We strongly recommend that you block the URL categories
that identify malicious or exploitive content. To get started, you
can clone the default URL Filtering profile which blocks malware,
phishing, and command-and-control URL categories by default. The
default URL Filtering profile also blocks the abused-drugs, adult,
gambling, hacking, questionable, and weapons URL categories. Whether
to block these URL categories depends on your business requirements.
For example, a university probably won’t want to restrict student
access to most of these sites because availability is important,
but a business that values security first may block some or all
of them.
command-and-control—Command-and-control
URLs and domains used by malware and/or compromised systems to surreptitiously
communicate with an attacker's remote server to receive malicious
commands or exfiltrate data.
malware—Sites known to host malware or used for command-and-control (C2)
traffic; these sites may also host exploit kits.
phishing—Sites known to host credential phishing pages or pages that
phish for personal identification. This includes web content that covertly
attempts to fool users into handing over information, voluntarily or
involuntarily, through social engineering: login credentials, credit card
information, account numbers, PINs, and any information considered to be
personally identifiable information (PII). Technical support scams and
scareware are also categorized as phishing.
grayware—Websites and services that do not meet the definition of a
virus or pose a direct security threat, but that display obtrusive behavior
and influence users to grant remote access or perform other unauthorized
actions. Grayware includes scams, illegal and criminal activities,
get-rich-quick sites, adware, and other unwanted or unsolicited applications,
such as embedded crypto miners or hijackers that change elements of the
browser. Typosquatting domains that do not exhibit maliciousness and are not
owned by the targeted domain are categorized as grayware.
Prior to Content release version 8206, the firewall placed grayware
in either the malware or questionable URL category. If you are unsure
whether to block grayware, start by alerting on it, investigate the alerts,
and then decide whether to block grayware or continue to alert on it.
dynamic-dns—Hosts and domain names
for systems with dynamically assigned IP addresses and which are
oftentimes used to deliver malware payloads or C2 traffic. Also,
dynamic DNS domains do not go through the same vetting process as
domains that are registered by a reputable domain registration company,
and are therefore less trustworthy.
unknown—Sites that have not yet been
identified by PAN-DB. If availability is critical to your business
and you must allow the traffic, alert on unknown sites, apply the
best practice Security profiles to the traffic, and investigate
the alerts.
PAN-DB Real-Time Updates learns unknown
sites after the first attempt to access an unknown site, so unknown
URLs are identified quickly and become known URLs that the firewall
can then handle based on the actual URL category.
newly-registered-domain—Newly registered
domains are often generated purposely or by domain generation algorithms
and used for malicious activity.
copyright-infringement—Domains with
illegal content, such as content that allows illegal download of
software or other intellectual property, which poses a potential
liability risk. This category was introduced to enable adherence
to child protection laws required in the education industry as well
as laws in countries that require internet providers to prevent users
from sharing copyrighted material through their service.
extremism—Websites promoting terrorism,
racism, fascism, or other extremist views discriminating against
people or groups of different ethnic backgrounds, religions or other
beliefs. This category was introduced to enable adherence to child
protection laws required in the education industry. In some regions,
laws and regulations may prohibit allowing access to extremist sites,
and allowing access may pose a liability risk.
proxy-avoidance-and-anonymizers—URLs
and services often used to bypass content filtering products.
questionable—Websites containing tasteless humor or offensive content
targeting specific demographics or groups of people.
parked—Domains registered by individuals, oftentimes later found to be
used for credential phishing. These domains may be similar to legitimate
domains, for example, pal0alto0netw0rks.com, with the intent of phishing for
credentials or personally identifiable information. Or, they may be domains
that an individual purchases rights to in hopes that they may be valuable
someday, such as panw.net.
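The recommendations above, as an added example that is not Palo Alto Networks code: a Python audit that reads one url-filtering profile entry exported from a PAN-OS configuration and reports categories that are not blocked (malware, phishing, command-and-control), categories that are allowed rather than blocked or alerted on (grayware, dynamic-dns, unknown, and the other categories listed above), and categories that are absent from the profile altogether, which for grayware points at a content release older than 8206. The XML layout (an entry element holding block, alert, allow, continue and override elements of member children) and the sample profile are assumptions constructed for this example; check them against your own configuration export before relying on the script.

```python
# Added example, not Palo Alto Networks code: audit a PAN-OS URL Filtering
# profile entry against the blocking recommendations on this page.
import xml.etree.ElementTree as ET

# Categories that identify malicious content: these must be set to block.
MUST_BLOCK = {"malware", "phishing", "command-and-control"}

# Categories that are frequently abused or carry liability: block them or,
# at minimum, alert on them and investigate the alerts.
SHOULD_NOT_ALLOW = {
    "grayware", "dynamic-dns", "unknown", "newly-registered-domain",
    "copyright-infringement", "extremism", "proxy-avoidance-and-anonymizers",
    "questionable", "parked",
}

# Action elements assumed to appear under a url-filtering <entry> (assumption
# about the export layout; verify against your own PAN-OS configuration).
ACTIONS = ("block", "alert", "allow", "continue", "override")

# Constructed sample: a cloned default profile with grayware and unknown
# set to alert, dynamic-dns allowed, and parked not configured at all.
SAMPLE_PROFILE = """
<entry name="best-practice-url">
  <block>
    <member>malware</member>
    <member>phishing</member>
    <member>command-and-control</member>
    <member>abused-drugs</member>
    <member>hacking</member>
  </block>
  <alert>
    <member>grayware</member>
    <member>unknown</member>
    <member>newly-registered-domain</member>
    <member>copyright-infringement</member>
    <member>extremism</member>
    <member>proxy-avoidance-and-anonymizers</member>
    <member>questionable</member>
  </alert>
  <allow>
    <member>dynamic-dns</member>
  </allow>
</entry>
"""


def category_actions(profile_xml: str) -> dict:
    """Map each URL category named in the entry to its configured action."""
    root = ET.fromstring(profile_xml)
    actions = {}
    for action in ACTIONS:
        node = root.find(action)
        if node is None:
            continue
        for member in node.findall("member"):
            category = (member.text or "").strip()
            if category:
                actions[category] = action
    return actions


def audit_profile(profile_xml: str) -> list:
    """Return (severity, category, message) findings for one profile entry."""
    actions = category_actions(profile_xml)
    findings = []
    for category in sorted(MUST_BLOCK):
        action = actions.get(category)
        if action != "block":
            findings.append(("high", category,
                             f"expected block, found {action or 'not configured'}"))
    for category in sorted(SHOULD_NOT_ALLOW):
        action = actions.get(category)
        if action is None:
            # Not listed under any action: the firewall applies its default
            # handling. For grayware this usually means the content release
            # predates 8206, when grayware became its own category.
            findings.append(("medium", category,
                             "not configured; verify the effective default action"))
        elif action in ("allow", "continue", "override"):
            findings.append(("medium", category,
                             f"set to {action}; block, or at least alert and investigate"))
    return findings


if __name__ == "__main__":
    for severity, category, message in audit_profile(SAMPLE_PROFILE):
        print(f"[{severity}] {category}: {message}")
```

Run against an export of your own profile by loading the entry element from the configuration XML; every category listed under MUST_BLOCK that reports anything other than block is a gap the page says to close first, and a medium finding on grayware or unknown is the point at which the alert-then-investigate approach described above applies.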
For categories that you decide to alert on, instead of block,
you can very strictly control how users interact with site content.
For example, give users access to the resources they need (like developer
blogs for research purposes or cloud storage services), but take
the following precautions to reduce exposure to web-based threats: