Security-Focused URL Categories
End-of-Life (EoL)


Review the criteria for each security-focused URL category to learn why a site has been classified as high-risk, medium-risk, or low-risk.
Security-focused URL categories can help you reduce your attack surface by providing targeted decryption and enforcement for sites that pose varying levels of risk but are not confirmed malicious. Websites are classified with a security-related category only as long as they meet the criteria for that category; as site content changes, policy enforcement dynamically adapts. You cannot submit a change request for security-focused URL categories.
High-Risk
High-risk sites include:
  • Sites previously confirmed to be malware, phishing, or C2 sites. These sites will remain in this category for at least 30 days.
  • Unknown domains are classified as high-risk until PAN-DB completes site analysis and categorization.
  • Sites that are associated with confirmed malicious activity. For example, a page might be high-risk if there are malicious hosts on the same domain, even if the page itself does not contain malicious content.
  • Bulletproof ISP-hosted sites.
  • Domains classified as DDNS due to the presence of an active dynamic DNS configuration.
  • Sites hosted on IPs from ASNs that are known to allow malicious content.
Default and Recommended Policy Action: Alert
Medium-Risk
Medium-risk sites include:
  • All cloud storage sites (with the URL category online-storage-and-backup).
  • Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 30 days. These sites will remain in this category for an additional 60 days.
  • Unknown IP addresses are categorized as medium-risk until PAN-DB completes site analysis and categorization.
Default and Recommended Policy Action: Alert
Low-Risk
Sites that are not medium or high risk are considered low risk. These sites have displayed benign activity for a minimum of 90 days.
Default and Recommended Policy Action: Allow
Newly-Registered Domains
Identifies sites that have been registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
Default Policy Action: Alert
Recommended Policy Action: Block
Newly-registered domains are often generated purposefully or by domain generation algorithms and used for malicious activity. It is a best practice to block this URL category.
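The following Python sketch is an added example, not vendor code or PAN-OS configuration syntax. It checks a URL filtering profile against the recommended actions listed above and models the minimum 30-day and 60-day windows for a previously malicious site. The dict-based profile format, the category keys, the function names, and the strictness ordering of actions are assumptions made for illustration.

```python
# Added example; profile format and names are constructed, not PAN-OS syntax.

# Recommended actions as stated on this page (keys are this example's labels).
RECOMMENDED = {
    "high-risk": "alert",
    "medium-risk": "alert",
    "low-risk": "allow",
    "newly-registered-domain": "block",
}

# Strictness order is an assumption of this example (least to most strict).
STRICTNESS = {"allow": 0, "alert": 1, "continue": 2, "override": 3, "block": 4}


def audit_profile(profile):
    """Return (category, configured, recommended) for too-permissive settings."""
    findings = []
    for category, recommended in RECOMMENDED.items():
        # Assumption: a category missing from the profile is treated as "allow".
        configured = profile.get(category, "allow")
        if configured not in STRICTNESS:
            raise ValueError(f"unknown action {configured!r} for {category}")
        if STRICTNESS[configured] < STRICTNESS[recommended]:
            findings.append((category, configured, recommended))
    return findings


def category_after_malicious(days_benign):
    """Earliest category for a once-malicious site after N benign days."""
    if days_benign < 0:
        raise ValueError("days_benign must be non-negative")
    # High-risk for at least 30 days, then medium-risk for an additional
    # 60 days, so low-risk is reachable only after 90 benign days.
    if days_benign < 30:
        return "high-risk"
    if days_benign < 90:
        return "medium-risk"
    return "low-risk"


# Constructed sample profile: new domains left at the default action (alert).
SAMPLE_PROFILE = {
    "high-risk": "alert",
    "medium-risk": "allow",
    "low-risk": "allow",
    "newly-registered-domain": "alert",
}
```

Running `audit_profile(SAMPLE_PROFILE)` reports the two categories whose configured action is weaker than the recommendation. The timeline function gives only the earliest possible category, since the actual classification depends on PAN-DB analysis.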
