URL Category Exceptions
Guidelines for adding entries to a custom URL list or external dynamic list you want to use in a URL Filtering profile or policy.
You can exclude specific websites from URL category enforcement, ensuring that these websites are blocked or allowed regardless of the policy action associated with their URL categories. For example, you might block the social-networking URL category but allow access to LinkedIn. To create exceptions to URL category policy enforcement:
- Add the IP addresses or URLs of sites you want to block or allow to a custom URL category of type URL List (Objects > Custom Objects > URL Category). Then, define site access for the custom URL category in a URL Filtering profile. Finally, attach the profile to a Security policy rule. You can also use a custom URL category as match criteria in a Security policy rule (Policies > Security, and select Service/URL Category). The exception rule must be placed above any rules that block or allow the categories to which the URL exceptions belong.
- Add the URLs of sites you want to block or allow to an external dynamic list of type URL List (Objects > External Dynamic Lists). Then, use the external dynamic list in a URL Filtering profile or as match criteria in a Security policy rule. The benefit of using an external dynamic list is that you can update the list without performing a configuration change or commit on the firewall.
External dynamic lists of type URL List should not be confused with external dynamic lists of type Domain List or IP Address. While external dynamic lists of URLs permit domains and IP addresses, the reverse is not true and results in invalid entries.
The following guidelines describe how to populate URL category exception lists (custom URL categories or external dynamic lists of URLs):
- Basic Guidelines For URL Category Exception Lists
- Wildcard Guidelines for URL Category Exception Lists
- URL Category Exception List—Examples
Basic Guidelines For URL Category Exception Lists
Consider the potential matches an entry might have before adding it to a URL category exception list. The following guidelines specify how to create an entry that blocks or allows the websites and pages you intend. Create new entries and evaluate existing ones against these guidelines to ensure you do not block or allow access to more URLs than anticipated.
The firewall assumes an implicit asterisk at the end of domain entries that do not end in a trailing slash (/) or asterisk (*). For example, if you add example.com to a URL list of allowed websites, the firewall interprets that entry as example.com.*. As a result, the firewall allows access to sites such as example.com.domain.xyz.
To prevent the firewall from assuming the implicit asterisk, you can append a trailing slash to domain entries that do not end in a / or *. The addition of the trailing slash changes the URLs that the firewall considers a match and for which it enforces policy. In non-wildcard domain entries, the trailing slash limits matches to the given domain and its subdirectories. For example, example.com (example.com/ after processing) matches itself and example.com/search.
In wildcard domain entries (entries with asterisks or carets), the trailing slash limits matches to URLs that conform to the specified pattern. For example, when a trailing slash is added to the entry *.example.com, a URL must include at least one subdomain and end with the root domain, example.com. The pattern is <subdomain>.example.com; news.example.com is a match, but example.com is not because it lacks a subdomain.
You can enable the firewall to automatically append a trailing slash to applicable entries using the following command line interface (CLI) commands:
admin@PA-850> debug device-server append-end-token on
admin@PA-850> configure
admin@PA-850# commit
We recommend manually adding trailing slashes to clarify the intended matching behavior of an entry for anyone who inspects it; a trailing slash added by the firewall is not visible in the entry. To disable this feature:
admin@PA-850> debug device-server append-end-token off
admin@PA-850> configure
admin@PA-850# commit
Panorama™ management servers running PAN-OS® 10.2 cannot enable this feature for firewalls running PAN-OS 10.1 or earlier. You have to enable this feature on each firewall running PAN-OS 10.1 or earlier.
- List entries are case-insensitive.
- Omit http and https from URL entries.
- Each URL entry can be up to 255 characters in length.
- Every domain entry that does not end in a / or an * has an implicit asterisk at its end. The firewall processes the entry as if you entered <domain>.*.
- Enter an exact match to the website you want to block or allow, or use wildcards to create a pattern match. Different entries result in different exact matches. If you enter the URL for a specific web page (example.com/contact), the firewall limits matches to that page alone. Exact matching for a domain with a trailing slash restricts matches to the domain itself and its subdirectories. If you enter a domain (without a trailing slash), the firewall matches additional URLs due to the implicit asterisk.
- Consider adding the URLs most commonly used to access a website or page to your exception list (for example, blog.paloaltonetworks.com and paloaltonetworks.com/blog) if the original entry is accessible from more than one URL.
- The entry example.com is distinct from www.example.com. The domain name is the same, but the second entry contains the www subdomain.
Palo Alto Networks does not support regular expression use in custom URL category or external dynamic list entries. You must know the specific URLs or be able to construct the URL patterns you want to match using wildcards and the following characters: . / ? & = ; +.
Wildcard Guidelines for URL Category Exception Lists
You can use asterisks (*) and carets (^) in URL category exception lists to configure a single entry to match multiple subdomains, domains, top-level domains (TLD), or pages without specifying exact URLs.
Add a trailing slash (/) to domain entries to ensure the firewall ignores matches to the right of the domain. For the trailing slash to have an impact, an entry must not end in a *.
How to Use Asterisk (*) and Caret (^) Wildcards
The following characters are token separators: . / ? & = ; +. Every string delimited by these characters is a token. Use wildcard characters as token placeholders to indicate that a specific token can contain any value. In the entry docs.paloaltonetworks.com, the tokens are “docs”, “paloaltonetworks”, and “com”.
The following table describes how asterisks and carets work and provides examples.
* | ^ |
---|---|
Indicates one or more variable subdomains, domains, TLDs, or subdirectories. An asterisk can follow a trailing slash, for example, example.com/*. Ex: *.domain.com matches docs.domain.com and abc.xyz.domain.com. | Indicates one variable subdomain, root domain, or TLD. A caret cannot follow a slash (/); the following entry is invalid: example.com/^. Ex: ^.domain.com matches docs.domain.com and blog.domain.com. |
Key Point: Asterisks match a greater range of URLs than carets. An asterisk corresponds to any number of consecutive tokens, while a caret corresponds to exactly one token. An entry like xyz.*.com matches more sites than xyz.^.^.com; xyz.*.com matches sites with any number of tokens between the strings, and xyz.^.^.com matches sites with exactly two tokens. The firewall interprets entries that do not end in a / or * with an implicit asterisk at their end, which further increases the potential matches.
- A wildcard must be the only character within a token. For example, example*.com is an invalid entry because example and * are in the same token. An entry can contain wildcards in more than one token, however.
- You can use asterisks and carets in the same entry (for example, *.example.^).
Do not create an entry with consecutive asterisks (*) or more than nine consecutive carets (^): entries like these can affect firewall performance. For example, do not add an entry like mail.*.*.com. Instead, depending on the range of websites you want to control access to, enter mail.*.com or mail.^.^.com.
URL Category Exception List—Examples
The following table displays example URL list entries, matching sites, and explanations for the matching behavior. URL Category Exceptions—Examples (starting at PAN-OS 10.2) shows matching behavior when the firewall appends a trailing slash to domain entries without a trailing slash or terminating asterisk by default.
URL Exception List Entry | Matching Sites | Explanation and Notes |
---|---|---|
Example Set 1 | | |
paloaltonetworks.com | paloaltonetworks.com, paloaltonetworks.com.au, paloaltonetworks.com.random.org, paloaltonetworks.com/your-page | An implicit asterisk is assumed at the end of the domain because a trailing slash is not present. Therefore, matches also include all URLs that begin with the domain. Add a trailing slash to your entry to limit matches to the exact domain and its subdirectories. |
paloaltonetworks.com/example | paloaltonetworks.com/example | The domain is followed by the subdirectory example. When you enter the URL for a specific web page, the firewall applies the exception action to the specified web page. |
Example Set 2: Asterisks | | |
*.example.com | www.example.com, docs.example.com, support.tools.example.com.uk, blog.example.com/your-page | The asterisk expands matches to all example.com subdomains. An implicit asterisk is assumed at the end of the domain because a trailing slash is not present. Therefore, matches also include URLs that begin with the pattern <subdomain>.example.com. To ensure your entry matches only subdomains of the domain, include a trailing slash. |
mail.example.* | mail.example.com, mail.example.co.uk, mail.example.com/#inbox | The asterisk expands matches to any URL following the mail.example.<TLD> pattern. An asterisk is not implied at the end because the entry already ends in one. |
example.*.com | example.yoursite.com, example.es.domain.com, example.a.b.com.info.us, example.company.com/1234 | The asterisk expands matches to URLs where example is the left-most subdomain and the last token represented by the asterisk is followed by .com (example.<domain>.com). An implicit asterisk is assumed at the end of the domain because a trailing slash is not present. |
example.com/* | example.com/photos, example.com/blog/latest, any example.com subdirectory | The domain is followed by a / and an asterisk, which indicates that a subdirectory must be present. The asterisk serves as a token placeholder for any example.com subdirectory. An asterisk is not implied at the end because the entry ends in one. |
Example Set 3: Carets | | |
google.^ | google.com, google.co.uk, google.com/search?q=paloaltonetworks | An implicit asterisk is assumed to the right of the caret because a trailing slash is not present. Therefore, matches also include URLs with more than one token after google. Add a trailing slash to limit matches to sites with one token after the domain. Note: patterns such as example.co.^ are typically used to match country-specific domains such as example.co.jp. However, generic top-level domains (gTLDs) result in patterns such as example.co.^ matching example.co.info or example.co.amzn, which may not belong to the same organization. |
^.google.com | www.google.com, news.google.com.test.info, docs.google.com/document | The caret expands matches to single-level subdomains of google.com. An implicit asterisk is assumed at the end of the domain because a trailing slash is not present. Therefore, matches also include URLs that begin with the <subdomain>.google.com pattern. |
^.^.google.com | www.maps.google.com, support.tools.google.com.abc.xyz, www.tools.google.com/example-page | The two carets expand matches to URLs with two consecutive subdomains before google.com. An implicit asterisk is assumed at the end of the domain because a trailing slash is not present. Therefore, matches also include URLs that begin with the <subdomain>.<subdomain>.google.com pattern. |
google.^.com | google.example.com, google.company.com.it, google.info.com/example | The caret expands matches to URLs where google is the left-most subdomain, followed by one token and .com. An implicit asterisk is assumed at the end of the domain because a trailing slash is not present. Therefore, matches also include URLs that begin with the google.<domain>.com pattern. |