Follow these steps to verify that Palo Alto Networks
URL Filtering services categorize and enforce policy on URLs as
expected.
To test your URL Filtering and Advanced URL
Filtering policy configurations, use Palo Alto Networks URL Filtering Test Pages.
Test pages have been created for the safe testing of all predefined URL categories,
including real-time-detection categories applicable only to firewalls
running advanced URL filtering.
You must enable SSL decryption
for test pages to work over an HTTPS connection.
Advanced URL filtering test pages contain “real-time-detection” in the URL
and confirm that firewalls correctly categorize and analyze malicious
URLs in real-time. They do not verify firewall behavior for all
other categories.
You can check the classification of a specific website using Palo Alto Networks
URL category lookup tool, Test A Site.
Follow the procedure corresponding to your URL Filtering subscription:
If you have the legacy URL Filtering subscription,
follow the steps below to test and verify that the firewall correctly
categorizes, enforces, and logs URLs in the categories that you
access.
Access a website in the URL category of interest.
Consider testing sites in blocked URL categories. You can
use a test page (urlfiltering.paloaltonetworks.com/test-<url-category>)
to avoid directly accessing a site. For example, to test your block
policy for malware, visit https://urlfiltering.paloaltonetworks.com/test-malware.
Verify that your firewall processes the site correctly.
For example, if you configured a block page to display
when someone accesses a site that violates your organization’s policy,
check that one appears when you visit the test site.
Review the Traffic and URL Filtering logs
(Monitor > Logs)
to confirm that the URLs have been properly categorized and the
correct policy rule is logged.
Verify Advanced URL Filtering
If you have an Advanced URL Filtering subscription,
follow the steps below to test and verify that real-time URL analysis
is happening.
Palo Alto Networks recommends setting
the real-time-detection action setting to alert for your active
URL filtering profiles. This provides visibility into URLs analyzed in
real-time and will block (or allow, depending on your policy settings)
based on the category settings configured for specific web threats.
The firewall enforces the most severe action of the actions configured
for detected URL categories of a given URL. For example, suppose
example.com is categorized as real-time-detection, command-and-control,
and shopping—categories with an alert, block, and allow action configured,
respectively. The firewall will block the URL because block is the most
severe action from the detected categories.
Verify that URLs are being analyzed and categorized
using the advanced URL Filtering service.
Visit each of the following test URLs to
verify that the advanced URL Filtering service is properly categorizing
URLs:
Monitor the activity on the firewall to verify that
the tested URLs have been properly categorized as real-time-detection.
Select Monitor > Logs > URL Filtering and
filter by (url_category_list contains real-time-detection) to
view logs that have been analyzed using advanced URL filtering.
Additional web page category matches are also displayed and correspond
to the categories as defined by PAN-DB.
Take a detailed look at the logs to verify that each type
of web threat is correctly analyzed and categorized. In the example
below, the URL is categorized as having been analyzed in real-time,
and, additionally, as possessing qualities that define it as command
and control. Because C&C has a more severe action compared to
real-time-detection (block as opposed to alert), this URL has been
categorized as command and control and has been blocked.
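The most-severe-action rule and the log review described above can be checked mechanically. The following is an added example, not Palo Alto Networks code: it recomputes the expected action for each real-time-analyzed URL and compares it with the logged action. Assumptions: the severity order allow < alert < block (taken from the page's example), the hypothetical profile, and the record layout and action strings of the constructed sample logs.

```python
# Added example; not Palo Alto Networks code. All data below is constructed.
# Assumed severity order, taken from the page's example: allow < alert < block.
SEVERITY = {"allow": 0, "alert": 1, "block": 2}

# Hypothetical URL Filtering profile: category -> configured action.
PROFILE = {
    "real-time-detection": "alert",
    "command-and-control": "block",
    "shopping": "allow",
}

def effective_action(categories, profile):
    """Return (action, deciding_category): the most severe configured action."""
    if not categories:
        raise ValueError("empty category list")
    for cat in categories:
        if cat not in profile:
            raise ValueError(f"no action configured for category {cat!r}")
        if profile[cat] not in SEVERITY:
            raise ValueError(f"unsupported action {profile[cat]!r} for {cat!r}")
    deciding = max(categories, key=lambda c: SEVERITY[profile[c]])
    return profile[deciding], deciding

def audit(records, profile):
    """Compare the logged action with the expected one for real-time-analyzed URLs."""
    findings = []
    for rec in records:
        cats = [c.strip() for c in rec["url_category_list"].split(",") if c.strip()]
        if "real-time-detection" not in cats:
            continue  # same selection as the log filter on the page
        expected, deciding = effective_action(cats, profile)
        findings.append({"url": rec["url"], "expected": expected,
                         "logged": rec["action"], "decided_by": deciding,
                         "ok": rec["action"] == expected})
    return findings

# Constructed log records (field layout and action strings are assumptions).
SAMPLE_LOGS = [
    {"url": "example.com/a", "action": "block",
     "url_category_list": "real-time-detection,command-and-control,shopping"},
    {"url": "example.org/b", "action": "allow",
     "url_category_list": "real-time-detection,shopping"},
    {"url": "example.net/c", "action": "allow", "url_category_list": "shopping"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS, PROFILE):
        status = "OK" if f["ok"] else "MISMATCH"
        print(f"{status:8} {f['url']} expected={f['expected']} logged={f['logged']}")
```

A mismatch means the logged action is less or more severe than the profile implies for that category list, which points to a different profile or policy rule having matched the session.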