As a best practice, you should always block known dangerous
URL Filtering categories such
as malware, phishing, dynamic-dns, unknown, command-and-control,
proxy-avoidance-and-anonymizers, copyright-infringement, extremism,
newly-registered-domain, grayware, and parked. If you must allow
any of these categories for business reasons, you must decrypt them
and apply strict Security profiles to the traffic.