Advanced URL Filtering
PAN-OS & Panorama
Table of Contents
PAN-OS & Panorama
- Select .
- Addor modify a custom URL category, and give the category a descriptiveName.
- Set the categoryTypeto eitherCategory MatchorURL List:
- URL List—Add URLs that you want to enforce differently than the URL category to which they belong. Use this list type to define exceptions to URL category enforcement or to define a list of URLs as belonging to a custom category. Consult URL Category Exceptions for guidelines on creating URL list entries.By default, the firewall automatically appends a trailing slash (/) to domain entries (example.com) that do not end in a trailing slash or asterisk (*). The trailing slash prevents the firewall from assuming an implicit asterisk to the right of the domain. In non-wildcard domain entries, the trailing slash limits matches to the given domain and its subdirectories. For example,example.com(example.com/after processing) matches itself andexample.com/search.In wildcard domain entries (entries using asterisks or carets), the trailing slash limits matches to URLs that conform to the specified pattern. For example, to match the entry*.example.com, a URL must strictlybeginwith one or more subdomains and end with the root domain,example.com;news.example.comis a match, butexample.comis not because it lacks a subdomain.We recommend manually adding trailing slashes to clarify the intended matching behavior of an entry for anyone who inspects your URL list. The trailing slash is invisible if added by the firewall. URL Category Exceptions discusses the trailing slash and matching behavior in further detail.To disable this feature, go to . Then, deselectAppend Ending Token. If you disable this feature, you may block or allow access to more URLs than intended. URL Category Exceptions (PAN-OS 10.1 and earlier) describes the firewall’s behavior when this feature is disabled.
- Category Match—Provide targeted enforcement for websites that match a set of categories. The website or page must match all the categories defined in the custom category.
- ClickOKto save the custom URL category.
- Select andAddor modify a URL Filtering profile.Your new custom category displays underCustom URL Categories:
- Decide how you want to enforceSite AccessandUser Credential Submissionsfor the custom URL category. (To control the sites to which users can submit their corporate credentials, see Prevent Credential Phishing.)
- Attach the URL Filtering profile to a Security policy rule to enforce traffic that matches that rule.Select and specify the Security policy rule to enforce traffic based on the URL Filtering profile you just updated. Make sure toCommityour changes.You can also use custom URL categories as Security policy rule match criteria. In this case, you do not define site access for the URL category in a URL Filtering profile. After creating a custom category, go to the Security policy rule to which you want to add the custom URL category (). Then, selectService/URL Categoryto use the custom URL category as match criteria for the rule.