>
    Strata Copilot
    Security Profile: URL Filtering
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    3. Network Security: Security Policy
    4. Security Profiles
    5. Security Profile: URL Filtering
    Download PDF
    Network Security

    Security Profile: URL Filtering

    Table of Contents

    Security Profile: URL Filtering

    Use URL filtering profiles to not only control access to web content, but also to control how users interact with web content.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Strata Cloud Manager)
    • NGFW (Managed by PAN-OS or Panorama)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    Check for any license or role requirements for the products you're using.
    URL Filtering profiles let you monitor and control how users access the web over HTTP and HTTPS by defining how your configuration handles traffic to specific URL categories. A URL Filtering profile is a collection of URL filtering controls that you can apply to individual Security rules that allow access to the internet. You can set site access for URL categories, allow or disallow user credential submissions, enable safe search enforcement, and various other settings. To enforce the actions you define in a URL Filtering profile, you need to apply profiles to Security rules. A default profile is configured to block websites such as known malware sites, phishing sites, and adult content sites. You can use the default profile in a Security policy, clone it to be used as a starting point for new URL filtering profiles, or add a new URL profile that will have all categories set to allow for visibility into the traffic on your network. You can then customize the newly added URL profiles and add lists of specific websites that should always be blocked or allowed, which provides more granular control over URL categories.

    Configure URL Filtering

    Configure URL Filtering (Strata Cloud Manager)

    Follow these steps to configure URL Filtering profiles and settings that meet your organization’s business and security needs.
    After you plan your URL filtering deployment, you should have a basic understanding of the types of websites your users are accessing. Use this information to create a URL Filtering profile that defines how the firewall handles traffic to specific URL categories. You can also restrict the sites to which users can submit corporate credentials or enforce strict safe search. To activate these settings, apply the URL Filtering profile to Security rules that allow web access.
    Follow these steps to configure URL Filtering profiles and settings that meet your organization’s business and security needs. See Advanced URL Filtering: Configure URL Filtering for detailed steps.
    1. Go to ConfigurationNGFW and Prisma AccessSecurity ServicesURL Access Management
    2. Review and customize General URL Filtering Settings.
      Automatically append end tokens to URLs in an EDL or a custom URL category
      If you use URLs in custom URL categories or external dynamic lists (EDLs) and do not append an ending token, it is possible to allow more URLs than you intended. For example, entering example.com as a matching URL instead of example.com/ would also match example.com.website.info or example.com.br.Prisma Access can automatically set an ending token to URLs in EDLs or custom URL categories so that, if you enter example.com, Prisma Access treats it as it would treat example.com/ and only match that URL.
      Go to System SettingsGeneral Settings and enable the option to Append End Token to Entries.
    3. Create a URL Access Management profile.
    4. Apply the URL Access Management profile to a Security rule.
      A URL Access Management profile is only active when it’s included in a profile group that a Security policy rule references. Follow the steps to activate a URL Access Management profile (and any Security profile).
    5. Select Save and Push Config.

    Configure URL Filtering (PAN-OS & Panorama)

    Follow these steps to configure URL Filtering profiles and settings that meet your organization’s business and security needs.
    After you plan your URL filtering deployment, you should have a basic understanding of the types of websites your users are accessing. Use this information to create a URL Filtering profile that defines how the firewall handles traffic to specific URL categories. You can also restrict the sites to which users can submit corporate credentials or enforce strict safe search. To activate these settings, apply the URL Filtering profile to Security rules that allow web access.
    Follow these steps to configure URL Filtering profiles and settings that meet your organization’s business and security needs. See Advanced URL Filtering: Configure URL Filtering for detailed steps.
    1. Create a URL Filtering profile.
      If you didn’t already, configure a best practice URL Filtering profile to ensure protection against URLs hosting malware or exploitive content.
      Select ObjectsSecurity ProfilesURL Filtering and Add or modify a URL Filtering profile.
    2. Define site access for each URL category.
      Select Categories and set the Site Access for each URL category.
    3. Configure the URL Filtering profile to detect corporate credential submissions to websites that are in allowed URL categories.
      To ensure the best performance and a low false positive rate, the firewall automatically skips checking the credential submissions for any App-ID™ associated with sites that have never been observed hosting malware or phishing content—even if you enable checks in the corresponding category. The list of sites for which the firewall skips credential checking is automatically updated through Applications and Threats content updates.
    4. Configure the URL Filtering profile to detect phishing and malicious JavaScript in real-time using local inline categorization.
    5. Allow or block users from submitting corporate credentials to sites based on URL category to prevent credential phishing.
      To ensure the best performance and a low false positive rate, the firewall automatically skips checking the credential submissions for any App-ID associated with sites that have never been observed hosting malware or phishing content—even if you enable checks in the corresponding category. The list of sites for which the firewall skips credential checking is automatically updated through Applications and Threats content updates.
    6. Define URL category exceptions to specify websites that should always be blocked or allowed, regardless of URL category.
      For example, to reduce URL filtering logs, you may want to add your corporate websites to the allow list so that no logs are generated for those sites or, if there is a website that is being overly used and is not work-related, you can add that site to the block list.
      The policy actions configured for custom URL categories have priority enforcement over matching URLs in external dynamic lists.
      Traffic to websites in the block list is always blocked regardless of the action for the associated category and traffic to URLs in the allow list is always allowed.
      For more information on the proper format and wildcard usage, review the URL Category Exception Guidelines.
    7. Enable Safe Search Enforcement.
    8. Log only the page a user visits for URL filtering events.
    9. Enable HTTP Header Logging for one or more of the supported HTTP header fields.
    10. Save the URL Filtering profile.
    11. Apply the URL Filtering profile to Security rules that allow traffic from clients in the trust zone to the internet.
      Make sure the Source Zone in the Security policy rules to which you add URL Filtering profiles is set to a protected internal network.
    12. Commit the configuration.
    13. Test your URL filtering configuration.
    14. (Best Practice) Enable Hold client request for category lookup to block client requests while the firewall performs URL category lookups.
    15. Set the amount of time, in seconds, before a URL category lookup times out.

    © 2026 Palo Alto Networks, Inc. All rights reserved.