Review the criteria for each security-focused URL category
to learn why a site has been classified as high-risk, medium-risk,
or low-risk.
Security-focused URL categories can help you to reduce
your attack surface by providing targeted decryption and enforcement
for sites that pose varying levels of risk, but are not confirmed
malicious. Websites are classified with a security-related category
only so long as they meet the criteria for that category; as site
content changes, policy enforcement dynamically adapts. You cannot
submit a change request for security-focused URL Categories.
Security-Focused URL Categories
High-Risk
High-risk sites include:
- Sites previously confirmed to be malware, phishing, or C2 sites. These sites remain in this category for at least 30 days.
- Unknown domains, which are classified as high-risk until PAN-DB completes site analysis and categorization.
- Sites associated with confirmed malicious activity. For example, a page might be high-risk if there are malicious hosts on the same domain, even if the page itself does not contain malicious content.
- Bulletproof ISP-hosted sites.
- Domains classified as DDNS due to the presence of an active dynamic DNS configuration.
- Sites hosted on IPs from ASNs that are known to allow malicious content.
Default and Recommended Policy Action: Alert
Medium-Risk
Medium-risk sites include:
- All cloud storage sites (with the URL category online-storage-and-backup).
- Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 30 days. These sites remain in this category for an additional 60 days.
- Unknown IP addresses, which are categorized as medium-risk until PAN-DB completes site analysis and categorization.
Default and Recommended Policy Action: Alert
Low-Risk
Sites that are not medium-risk or high-risk are considered low-risk. These sites have displayed benign activity for a minimum of 90 days.
Default and Recommended Policy Action: Allow
Newly-Registered Domains
Identifies sites that have been registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
Default Policy Action: Alert
Recommended Policy Action: Block
Newly-registered domains are often created deliberately for a campaign or generated by domain generation algorithms and then used for malicious activity. It is a best practice to block this URL category.
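As an added example (not Palo Alto Networks code), the following Python audits a URL Filtering profile's configured actions for the four categories described above against their recommended actions, flagging anything weaker than recommended, such as Newly-Registered Domains left on the default Alert. The lowercase-hyphen category identifiers, the profile dictionary shape and the action strictness ranking are assumptions.

```python
# Added example (not vendor code): audit a URL Filtering profile's actions for
# the four security-focused categories against the recommendations above.
# Assumptions: lowercase-hyphen category identifiers and the strictness ranking.

# Recommended action per category, taken from the page. For newly-registered
# domains the default is 'alert', but the recommended action is 'block'.
RECOMMENDED = {
    "high-risk": "alert",
    "medium-risk": "alert",
    "low-risk": "allow",
    "newly-registered-domain": "block",
}

# Assumed ranking: an action at least as strict as the recommendation is fine.
# 'continue' and 'override' still admit traffic after user interaction, so they
# sit below 'block'.
STRICTNESS = {"allow": 0, "alert": 1, "continue": 2, "override": 2, "block": 3}


def audit_url_profile(profile):
    """Return (category, configured, recommended, reason) for each deviation."""
    findings = []
    for category, recommended in RECOMMENDED.items():
        configured = profile.get(category)
        if configured is None:
            findings.append((category, None, recommended, "not configured"))
            continue
        configured = configured.lower()
        if configured not in STRICTNESS:
            findings.append((category, configured, recommended, "unknown action"))
        elif STRICTNESS[configured] < STRICTNESS[recommended]:
            findings.append((category, configured, recommended, "weaker than recommended"))
    return findings


# Constructed sample: factory defaults, so newly-registered-domain is still 'alert'.
SAMPLE_PROFILE = {
    "high-risk": "alert",
    "medium-risk": "alert",
    "low-risk": "allow",
    "newly-registered-domain": "alert",
}

if __name__ == "__main__":
    for cat, conf, rec, why in audit_url_profile(SAMPLE_PROFILE):
        print(f"{cat}: configured={conf}, recommended={rec} ({why})")
```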