URL Categories
Focus
Focus
Advanced URL Filtering

URL Categories

Table of Contents

URL Categories

Learn about the role of URL categories in URL filtering, and explore the complete list of PAN-DB URL filtering categories.
Where can I use this?
What do I need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
Notes:
  • Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
  • Prisma Access
    usually include Advanced URL Filtering capabilities.
Palo Alto Networks categorizes websites based on their content, features, and safety. Each URL category corresponds to a set of characteristics that’s useful for creating policy rules. URLs that users on your network access are added to Palo Alto Networks URL filtering database, PAN-DB. PAN-DB assigns up to four URL categories, including risk categories (high, medium, and low), to these websites.
URL categories enable category-based filtering of web traffic and granular policy control of sites. You can configure a URL Filtering profile to define site access for URL categories and apply the profile to Security policy rules that allow traffic to the internet. You can also use URL categories as match criteria in Security policy rules to ensure those rules apply only to websites in the specified categories. For example, you might configure a decryption policy rule that prevents decryption of traffic to the financial-services category.
To check the categories of a specific URL, enter the URL into Test A Site, our URL lookup engine. If you believe a URL is incorrectly categorized, submit a category change request.

Custom URL Categories

You can create a custom URL category to exclude particular websites from category-based enforcement. Custom URL categories can be based on specific URLs (URL List) or other categories (Category Match). Custom URL categories of URL list type function as block and allow lists. Custom URL categories of Category Match type enable targeted enforcement for websites that match all categories defined as part of the custom category.

Predefined URL Categories

The following table lists predefined URL categories that PAN-DB uses to filter URLs. Some entries describe sites that are excluded from the category. Security-Focused URL Categories describes risk categories, which are not assigned to all URLs.
URL Category
Description
Abortion
Sites that pertain to information or groups in favor of or against abortion, details regarding abortion procedures, help or support forums for or against abortion, or sites that provide information regarding the consequences or effects of pursuing (or not) an abortion.
Abused Drugs
Sites that promote the abuse of both legal and illegal drugs, the use and sale of drug-related paraphernalia, or the manufacturing or selling of drugs.
Adult
Sites with any sexually explicit material, media (including language, games, or comics), art, or products, online groups or forums that are sexually explicit in nature, and sites that promote adult services, such as video or telephone conferencing, escort services, and strip clubs.
Alcohol and Tobacco
Sites that pertain to the sale, manufacturing, or use of alcohol or tobacco products, and related paraphernalia. Includes sites related to electronic cigarettes.
Artificial Intelligence
Websites that use machine learning and deep learning models, including large language models, to provide services that would have typically required human intelligence. The services provided include but are not limited to chatbot, productivity, summarizer, transcriber, no-code, and audio or video editing-related services. Emphasis is given to websites hosting the actual AI service, not informational AI content.
Auctions
Sites that promote the sale of goods between individuals.
Auctions with donation purposes are categorized as Society.
Business and Economy
Sites with content related to marketing, management, economics, entrepreneurship, or running a business, including the following:
  • Sites for advertising and marketing companies
  • Sites for shipping services, such as fedex.com
  • Sites for phone, cable, and internet service providers
  • Sites for surveys or polls
  • Sites for Chambers of Commerce
  • Sites for conferences*
  • Corporate websites might be categorized with their technology instead of this category.
  • * Sites related to conferences should be categorized based on the content. If a site's content isn't specific, it's categorized as Business and Economy.
Command and Control
Command-and-control (C2) URLs and domains used by malware or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
Computer and Internet Info
Sites that provide general information about computers and the internet, including sites about the following topics:
  • Computer science
  • Engineering
  • Hardware and computer parts
  • Software
  • Security
  • Programming
Programming may have some overlap with the Reference and Research category, but the primary category should be Computer and Internet Info.
Content Delivery Networks
Sites whose primary focus is delivering content, such as advertisements, media, files, and image servers, to third parties.
Copyright Infringement
Domains with illegal content, such as content that allows the illegal download of software or other intellectual property, which poses a potential liability risk.
Sites that provide peer-to-peer file exchange services or general streaming media belong to their own respective categories.
Cryptocurrency
Sites that promote cryptocurrencies, cryptomining (but not embedded crypto miners) sites, cryptocurrency exchanges and vendors, and sites that manage cryptocurrency wallets and ledgers.
Sites referencing cryptocurrency or malicious sites related to cryptocurrency will be categorized separately. For example, sites that explain how cryptocurrencies and blockchain technology work fall under Computer and Internet Info.
Dating
Sites offering online dating services, advice, or other personal ads.
Dating sites that offer sexual chat rooms fall under the Adult category.
Dynamic DNS
Sites that provide or utilize dynamic DNS services to associate domain names with dynamic IP addresses.
Dynamic DNS is often used by attackers for command-and-control communication and other malicious purposes.
Educational Institutions
Official sites for schools, colleges, universities, school districts, online classes, and other academic institutions. Also includes sites for tutoring academies.
This category refers to larger, established educational institutions, such as elementary schools, high schools, and universities.
Encrypted DNS
Sites for DNS resolver service providers, which offer security and privacy for end users by encrypting DNS requests and responses using protocols like DNS over HTTPS (DoH).
Entertainment and Arts
Sites for movies, television, radio, videos, programming guides or tools, comics, performing arts, museums, art galleries, or libraries. Includes sites for the following:
  • Entertainment
  • Celebrity and entertainment industry news
  • Novels
  • Dance classes
  • Event venues
  • Tattoo art
Extremism
Sites promoting terrorism, racism, fascism, or other views that discriminate against people or groups of different ethnic backgrounds, religions, and other beliefs. In some regions, laws and regulations may prohibit allowing access to extremist sites, and allowing access may pose a liability risk.
Websites that discuss controversial political or religious views fall under the Philosophy and Political Advocacy and Religion categories, respectively.
Financial Services
Sites pertaining to personal finances or advice, such as online banking, loans, mortgages, debt management, credit card companies, foreign currency exchanges (FOREX), and insurance companies. Excludes sites related to health insurance, stock markets, brokerages, or trading services.
Gambling
Sites that facilitate the exchange of real or virtual money through lotteries or gambling. Includes related sites that provide information, tutorials, or advice on gambling, such as how to bet odds and pools.
Corporate websites for hotels and casinos that don't enable gambling fall under the Travel category.
Games
Sites that provide online play or downloads of video or computer games, game reviews, tips, cheats, or related publications and media. Includes sites that provide instructions for nonelectronic games, facilitate the sale or trade of board games, or support or host online sweepstakes and giveaways.
Government
Official websites for local, state, and national governments, as well as related agencies, services, or laws.
Sites for public libraries and military institutions fall under the Reference and Research and Military categories, respectively.
Grayware
Sites with content that don't pose a direct security threat but that display other intrusive behavior and tempt end users to grant remote access or perform other unauthorized actions.
Grayware includes the following:
  • Hacked sites
  • Typosquatting domains that don't exhibit malicious behavior and are not owned by the targeted domain
  • Sites with rogueware, adware, or other unsolicited applications, such as embedded crypto miners, clickjacking, or hijackers who change web browser elements
  • Sites with content pertaining to illegal or criminal activities
Hacking
Sites related to the illegal or questionable access to or use of communications equipment or software, including the development and distribution of such programs, how-to-advice, or tips that may result in the compromise of networks and systems. Includes sites that facilitate the bypass of licensing and digital rights systems.
Health and Medicine
Sites containing information regarding general health, issues, and traditional and nontraditional tips, remedies, and treatments. Includes sites for various medical specialties, practices, facilities (such as gyms and fitness clubs), and professionals. Sites related to medical insurance and cosmetic surgery are also included.
Home and Garden
Sites with information, products, and services related to home repair and maintenance, architecture, design, construction, decor, and gardening.
Hunting and Fishing
Sites that provide hunting and fishing tips or instructions or facilitate the sale of related equipment and paraphernalia.
Sites that primarily sell firearms (even if they are used for hunting) fall under the Weapons category.
Insufficient Content
Sites and services that present test pages, have no content, provide API access not intended for end-user display, or require authentication without displaying any other content suggesting a different categorization.
Internet Communications and Telephony
Sites that support or provide services for video chatting, instant messaging, or other telephony capabilities.
Internet Portals
Sites that serve as a starting point for users, usually by aggregating a broad set of content and topics.
Job Search
Sites that provide job listings, employer reviews, interview advice and tips, or related services for both employers and prospective candidates.
Legal
Sites that provide information, analysis, or advice regarding the law, legal services, legal firms, or other legal-related issues.
Malware
Sites containing or known to host malicious content, executables, scripts, viruses, trojans, and code.
Military
Sites with information or commentary on military branches, recruitment, current or past operations, or any related paraphernalia. Includes sites for military and veteran associations.
Motor Vehicles
Sites with information relating to reviews, sales, trading, modification, parts, and other related discussions of automobiles, motorcycles, boats, trucks, and recreational vehicles (RVs).
Music
Sites related to music sales, distribution, or information. Includes websites for music artists, groups, labels, events, lyrics, and other information regarding the music business. Excludes music streaming sites.
Newly Registered Domains
Sites that have been registered within the last 32 days. Newly registered domains are often generated purposely or by domain generation algorithms and can be used for malicious activity.
News
Online publications, newswire services, and other websites that aggregate current events, weather, or other contemporary issues. Includes the following:
  • Newspapers
  • Radio stations
  • Magazines
  • Podcasts
  • TV programs dedicated to the news
  • Social bookmarking sites, such as reddit.com
If the magazine or news website focuses on a specific topic like sports, travel, fashion, it gets categorized based on the dominant content on the site.
Not-Resolved
This category indicates that the website wasn't found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category.
Nudity
Sites that contain nude or seminude depictions of the human body, regardless of context or intent, such as artwork. Includes nudist or naturist sites containing images of participants.
Online Storage and Backup
Sites that provide online storage of files for free or as a service. Includes photo-sharing sites.
Parked
URLs that host limited content or click-through ads, which may generate revenue for the host entity but generally don't contain content that is useful to end users. Includes domains that are for sale.
Parked sites with adult content fall under the Adult category.
Peer-to-peer
Sites that provide access to or clients for peer-to-peer sharing of torrents, download programs, media files, or other software applications. Primarily applicable to those sites with BitTorrent download capabilities. Excludes shareware or freeware sites.
Personal Sites and Blogs
Personal websites and blogs by individuals or groups. If such sites have a dominant topic associated with another category, they will be categorized with both categories.
Philosophy and Political Advocacy
Sites containing information, viewpoints, or campaigns regarding philosophical or political views.
Phishing
Web content that covertly attempts to harvest information, such as login credentials, credit card information, account numbers, PINs, and other personally identifiable information (PII), voluntarily or involuntarily, from victims using social engineering techniques. Includes technical support scams and scareware.
Private IP Addresses
This category includes IP addresses defined in RFC 1918, 'Address Allocation for Private Intranets,' which are as follows:
  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Includes domains not registered with the public DNS system (such as *.local and *.onion).
Proxy Avoidance and Anonymizers
Proxy servers and other methods that bypass URL filtering or monitoring.
VPNs with corporate-level usage fall under the Internet Communication and Telephony category.
Questionable
Sites containing tasteless humor or offensive content targeting specific demographics of individuals or groups of people.
Ransomware
Sites known to host ransomware or malicious traffic involved in conducting ransomware campaigns that generally threaten to publish private data or keep access to specific data or systems blocked, usually by encrypting it, until the demanded ransom is paid. Includes URLs that deliver related stealers, wipers, and loaders that may carry ransomware payloads.
Real Estate
Sites that provide information on property rentals, sales, and related tips or information, including sites for the following:
  • Real estate firms and agents
  • Rental services
  • Listings (and aggregates)
  • Property improvement
  • Homeowner associations
  • Property management groups or individuals
Sites for mortgage and loan servicers fall under the Financial Services category.
Real-Time Detection (
Advanced URL Filtering only
)
URLs that have been analyzed and detected by real-time inline analysis as part of Advanced URL Filtering.
Recreation and Hobbies
Sites that consist of information, forums, associations, groups, or publications related to recreational activities and hobbies.
Sites that sell products related to recreational activities or hobbies, such as REI.com, fall under the Shopping category.
Reference and Research
Sites that provide personal, professional, or academic reference portals, materials, or services, including online dictionaries, maps, almanacs, census information, libraries, genealogy, and scientific information. Includes sites for or related to the following:
  • Yellow pages
  • Calendar
  • Public libraries
  • Research institutions
  • Light and vehicle tracking services
  • Documents and records related to real estate, traffic, etc. (even when belonging to the government)
Religion
Sites with information regarding various religions, related activities, or events. Includes sites for religious organizations, religious officials, places of worship, fortune-telling, astrology, horoscopes, and religious paraphernalia.
Sites for private primary or secondary schools affiliated with a religious organization, such as Catholic schools, with a curriculum that teaches general religious education and secular subjects fall under the Educational Institutions category.
Scanning Activity (
Advanced URL Filtering only
)
Campaigns that are conducted by adversaries that can be indicators of compromise, or attempts at conducting targeted attacks or probing for existing vulnerabilities. These are usually part of reconnaissance activity conducted by adversaries.
Search Engines
Sites that provide a search interface using keywords, phrases, or other parameters that may return information, websites, images, or other files as results.
Sex Education
Sites that provide information on reproduction, sexual development, safe sex practices, sexually transmitted diseases, birth control, tips for better sex, and any related products or paraphernalia. Includes sites for related groups, forums, or organizations.
Shareware and Freeware
Sites that provide access to software, screensavers, icons, wallpapers, utilities, ringtones, themes, or widgets for free or donations. Includes open-source projects.
Shopping
Sites that facilitate the purchase of goods and services. Includes online merchants, sites for department stores, retail stores, catalogs, and price aggregation or monitoring tools. Sites in this category should be online merchants that sell a variety of items (or whose main purpose is online sales).
A website for a cosmetics company that happens to allow online purchasing falls under the Cosmetics category.
Social Networking
User communities or sites where users interact with each other, post messages, pictures, and otherwise communicate with groups of people.
Personal sites, blogs, or forums fall under the Personal Sites and Blogs category.
Society
Sites with content related to the general population or issues that impact a large variety of people, such as fashion, beauty, philanthropic groups, societies, or children. Includes restaurant websites.
Corporate websites related to food, such as Burger King, fall under the Business and Economy category.
Sports
Sites with information about sporting events, athletes, coaches, officials, teams or organizations, scores, schedules, related news, or sports paraphernalia. Includes websites for fantasy sports and virtual sports leagues.
Sites with the main purpose of selling sports goods fall under the Shopping category.
Stock Advice and Tools
Sites with information about the stock market, trading of stocks or options, portfolio management, investment strategies, quotes, or related news.
Streaming Media
Sites that stream audio or video content for free or purchase, including online radio stations, streaming music services, and the archiving of podcasts.
Swimsuits and Intimate Apparel
Sites that include information or images concerning swimsuits, intimate apparel, or other suggestive clothing.
Training and Tools
Sites that provide online education, training, and related materials. Includes driving or traffic schools, workplace training, games, applications, tools with educational purposes, and tutoring academies.
Specific skills classes are categorized based on their subject. For example, websites for music classes fall under the Music category.
Translation
Sites that provide translation services, including both user input and URL translations. These sites can also allow users to circumvent filtering as the target page's content is presented within the context of the translator's URL.
Travel
Sites that provide information about travel, such as tips, deals, pricing, destination information, tourism, and related services, such as booking or price monitoring tools. Includes websites for the following:
  • Local attractions
  • Hotels
  • Airlines
  • Cruise lines
  • Casinos (if the site does not allow online gambling)
  • Travel agencies
  • Vehicle rentals
  • Parking facilities
Unknown
Sites that have not yet been identified by Palo Alto Networks.
If availability of this site is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts.
PAN-DB Real-Time Updates learn unknown sites after a first attempt to access these sites, so unknown URLs are identified quickly and become known URLs that the firewall can then handle based on the actual URL category.
Weapons
Sites that handle sales or offer reviews, descriptions of, or instructions regarding weapons, armor, bulletproof vests, and their use.
Sites related to clay shooting, shooting ranges, and archery receive the primary category of Weapons and a secondary category of Sports.
Web Advertisements
Sites with advertisements, media, content, and banners. Includes pages for subscribing and unsubscribing from newsletters or ads.
Web-based Email
Any website that provides access to an email inbox and the ability to send and receive emails. Emphasis is given to websites that offer free or paid public access to such services.
Web Hosting
Sites that offer free or paid hosting services for webpages. Includes sites with information about web development, publication, promotion, and other methods of increasing traffic.

Security-Focused URL Categories

PAN-DB automatically evaluates and assigns a risk category (
high-risk
,
medium-risk
, and
low-risk
) to URLs that it either has
not
classified as malicious or
no longer
classifies as malicious because they have displayed only benign activity for at least 30 days. Each risk category has specific criteria that must be met for a URL to receive a given category. As site content changes, the risk category and policy enforcement dynamically adapt.
If PAN-DB determines that a URL belongs to a malicious URL category, it does not assign the site a risk category. Instead, the firewall automatically blocks the site because it poses an unacceptable risk for most environments.
Private IP addresses (and hosts) are unique to the host environment and are invisible to PAN-DB. As a result, Palo Alto Networks does not assign a risk rating to sites in this category.
Security-focused URL categories facilitate targeted decryption and policy enforcement, helping reduce your attack surface. For example, you can block users from accessing high- and medium-risk websites and newly registered domains or decrypt traffic to these categories if you choose to allow them.
The following table lists descriptions and default and recommended policy actions for each risk category.
You cannot submit a change request for security-focused URL categories.
URL Category
Description
High Risk
  • Sites whose domain was identified by the ML model to have properties previously linked to known malicious domains or had low web reputation signals.
  • Sites previously confirmed to be malware, phishing, or command-and-control (C2) sites.
  • Sites associated with confirmed malicious activity or that share a domain with a site known to be malicious.
  • Bulletproof ISP-hosted sites.
  • Domains classified as DDNS due to the presence of an active dynamic DNS configuration.
  • Sites hosted on IPs from ASNs that are known to allow malicious content.
  • Site classified as
    unknown
    .
    These sites remain high risk until PAN-DB completes site analysis and categorization.
  • Sites remain in this category for at least 30 days.
Default and Recommended Policy Action: Alert
Medium Risk
  • Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 30 days.
  • All cloud storage sites (sites classified as
    online-storage-and-backup
    ).
  • IP addresses classified as
    unknown
    .
    These IP addresses remain medium risk until PAN-DB completes site analysis and categorization.
  • Sites remain in this category for an additional 60 days.
Default and Recommended Policy Action: Alert
Low Risk
Sites that are not medium or high risk. These sites have displayed benign activity for a minimum of 90 days.
Default and Recommended Policy Action: Allow
Newly Registered Domains
Identifies sites that have been registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
Newly registered domains are often generated purposefully or by domain generation algorithms and used for malicious activity. It’s a best practice to block this URL category.
Default Policy Action: Alert
Recommended Policy Action: Block

Malicious URL Categories

We strongly recommend that you block the following URL categories, which identify malicious or exploitative content and behavior.
  • command-and-control
  • copyright-infringement
  • dynamic-dns
  • extremism
  • grayware
  • malware
  • newly-registered-domain
  • parked
  • phishing
  • proxy-avoidance-and-anonymizers
  • questionable
  • ransomware
  • scanning-activity
  • unknown
For categories that you alert on, instead of block, you can strictly control how users interact with site content. For example, give users access to the resources they need (like developer blogs for research purposes or cloud storage services), but take the following precautions to reduce exposure to web-based threats:
  • Follow the Anti-Spyware, Vulnerability Protection, and File Blocking best practices. A protective measure would be to block downloads of dangerous file types and obfuscated JavaScript for sites that you're alerting on.
  • Target decryption based on URL category. A good start would be to decrypt high-risk and medium-risk sites.
  • Display a response page to users when they visit high-risk and medium-risk sites. Alert them that the site they are attempting to access is potentially malicious, and advise them on how to take precautions if they decide to continue to the site.
  • Prevent credential phishing by blocking users from submitting their corporate credentials to sites including those that are high-risk and medium-risk.
The following table lists categories that PAN-DB considers malicious
and
blocks by default, except for
Private IP Addresses
. Private IP addresses (and hosts) are unique to the host environment and are invisible to PAN-DB. As a result, Palo Alto Networks does not assign a risk rating to sites in this category.
Category
Default Action
Command and Control
Block
Grayware
Malware
Phishing
Ransomware
Scanning Activity
Private IP Addresses
Allowed (no default action)

Recommended For You