Use custom URL categories to define custom URL lists for exceptions to URL category enforcement, or to specify multiple categories that websites must match.
You can create a custom URL filtering object to specify exceptions to URL category enforcement and to create a custom URL category based on multiple URL categories:

Define exceptions to URL category enforcement—Create a custom list of URLs that you want to use as match criteria in a Security policy rule. This is a good way to specify exceptions to URL categories, where you’d like to enforce specific URLs differently than the URL category to which they belong. For example, you might block the social-networking category but want to allow access to LinkedIn.

Define a custom URL category based on multiple PAN-DB categories—This allows you to target enforcement for websites that match a set of categories. The website or page must match all the categories defined as part of the custom category. For example, PAN-DB might classify a developer blog that your engineers use for research as personal-sites-and-blogs, computer-and-internet-info, and high-risk. To allow the engineers to access the blog and similar websites and gain visibility into these websites, you can create a custom URL category based on the three categories and set site access for the category to alert in a URL Filtering profile.
Follow these steps to create a custom URL category and define how you’d like the firewall to enforce the custom URL category:

1. Select Objects > Custom Objects > URL Category.

2. Add or modify a custom URL category and give the category a descriptive Name.

3. Set the category Type to either Category Match or URL List:

URL List—Add URLs that you want to enforce differently than the URL category to which they belong. Use this list type to define exceptions for URL category enforcement or to define a list of URLs as belonging to a custom category. Consult URL Category Exceptions for guidelines on creating URL list entries.

Consider the potential matches an entry might have before adding it to a URL category exception list. Entries that do not end in a trailing slash (/) or asterisk (*) may match more URLs than expected, resulting in less precise policy enforcement. For example, if you add example.com to a list of allowed websites, the firewall assumes an implicit asterisk and interprets that entry as example.com.*. As a result, the firewall allows access to sites such as example.com.test.info. You can construct domain entries with a trailing slash (example.com/) to prevent the firewall from assuming an implicit asterisk to the right of the domain. (See the step to Append a Trailing Slash for an overview of the trailing slash.)

Category Match—Provide targeted enforcement for websites that match a set of categories. The website or page must match all the categories defined as part of the custom category.

4. Select OK to save the custom URL category.

5. Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile. Your new custom category displays under Custom URL Categories.

6. Decide how you want to enforce Site Access and User Credential Submissions for the custom URL category. (To control the sites to which users can submit their corporate credentials, see Prevent Credential Phishing.)

7. Attach the URL Filtering profile to a Security policy rule to enforce traffic that matches that rule. Select Policies > Security > Actions and specify that the Security policy rule enforce traffic based on the URL Filtering profile you just updated. Make sure to Commit your changes.

You can also use custom URL categories as Security policy match criteria. In this case, you do not need to define how the category should be enforced as part of a URL Filtering profile. After creating a custom category, go to the Security policy rule to which you want to add the custom URL category (Policies > Security). Then select Service/URL Category to use the custom URL category as match criteria for the rule.
(Recommended) Enable the firewall to append a trailing slash (/) to custom URL category (URL List) and external dynamic list (URL List) entries. After you enable this feature, the firewall appends a trailing slash to domain entries (example.com) that do not end in a trailing slash or asterisk (*). The trailing slash in non-wildcard domain entries limits matches to the given domain and its subdirectories. For example, example.com (example.com/ after processing) matches itself and example.com/search.

The trailing slash in wildcard domain entries (entries using asterisks or carets) limits matches to URLs that conform to the specified pattern. For example, to match the entry *.example.com, a URL must strictly begin with one or more subdomains and end with the root domain, example.com; news.example.com is a match, but example.com is not because it lacks a subdomain.

Use the following CLI commands to enable this feature:

admin@PA-850> debug device-server append-end-token on
admin@PA-850> configure
admin@PA-850# commit

To disable this feature:

admin@PA-850> debug device-server append-end-token off
admin@PA-850> configure
admin@PA-850# commit

We recommend manually adding trailing slashes to clarify the intended matching behavior of an entry for anyone who inspects your URL list, because a trailing slash added by the firewall is not visible in the list. URL Category Exceptions (PAN-OS 10.2) discusses the trailing slash and matching behavior when this feature is enabled.

You have to enable this feature on each firewall running PAN-OS® 10.1 or earlier. Panorama™ management servers running PAN-OS 10.2 cannot enable this feature for firewalls running PAN-OS 10.1 or earlier.
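A simplified model of the matching rules described above (the implicit asterisk noted under URL List in step 3, and the trailing-slash behavior of the append-end-token feature), added here as an illustration and not PAN-OS code: the functions, the regex translation, and the sample entries and URLs are assumptions constructed to show why an entry without a trailing slash or asterisk over-matches, and caret (^) entries are not modelled.

```python
"""Simplified model of the URL-list matching rules this page describes.
Constructed example, not PAN-OS code: it shows why an entry that ends in
neither "/" nor "*" can match more than the administrator intended, and what
the append-end-token feature changes. Caret (^) entries are not modelled."""
import re


def normalize_url(url: str) -> str:
    """Drop the scheme and make sure the host is followed by a path ("/")."""
    url = re.sub(r"^[a-z]+://", "", url.strip().lower())
    return url if "/" in url else url + "/"


def expand_entry(entry: str, append_end_token: bool) -> str:
    """Apply the page's two behaviours to a raw list entry.

    append_end_token=True  : entries ending in neither "/" nor "*" get a
                             trailing "/" (debug device-server append-end-token on)
    append_end_token=False : the same entries get an implicit trailing "*"
    """
    if entry.endswith(("/", "*")):
        return entry
    return entry + "/" if append_end_token else entry + "*"


def entry_to_regex(expanded: str) -> re.Pattern:
    """Model: "*" matches one or more characters (leading subdomain labels or
    "anything that follows"); whatever comes after a literal trailing "/"
    (subdirectories) is always allowed."""
    parts = [re.escape(part) for part in expanded.split("*")]
    return re.compile("^" + ".+".join(parts) + ".*$")


def url_matches(entry: str, url: str, append_end_token: bool = False) -> bool:
    """True if the list entry would match the URL under the modelled rules."""
    pattern = entry_to_regex(expand_entry(entry, append_end_token))
    return pattern.match(normalize_url(url)) is not None


def audit_list(entries, urls, append_end_token=False):
    """Map each entry to the URLs it matches, to spot unintended matches."""
    return {e: [u for u in urls if url_matches(e, u, append_end_token)]
            for e in entries}


if __name__ == "__main__":
    # Constructed sample list and URLs (not real sites to allow).
    entries = ["example.com", "example.com/", "*.example.com"]
    urls = ["example.com", "https://example.com/search",
            "example.com.test.info", "news.example.com"]
    for mode in (False, True):
        print(f"append-end-token {'on' if mode else 'off'}:",
              audit_list(entries, urls, mode))
```

Running the script with the feature off shows the bare entry example.com matching example.com.test.info, while with the feature on (or with example.com/ written explicitly) that match disappears.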