internet. Should include sites about computer science, engineering, hardware, software, security, programming, etc. Programming may have some overlap with reference, but the main category should remain computer and internet info.
Content Delivery Networks	Sites whose primary focus is delivering content to 3rd parties such as advertisements, media, files, etc.Also includes image servers.
Copyright Infringement	Domains with illegal content, such as content that allows illegal download of software or other intellectual property, which poses a potential liability risk. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
Cryptocurrency	Websites that promote cryptocurrencies, crypto mining websites (but not embedded crypto miners), cryptocurrency exchanges and vendors, and websites that manage cryptocurrency wallets and ledgers. This category does not include traditional financial services websites that reference cryptocurrencies, websites that explain and describe how cryptocurrencies and blockchains work, or websites that contain embedded cryptocurrency miners (grayware).
Dating	Websites offering online dating services, advice, and other personal ads.
Educational Institutions	Official websites for schools, colleges, universities, school districts, online classes, and other academic institutions. These refer to larger, established educational institutions such as elementary schools, high schools, universities, etc. Tutoring academies can go here as well.
Entertainment and Arts	Sites for movies, television, radio, videos, programming guides/tools, comics, performing arts, museums, art galleries, or libraries. Includes sites for entertainment, celebrity and industry news.
Extremism	Websites promoting terrorism, racism, fascism, or other extremist views discriminating against people or groups of different ethnic backgrounds, religions or other beliefs. This category was introduced to enable adherence to child protection laws required in the education industry. In some regions, laws and regulations may prohibit allowing access to extremist sites, and allowing access may pose a liability risk.
Financial Services	Websites pertaining to personal financial information or advice, such as online banking, loans, mortgages, debt management, credit card companies, and insurance companies. Does not include sites relating to stock markets, brokerages or trading services. Includes sites for foreign currency exchange. Includes sites for foreign currency exchange.
Gambling	Lottery or gambling websites that facilitate the exchange of real and/or virtual money. Related websites that provide information, tutorials or advice regarding gambling, including betting odds and pools. Corporate websites for hotels and casinos that do not enable gambling are categorized under Travel.
Games	Sites that provide online play or download of video and/or computer games, game reviews, tips, or cheats, as well as instructional sites for non-electronic games, sale/trade of board games, or related publications/media. Includes sites that support or host online sweepstakes and/or giveaways.
Government	Official websites for local, state, and national governments, as well as related agencies, services, or laws.
Health and Medicine	Sites containing information regarding general health information, issues, and traditional and non-traditional tips, remedies, and treatments. Also includes sites for various medical specialties, practices and facilities (such as gyms and fitness clubs) as well as professionals. Sites relating to medical insurance and cosmetic surgery are also included.
Home and Garden	Information, products, and services regarding home repair and maintenance, architecture, design, construction, decor, and gardening.
Hunting and Fishing	Hunting and fishing tips, instructions, sale of related equipment and paraphernalia.
Internet Communications and Telephony	Sites that support or provide services for video chatting, instant messaging, or telephony capabilities.
Internet Portals	Sites that serve as a starting point for users, usually by aggregating a broad set of content and topics.
Job Search	Sites that provide job listings and employer reviews, interview advice and tips, or related services for both employers and prospective candidates.
Legal	Information, analysis or advice regarding the law, legal services, legal firms, or other legal related issues
Military	Information or commentary regarding military branches, recruitment, current or past operations, or any related paraphernalia.
Motor Vehicles	Information relating to reviews, sales and trading, modifications, parts, and other related discussions for automobiles, motorcycles, boats, trucks and RVs.
Music	Music sales, distribution, or information. Includes websites for music artists, groups, labels, events, lyrics, and other information regarding the music business. Does not include streaming music.
News	Online publications, newswire services, and other websites that aggregate current events, weather, or other contemporary issues. Includes newspapers, radio stations, magazines, and podcasts.
Not-Resolved	Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL, if no match is found, it will then check the management plane cache, and if no match is found there, it queries the URL database in the cloud. When deciding on what action to take for traffic that is categorized as not-resolved, be aware that setting the action to block may be very disruptive to users.
Nudity	Sites that contain nude or semi-nude depictions of the human body, regardless of context or intent, such as artwork. Includes nudist or naturist sites containing images of participants.
Online Storage and Backup	Websites that provide online storage of files for free and as a service.
Peer-to-Peer	Sites that provide access to or clients for peer-to-peer sharing of torrents, download programs, media files, or other software applications. This is primarily for those sites that provide bittorrent download capabilities. Does not include shareware or freeware sites.
Personal Sites and Blogs	Personal websites and blogs by individuals or groups. Should try to first categorize based on content. For example, if someone has a blog just about cars, then the site should be categorized under "motor vehicles". However, if the site is a pure blog, then it should remain under "personal sites and blogs".
Philosophy and Political Advocacy	Sites containing information, viewpoints or campaigns regarding philosophical or political views.
Private IP Addresses	This category includes IP addresses defined in RFC 1918, 'Address Allocation for Private Intranets? It also includes domains not registered with the public DNS system (.local and .onion).
Questionable	Websites containing tasteless humor, offensive content targeting specific demographics of individuals or groups of people.
Real Estate	Information on property rentals, sales and related tips or information. Includes sites for real estate agents, firms, rental services, listings (and aggregates), and property improvement.
Recreation and Hobbies	Information, forums, associations, groups, and publications on recreations and hobbies.
Reference and Research	Personal, professional, or academic reference portals, materials, or services. Includes online dictionaries, maps, almanacs, census information, libraries, genealogy and scientific information.
Religion	Information regarding various religions, related activities or events. Includes websites for religious organizations, officials and places of worship. Includes sites for fortune telling.
Search Engines	Sites that provide a search interface using keywords, phrases, or other parameters that may return information, websites, images or files as results.
Sex Education	Information on reproduction, sexual development, safe sex practices, sexually transmitted diseases, birth control, tips for better sex, as well as any related products or related paraphernalia. Includes websites for related groups, forums or organizations.
Shareware and Freeware	Sites that provide access to software, screensavers, icons, wallpapers, utilities, ringtones, themes or widgets for free and/or donations. Also includes open source projects.
Shopping	Sites that facilitate the purchase of goods and services. Includes online merchants, websites for department stores, retail stores, catalogs, as well as sites that aggregate and monitor prices. Sites listed here should be online merchants that sell a variety of items (or whose main purpose is online sales). A webpage for a cosmetics company that also happens to allow online purchasing should be categorized with cosmetics and not shopping.
Social Networking	User communities and sites where users interact with each other, post messages, pictures, or otherwise communicate with groups of people. Does not include blogs or personal sites.
Society	Topics relating to the general population, issues that impact a large variety of people, such as fashion, beauty, philanthropic groups, societies, or children. Also includes restaurant websites.Includes websites designed for children as well as restaurants.
Sports	Information about sporting events, athletes, coaches, officials, teams or organizations, sports scores, schedules and related news, and any related paraphernalia. Includes websites regarding fantasy sports and other virtual sports leagues.
Stock Advice and Tools	Information regarding the stock market, trading of stocks or options, portfolio management, investment strategies, quotes, or related news.
Streaming Media	Sites that stream audio or video content for free and/or purchase. Includes online radio stations and other streaming music services.
Swimsuits and Intimate Apparel	Sites that include information or images concerning swimsuits, intimate apparel or other suggestive clothing
Training and Tools	Sites that provide online education and training and related materials. Can include driving/traffic schools, workplace training, etc.
Translation	Sites that provide translation services, including both user input and URL translations. These sites can also allow users to circumvent filtering as the target page's content is presented within the context of the translator's URL.
Travel	Information regarding travel tips, deals, pricing information, destination information, tourism, and related services. Includes websites for hotels, local attractions, casinos, airlines, cruise lines, travel agencies, vehicle rentals and sites that provide booking tools such as price monitors.Includes websites for local points of interest/tourist attractions such as the Eiffel Tower, the Grand Canyon, etc.
Weapons	Sales, reviews, descriptions of or instructions regarding weapons and their use.
Web Advertisements	Advertisements, media, content, and banners.
Web Hosting	Free or paid for hosting services for web pages, including information regarding web development, publication, promotion, and other methods to increase traffic.
Web-based Email	Any website that provides access to an email inbox and the ability to send and receive emails.

Create Security Rules on Cloud NGFW for Azure

Enable DNS Security on Cloud NGFW for Azure