Create a Custom URL Category
End-of-Life (EoL)


Use custom URL categories to define custom URL lists for exceptions to URL category enforcement or to specify multiple categories websites must match.
You can create a custom URL filtering object to specify exceptions to URL category enforcement and to create a custom URL category based on multiple URL categories:
  • Define exceptions to URL category enforcement—Create a custom list of URLs that you want to use as match criteria in a Security policy rule. This is a good way to specify exceptions to URL categories, where you’d like to enforce specific URLs differently than the URL category to which they belong. For example, you might block the social-networking category but want to allow access to LinkedIn.
  • Define a custom URL category based on multiple PAN-DB categories—This allows you to target enforcement for websites that match a set of categories. The website or page must match all the categories defined as part of the custom category.
    For example, PAN-DB might classify a developer blog that your engineers use for research as personal-sites-and-blogs, computer-and-internet-info, and high-risk. To allow the engineers to access the blog and similar websites and gain visibility into these websites, you can create a custom URL category based on the three categories and set site access for the category to alert in a URL Filtering profile.
Follow these steps to create a custom URL category and define how you’d like the firewall to enforce the custom URL category:
  1. Select Objects > Custom Objects > URL Category.
  2. Add or modify a custom URL Category and give the category a descriptive Name.
  3. Set the category Type to either Category Match or URL List:
    • URL List—Add URLs that you want to enforce differently than the URL category to which they belong. Use this list type to define exceptions for URL Category enforcement or to define a list of URLs as belonging to a custom category. Consult URL Category Exceptions for guidelines on creating URL list entries.
      Consider the potential matches an entry might have before adding it to a URL category exception list. Entries that do not end in a trailing slash (/) or asterisk (*) may match more URLs than expected, resulting in less precise policy enforcement. For example, if you add example.com to a list of allowed websites, the firewall assumes an implicit asterisk and interprets that entry as example.com.*. As a result, the firewall allows access to sites such as example.com.test.info. You can construct domain entries with a trailing slash (example.com/) to prevent the firewall from assuming an implicit asterisk to the right of the domain. (See the step to Append a Trailing Slash for an overview of the trailing slash.)
    • Category Match—Provide targeted enforcement for websites that match a set of categories. The website or page must match all the categories defined as part of the custom category.
  4. Select OK to save the custom URL category.
  5. Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
    Your new custom category displays under Custom URL Categories.
  6. Decide how you want to enforce Site Access and User Credential Submissions for the custom URL category. (To control the sites to which users can submit their corporate credentials, see Prevent Credential Phishing.)
  7. Attach the URL Filtering profile to a Security policy rule to enforce traffic that matches that rule.
    Select Policies > Security > Actions and specify for the Security policy rule to enforce traffic based on the URL Filtering profile you just updated. Make sure to Commit your changes.
    You can also use custom URL categories as Security policy match criteria. In this case, you do not need to define how the category should be enforced as part of a URL Filtering profile. After creating a custom category, go to the Security policy rule to which you want to add the custom URL category (Policies > Security). Then, select Service/URL Category to use the custom URL category as match criteria for the rule.
  8. (Recommended) Enable the firewall to append a trailing slash (/) to custom URL categories (URL List) and external dynamic lists (URL List) entries.
    After you enable this feature, the firewall appends a trailing slash to domain entries (example.com) that do not end in a trailing slash or asterisk (*). The trailing slash in non-wildcard domain entries limits matches to the given domain and its subdirectories. For example, example.com (example.com/ after processing) matches itself and example.com/search.
    The trailing slash in wildcard domain entries (entries using asterisks or carets) limits matches to URLs that conform to the specified pattern. For example, to match the entry *.example.com, a URL must strictly begin with one or more subdomains and end with the root domain, example.com; news.example.com is a match, but example.com is not because it lacks a subdomain.
    Use the following CLI commands to enable this feature:
      admin@PA-850> debug device-server append-end-token on
      admin@PA-850> configure
      admin@PA-850# commit
    To disable this feature:
      admin@PA-850> debug device-server append-end-token off
      admin@PA-850> configure
      admin@PA-850# commit
    We recommend manually adding trailing slashes to clarify the intended matching behavior of an entry for anyone who inspects your URL list. The trailing slash is invisible if added by the firewall. URL Category Exceptions (PAN-OS 10.2) discusses the trailing slash and matching behavior when this feature is enabled.
    You have to enable this feature on each firewall running PAN-OS® 10.1 or earlier. Panorama™ management servers running PAN-OS 10.2 cannot enable this feature for firewalls running PAN-OS 10.1 or earlier.
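
The implicit-asterisk behavior from step 3 and the trailing-slash behavior from step 8 can be checked against a URL list before it is committed. The following is an added example, not Palo Alto Networks code: it is a simplified model of the matching described on this page, not the firewall's matcher, and the function names and the sample list are assumptions made for illustration.

```python
import re

# Constructed sample list; the first three entries mirror the examples in the text.
URL_LIST = ["example.com", "example.com/", "*.example.com", "login.example.net/*"]

def needs_end_token(entry):
    """True if the entry ends in neither '/' nor '*', so an implicit asterisk applies."""
    return not entry.endswith(("/", "*"))

def entry_regex(entry, append_end_token=False):
    """Translate one domain entry into a regex (simplified model, not PAN-OS's matcher)."""
    if append_end_token and needs_end_token(entry):
        entry += "/"                      # what the append-end-token feature does
    closed = entry.endswith("/")
    host = entry.rstrip("/")
    # Assumption: '*' is modelled as "one or more characters".
    pattern = ".+".join(re.escape(part) for part in host.split("*"))
    if closed:
        pattern += r"(/.*)?"              # the domain itself and its subdirectories
    elif not host.endswith("*"):
        pattern += r"([./].*)?"           # implicit asterisk to the right of the entry
    return re.compile(pattern)

def matches(entry, url, append_end_token=False):
    """Check a URL (scheme optional) against one entry under the model above."""
    target = re.sub(r"^[a-z]+://", "", url)
    return entry_regex(entry, append_end_token).fullmatch(target) is not None

def audit(entries):
    """Return (entry, explicit_form) for every entry that relies on the implicit asterisk."""
    return [(e, e + "/") for e in entries if needs_end_token(e)]

if __name__ == "__main__":
    for entry, fixed in audit(URL_LIST):
        print(f"{entry!r} has no end token; write {fixed!r} to make the intent explicit")
    # Lookalike host from the text: allowed by 'example.com', not by 'example.com/'.
    for entry in ("example.com", "example.com/"):
        print(entry, "->", matches(entry, "example.com.test.info"))
```

Running the audit over an exported list before import shows which entries depend on the firewall-side setting and which state their matching behavior explicitly.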
