Advanced URL Filtering
URL Filtering Use Cases
Discover ways you can use URL filtering to reduce your attack surface and ensure safe
web access.
There are many ways to enforce web page access beyond simply blocking and allowing
certain sites. For example, you can use multiple categories per URL to allow users to
access a site but block particular functions like submitting corporate credentials or
downloading files. You can also use URL categories to enforce different types of policy, such as Authentication,
Decryption, QoS, and Security.
Read on to learn about the different ways you can deploy URL filtering.
Control Web Access Based on URL Category
You can create a URL Filtering profile
that specifies an action for a URL category and attach the profile to a Security
policy rule. The firewall enforces policy against traffic based on the settings in
the profile. For example, to block all gaming websites, configure the block
action for the games category in a URL Filtering profile. Then
attach the profile to the Security policy rules that allow web access.
Multi-Category URL Filtering
Every URL can have up to four categories, including a risk category that indicates how likely a
site is to expose you to threats. More granular URL categorization lets you move
beyond a basic “block-or-allow” approach to web access. For example, you can control
how users interact with content that is necessary for business but also more likely
to be used in a cyberattack.
You might consider certain URL categories risky but hesitate to block them outright because they
provide valuable resources (such as cloud storage services or blogs). Multi-category
URL filtering lets you allow users to visit sites that fall into these categories
while decrypting, inspecting, and enforcing read-only access to site content.
Additionally, you can define a custom URL category by selecting
the Category Match type and specifying two or more PAN-DB
categories. Creating a custom category from multiple categories allows you to target
enforcement for a website or page that matches all of the categories specified in
the custom URL category object.
Block or Allow Corporate Credential Submissions Based on URL Category
Prevent credential phishing by
enabling the firewall to detect corporate credential submissions to sites, and then
control those submissions based on URL category. Block users from submitting
credentials to malicious and untrusted sites, warn users against entering corporate
credentials on unknown sites or reusing corporate credentials on non-corporate
sites, and explicitly allow users to submit credentials to corporate and sanctioned
sites.
Enforce Safe Search Settings
Many search engines have a safe
search setting that filters out adult images and videos from search results. You can
enable the firewall to block search results or transparently enable safe search for
end users that are not using the strictest safe search settings. The firewall
supports safe search enforcement for the following search providers: Google, Yahoo,
Bing, Yandex, and YouTube. See how to get started with Safe Search Enforcement.
Enforce Password Access to Certain Sites
You can block access to a
site for most users while allowing certain users to access the site. See how to
allow password access to certain
sites.
Block High-Risk File Downloads from Certain URL Categories
You can block high-risk file downloads from specific URL categories by creating a Security policy
rule and attaching a File Blocking profile.
Enforce Security, Decryption, Authentication, and QoS Policy Rules Based on URL Category
You can enforce different types of policy rules based on URL categories. For example, suppose you
have enabled decryption, but want to exclude certain
personal information from being decrypted. In this case, you could create a
decryption policy rule that excludes websites that match the URL categories
financial-services and health-and-medicine from
decryption. Another example would be to use the URL category
streaming-media in a QoS policy rule to apply bandwidth controls to
websites in this category.
The following table describes the
policies that accept URL categories as match criteria:
Policy Type | Description |
---|---|
Decryption | You can also use URL categories to phase in decryption, and to exclude URL categories that might contain sensitive or personal information from decryption (like financial-services and health-and-medicine). Plan to decrypt the riskiest traffic first (URL categories most likely to harbor malicious traffic, such as high-risk) and then decrypt more as you gain experience. Alternatively, decrypt the URL categories that don’t affect your business first (if something goes wrong, it won’t affect business), for example, news feeds. In both cases, decrypt a few URL categories, listen to user feedback, run reports to ensure that decryption is working as expected, and then gradually decrypt a few more URL categories, and so on. Plan to make decryption exclusions for sites you can't decrypt either for technical reasons or because you choose not to decrypt them. Decrypting traffic based on URL categories is a best practice for both URL Filtering and Decryption. |
Authentication | To ensure that users authenticate before being allowed access to a specific category, you can attach a URL category as a match criterion for Authentication policy rules. |
QoS | Use URL categories to allocate throughput levels for specific website categories. For example, you may want to allow the streaming-media category, but limit throughput by adding the URL category to a QoS policy rule. |
Security | You can use a URL category as match criteria or create a URL Filtering profile that specifies an action for each category and attach it to a Security policy rule. |
Using URL Categories as Match Criteria vs. Applying URL Filtering Profile to a Security Policy Rule
In a URL Filtering profile, the actions specified for each
URL category only apply to traffic destined for the
categories specified in the Security policy rule. You can
also apply a particular profile to multiple rules. If, for example, the IT-security group in your company needs
access to the hacking category, but all other users
are denied access to the category, you must create the following
rules:
List the policy rule that allows access to hacking
before the policy rule that blocks hacking. This is
because the firewall evaluates Security policy rules from the
top down, so when a user who is part of the security group
attempts to access a hacking site, the firewall
evaluates the policy rule that allows access first and grants
the user access. The firewall evaluates users from all other
groups against the general web access rule that blocks access to
hacking sites.
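The rule ordering described above, as an added example that is not Palo Alto Networks code or configuration: a simplified Python model of top-down, first-match evaluation with user group and URL category as match criteria, plus a check that reports rules shadowed by an earlier rule. The rule names, the `sales` group, the split into a separate block rule and general web access rule, and the implicit default are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset      # source user groups; empty set means "any"
    categories: frozenset  # URL categories used as match criteria; empty means "any"
    action: str            # "allow" or "deny"

    def matches(self, group, url_categories):
        group_ok = not self.groups or group in self.groups
        cat_ok = not self.categories or bool(self.categories & url_categories)
        return group_ok and cat_ok

def evaluate(rulebase, group, url_categories):
    """Top-down, first match wins: return (rule name, action)."""
    for rule in rulebase:
        if rule.matches(group, url_categories):
            return rule.name, rule.action
    return "implicit-default", "deny"  # assumption of this model

def shadowed(rulebase):
    """Rules that can never fire because an earlier rule matches all their traffic."""
    hits = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            groups_covered = not earlier.groups or (
                bool(later.groups) and later.groups <= earlier.groups)
            cats_covered = not earlier.categories or (
                bool(later.categories) and later.categories <= earlier.categories)
            if groups_covered and cats_covered:
                hits.append((later.name, earlier.name))
                break
    return hits

# Constructed rules for the scenario in the text (names are hypothetical).
ALLOW_ITSEC = Rule("allow-hacking-it-security", frozenset({"it-security"}),
                   frozenset({"hacking"}), "allow")
BLOCK_HACKING = Rule("block-hacking", frozenset(), frozenset({"hacking"}), "deny")
WEB_ACCESS = Rule("general-web-access", frozenset(), frozenset(), "allow")

CORRECT = [ALLOW_ITSEC, BLOCK_HACKING, WEB_ACCESS]
REVERSED = [BLOCK_HACKING, ALLOW_ITSEC, WEB_ACCESS]

if __name__ == "__main__":
    for label, rb in (("correct", CORRECT), ("reversed", REVERSED)):
        print(label, evaluate(rb, "it-security", {"hacking"}), "shadowed:", shadowed(rb))
```

With the rules reversed, the IT-security allow rule is reported as shadowed by the block rule, which is the misordering the text warns against.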