Create a Custom URL Category
Focus
Focus
Advanced URL Filtering

Create a Custom URL Category

Table of Contents

Create a Custom URL Category

Create a custom URL category that functions as either a URL category exception list or a distinct category based on multiple PAN-DB categories.
Where can I use this?
What do I need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
Notes:
  • Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
  • Prisma Access
    usually include
    Advanced URL Filtering
    capabilities.
You can create a custom URL category to define exceptions to URL category enforcement or define a new URL category from multiple categories.
Define Exceptions to URL Category Enforcement (URL List)
Specify a list of URLs (grouped under a single custom category) that you wish to enforce independently of their predefined URL categories. You can control access to this category in a URL Filtering profile that you apply to Security policy rules or use the category as match criteria in Security policy rules. For example, you can block the
social-networking
category but allow access to LinkedIn.
Define a Custom URL Category Based on Multiple PAN-DB Categories (Category Match)
Create a new category to target enforcement for websites or pages that match all of the categories defined as part of the custom category. For example, PAN-DB might classify a developer blog that your engineers use for research as
personal-sites-and-blogs
,
computer-and-internet-info
, and
high-risk
. To allow the engineers to access the blog and similar websites
and
gain visibility into these websites, you can create a custom URL category based on the three categories and set site access for the category to alert in a URL Filtering profile.
PAN-DB evaluates URLs against custom URL categories before external dynamic lists and predefined URL categories. Accordingly, the firewall enforces the Security policy rules for a URL in a custom URL list over the policy rules associated with the individual URL categories it exists in.
If multiple Security policy rules include a custom URL category, then the firewall enforces the Security policy rule with the strictest URL Filtering profile action for the matching traffic.

Cloud Managed

If you’re using Panorama to manage
Prisma Access
:
Toggle over to the
PAN-OS & Panorama
tab and follow the guidance there.
If you’re using
Strata Cloud Manager
, continue here.
  1. Select
    Manage
    Configuration
    Security Services
    URL Access Management
    Access Control
    .
  2. Under Custom URL Categories, select
    Add Category
    .
    Enter a descriptive
    Name
    for the category.
  3. Set the custom URL category
    Type
    to either
    URL List
    or
    Category Match
    .
    • URL List
      —Use this list type to add URLs that you want to enforce differently than the URL category to which they belong or to define a list of URLs as belonging to a custom category. Consult the Guidelines for URL Category Exceptions as you create URL list entries.
    • Category Match
      —Provide targeted enforcement for websites that match a set of categories. The website or page must match all the categories defined in the custom category.
  4. Under
    Items
    ,
    Add
    either URLs or existing categories.
  5. Save
    the custom URL category.
  6. Define Site Access and User Credential Submissions settings for the custom URL category.
    1. Select
      Manage
      Configuration
      Security Services
      URL Access Management
      URL Access Management Profiles
      .
    2. Select an existing profile to modify or click
      Add Profile
      .
    3. Under Access Control, select the custom URL category you created earlier. It sits under
      Custom URL Categories
      and above
      Pre-Defined Categories
      .
    4. Set
      Site Access
      for the category.
    5. Set
      User Credential Submissions
      for the category.
    6. Save
      the profile.
  7. Apply the URL Access Management profile to a Security policy rule.
    A URL Access Management profile is only active when it’s included in a profile group that a Security policy rule references.
    Follow the steps to activate a URL Access Management profile (and any Security profile). Be sure to
    Push Config
    .
    You can also use custom URL categories as Security policy rule match criterion. In this scenario, you do not define site access for the URL category in a URL Filtering profile. Instead, after creating a custom URL category, select the Security policy rule you want to add the custom URL category to (
    Manage
    Configuration
    Security Services
    Security Policy
    ). Under
    Applications, Services and URLs
    and URL Category Entities, click
    Add URL Categories
    . Select the custom URL category you created, and then
    Save
    the Security policy rule.

PAN-OS & Panorama

  1. Select
    Objects
    Custom Objects
    URL Category
    .
  2. Add
    or modify a custom URL category, and give the category a descriptive
    Name
    .
  3. Set the category
    Type
    to either
    Category Match
    or
    URL List
    :
    • URL List
      —Add URLs that you want to enforce differently than the URL category to which they belong. Use this list type to define exceptions to URL category enforcement or to define a list of URLs as belonging to a custom category. Consult URL Category Exceptions for guidelines on creating URL list entries.
      By default, the firewall automatically appends a trailing slash (/) to domain entries (
      example.com
      ) that do not end in a trailing slash or asterisk (*). The trailing slash prevents the firewall from assuming an implicit asterisk to the right of the domain. In non-wildcard domain entries, the trailing slash limits matches to the given domain and its subdirectories. For example,
      example.com
      (
      example.com/
      after processing) matches itself and
      example.com/search
      .
      In wildcard domain entries (entries using asterisks or carets), the trailing slash limits matches to URLs that conform to the specified pattern. For example, to match the entry
      *.example.com
      , a URL must strictly
      begin
      with one or more subdomains and end with the root domain,
      example.com
      ;
      news.example.com
      is a match, but
      example.com
      is not because it lacks a subdomain.
      We recommend manually adding trailing slashes to clarify the intended matching behavior of an entry for anyone who inspects your URL list. The trailing slash is invisible if added by the firewall. URL Category Exceptions discusses the trailing slash and matching behavior in further detail.
      To disable this feature, go to
      Device
      Setup
      Content-ID
      URL Filtering
      . Then, deselect
      Append Ending Token
      . If you disable this feature, you may block or allow access to more URLs than intended. URL Category Exceptions (PAN-OS 10.1 and earlier) describes the firewall’s behavior when this feature is disabled.
    • Category Match
      —Provide targeted enforcement for websites that match a set of categories. The website or page must match all the categories defined in the custom category.
  4. Click
    OK
    to save the custom URL category.
  5. Select
    Objects
    Security Profiles
    URL Filtering
    and
    Add
    or modify a URL Filtering profile.
    Your new custom category displays under
    Custom URL Categories
    :
  6. Decide how you want to enforce
    Site Access
    and
    User Credential Submissions
    for the custom URL category. (To control the sites to which users can submit their corporate credentials, see Prevent Credential Phishing.)
  7. Attach the URL Filtering profile to a Security policy rule to enforce traffic that matches that rule.
    Select
    Policies
    Security
    Actions
    and specify the Security policy rule to enforce traffic based on the URL Filtering profile you just updated. Make sure to
    Commit
    your changes.
    You can also use custom URL categories as Security policy rule match criteria. In this case, you do not define site access for the URL category in a URL Filtering profile. After creating a custom category, go to the Security policy rule to which you want to add the custom URL category (
    Policies
    Security
    ). Then, select
    Service/URL Category
    to use the custom URL category as match criteria for the rule.

Recommended For You