Create a Custom URL Category

End-of-Life (EoL)

Use custom URL categories to define custom URL lists for exceptions to URL category enforcement or to specify multiple categories that websites must match.
You can create a custom URL filtering object to specify exceptions to URL category enforcement and to create a custom URL category based on multiple URL categories:
  • Define exceptions to URL category enforcement—Create a custom list of URLs that you want to use as match criteria in a Security policy rule. This is a good way to specify exceptions to URL categories, where you’d like to enforce specific URLs differently than the URL category to which they belong. For example, you might block the social-networking category but want to allow access to LinkedIn.
  • Define a custom URL category based on multiple PAN-DB categories—This allows you to target enforcement for websites that match a set of categories. The website or page must match all the categories defined as part of the custom category.
    For example, PAN-DB might classify a developer blog that your engineers use for research as personal-sites-and-blogs, computer-and-internet-info, and high-risk. To allow the engineers to access the blog and similar websites and gain visibility into these websites, you can create a custom URL category based on the three categories and set site access for the category to alert in a URL Filtering profile.
Follow these steps to create a custom URL category and define how you’d like the firewall to enforce the custom URL category:
  1. Select Objects > Custom Objects > URL Category.
  2. Add or modify a custom URL Category and give the category a descriptive Name.
  3. Set the category Type to either Category Match or URL List:
    • URL List—Add URLs that you want to enforce differently than the URL category to which they belong. Use this list type to define exceptions for URL Category enforcement or to define a list of URLs as belonging to a custom category. Consult URL Category Exceptions for guidelines on creating URL list entries.
      Consider the potential matches an entry might have before adding it to a URL category exception list. Entries that do not end in a trailing slash (/) or asterisk (*) may match more URLs than expected, resulting in less precise policy enforcement. For example, if you add example.com to a list of allowed websites, the firewall assumes an implicit asterisk and interprets that entry as example.com.*. As a result, the firewall allows access to sites such as example.com.test.info. You can construct domain entries with a trailing slash (example.com/) to prevent the firewall from assuming an implicit asterisk to the right of the domain. (See the step to Append a Trailing Slash for an overview of the trailing slash.)
    • Category Match—Provide targeted enforcement for websites that match a set of categories. The website or page must match all the categories defined as part of the custom category.
  4. Select OK to save the custom URL category.
  5. Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
    Your new custom category displays under Custom URL Categories.
  6. Decide how you want to enforce Site Access and User Credential Submissions for the custom URL category. (To control the sites to which users can submit their corporate credentials, see Prevent Credential Phishing.)
  7. Attach the URL Filtering profile to a Security policy rule to enforce traffic that matches that rule.
    Select Policies > Security > Actions and configure the Security policy rule to enforce traffic based on the URL Filtering profile you just updated. Make sure to Commit your changes.
    You can also use custom URL categories as Security policy match criteria. In this case, you do not need to define how the category should be enforced as part of a URL Filtering profile. After creating a custom category, go to the Security policy rule to which you want to add the custom URL category (Policies > Security). Then, select Service/URL Category to use the custom URL category as match criteria for the rule.
  8. (Recommended) Enable the firewall to append a trailing slash (/) to custom URL categories (URL List) and external dynamic lists (URL List) entries.
    After you enable this feature, the firewall appends a trailing slash to domain entries (example.com) that do not end in a trailing slash or asterisk (*). The trailing slash in non-wildcard domain entries limits matches to the given domain and its subdirectories. For example, example.com (example.com/ after processing) matches itself and example.com/search.
    The trailing slash in wildcard domain entries (entries using asterisks or carets) limits matches to URLs that conform to the specified pattern. For example, to match the entry *.example.com, a URL must strictly begin with one or more subdomains and end with the root domain, example.com; news.example.com is a match, but example.com is not because it lacks a subdomain.
    Use the following CLI commands to enable this feature:
    admin@PA-850> debug device-server append-end-token on
    admin@PA-850> configure
    admin@PA-850# commit
    To disable this feature:
    admin@PA-850> debug device-server append-end-token off
    admin@PA-850> configure
    admin@PA-850# commit
    We recommend manually adding trailing slashes to clarify the intended matching behavior of an entry for anyone who inspects your URL list. The trailing slash is invisible if added by the firewall. URL Category Exceptions (PAN-OS 10.2) discusses the trailing slash and matching behavior when this feature is enabled.
    You have to enable this feature on each firewall running PAN-OS® 10.1 or earlier. Panorama™ management servers running PAN-OS 10.2 cannot enable this feature for firewalls running PAN-OS 10.1 or earlier.
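
The trailing-slash behavior described in steps 3 and 8 can be checked against a URL list before it is committed. The following is an added example, not Palo Alto Networks code: a simplified model of the matching rules stated on this page, covering domain entries with the asterisk only (carets and path entries are not modelled). The function names and sample data are constructed for illustration.

```python
import re

LABELS = r"[^./]+(?:\.[^./]+)*"  # '*' modelled as one or more dot-separated labels

def entry_regex(entry, append_end_token=False):
    """Compile a domain entry to a regex (simplified model, not PAN-OS code)."""
    e = entry.lower()
    if append_end_token and not e.endswith(("/", "*")):
        e += "/"  # what the firewall appends when the feature is enabled
    anchored = e.endswith("/")
    host = e.rstrip("/")
    pat = r"\.".join(LABELS if p == "*" else re.escape(p) for p in host.split("."))
    if not anchored and not host.endswith("*"):
        pat += r"(?:\.[^/]+)?"  # implicit asterisk to the right of the domain
    return re.compile("^" + pat + r"(?:/.*)?$")

def matches(entry, url, append_end_token=False):
    """True if the URL matches the entry under this model."""
    target = url.split("://", 1)[-1].lower()  # drop the scheme if present
    return bool(entry_regex(entry, append_end_token).match(target))

def risky_entries(entries):
    """Entries that end in neither '/' nor '*' and so get the implicit asterisk."""
    return [e for e in entries if not e.endswith(("/", "*"))]

def overmatches(entry, probes):
    """Probe URLs matched as written but not once a trailing slash is appended."""
    return [u for u in probes
            if matches(entry, u) and not matches(entry, u, append_end_token=True)]

# Constructed sample data: a URL list under review and probe URLs to test it with.
ENTRIES = ["example.com", "example.com/", "*.example.com", "example.com.*"]
PROBES = ["example.com", "example.com/search", "example.com.test.info",
          "news.example.com", "news.example.com.test.info"]

if __name__ == "__main__":
    for entry in risky_entries(ENTRIES):
        extra = overmatches(entry, PROBES)
        print(f"{entry!r}: add a trailing slash; as written it also matches {extra}")
```

Run it over an exported URL list with probe URLs of your own to see which entries depend on the implicit asterisk before deciding whether to add the slash manually or enable append-end-token.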