Advanced URL Filtering
Create a Custom URL Category
Create a custom URL category that functions as either
a URL category exception list or a distinct category based on multiple
PAN-DB categories.
You can create a custom URL category to define
exceptions to URL category enforcement or define a new URL category from multiple
categories.
Define Exceptions to URL Category Enforcement (URL List)
Specify a list of URLs (grouped under a single custom category) that you
wish to enforce independently of their predefined URL categories. You can control
access to this category in a URL Filtering profile that you apply to Security policy
rules or use the category as match criteria in Security policy rules. For example,
you can block the social-networking category but allow access to LinkedIn.
Define a Custom URL Category Based on Multiple PAN-DB Categories (Category Match)
Create a new category to target enforcement for
websites or pages that match all of the categories defined as part of
the custom category. For example, PAN-DB might classify a developer blog that your
engineers use for research as personal-sites-and-blogs, computer-and-internet-info,
and high-risk. To allow the engineers to access the blog and similar websites and
gain visibility into these websites, you can
create a custom URL category based on the three categories and set site access for
the category to alert in a URL Filtering profile.
PAN-DB evaluates URLs against custom URL categories before external dynamic lists
and predefined URL categories. Accordingly, the firewall enforces the Security
policy rules for a URL in a custom URL list over the policy rules associated
with the individual URL categories it exists in.
If multiple Security policy rules include a custom URL category, then the
firewall enforces the Security policy rule with the strictest URL Filtering
profile action for the matching traffic.
Cloud Managed
If you’re using Panorama to manage Prisma Access: Toggle over to the PAN-OS & Panorama tab and follow the guidance there.
If you’re using Strata Cloud Manager, continue here.
- Select Manage > Configuration > Security Services > URL Access Management > Access Control.
- Under Custom URL Categories, select Add Category. Enter a descriptive Name for the category.
- Set the custom URL category Type to either URL List or Category Match.
  - URL List—Use this list type to add URLs that you want to enforce differently than the URL category to which they belong or to define a list of URLs as belonging to a custom category. Consult the Guidelines for URL Category Exceptions as you create URL list entries.
  - Category Match—Provide targeted enforcement for websites that match a set of categories. The website or page must match all the categories defined in the custom category.
- Under Items, Add either URLs or existing categories.
- Save the custom URL category.
- Define Site Access and User Credential Submissions settings for the custom URL category.
  - Select Manage > Configuration > Security Services > URL Access Management > URL Access Management Profiles.
  - Select an existing profile to modify or click Add Profile.
  - Under Access Control, select the custom URL category you created earlier. It sits under Custom URL Categories and above Pre-Defined Categories.
  - Set Site Access for the category.
  - Set User Credential Submissions for the category.
  - Save the profile.
- Apply the URL Access Management profile to a Security policy rule.
  A URL Access Management profile is only active when it’s included in a profile group that a Security policy rule references.
  Follow the steps to activate a URL Access Management profile (and any Security profile). Be sure to Push Config.
  You can also use custom URL categories as Security policy rule match criteria. In this scenario, you do not define site access for the URL category in a URL Filtering profile. Instead, after creating a custom URL category, select the Security policy rule you want to add the custom URL category to (Manage > Configuration > Security Services > Security Policy). Under Applications, Services and URLs and URL Category Entities, click Add URL Categories. Select the custom URL category you created, and then Save the Security policy rule.
PAN-OS & Panorama
- Select Objects > Custom Objects > URL Category.
- Add or modify a custom URL category, and give the category a descriptive Name.
- Set the category Type to either Category Match or URL List:
  - URL List—Add URLs that you want to enforce differently than the URL category to which they belong. Use this list type to define exceptions to URL category enforcement or to define a list of URLs as belonging to a custom category. Consult URL Category Exceptions for guidelines on creating URL list entries.
    By default, the firewall automatically appends a trailing slash (/) to domain entries (example.com) that do not end in a trailing slash or asterisk (*). The trailing slash prevents the firewall from assuming an implicit asterisk to the right of the domain.
    In non-wildcard domain entries, the trailing slash limits matches to the given domain and its subdirectories. For example, example.com (example.com/ after processing) matches itself and example.com/search.
    In wildcard domain entries (entries using asterisks or carets), the trailing slash limits matches to URLs that conform to the specified pattern. For example, to match the entry *.example.com, a URL must strictly begin with one or more subdomains and end with the root domain, example.com; news.example.com is a match, but example.com is not because it lacks a subdomain.
    We recommend manually adding trailing slashes to clarify the intended matching behavior of an entry for anyone who inspects your URL list. The trailing slash is invisible if added by the firewall. URL Category Exceptions discusses the trailing slash and matching behavior in further detail.
    To disable this feature, go to Device > Setup > Content-ID > URL Filtering. Then, deselect Append Ending Token. If you disable this feature, you may block or allow access to more URLs than intended. URL Category Exceptions (PAN-OS 10.1 and earlier) describes the firewall’s behavior when this feature is disabled.
  - Category Match—Provide targeted enforcement for websites that match a set of categories. The website or page must match all the categories defined in the custom category.
- Click OK to save the custom URL category.
- Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile. Your new custom category displays under Custom URL Categories.
- Decide how you want to enforce Site Access and User Credential Submissions for the custom URL category. (To control the sites to which users can submit their corporate credentials, see Prevent Credential Phishing.)
- Attach the URL Filtering profile to a Security policy rule to enforce traffic that matches that rule.
  Select Policies > Security > Actions and specify the Security policy rule to enforce traffic based on the URL Filtering profile you just updated. Make sure to Commit your changes.
  You can also use custom URL categories as Security policy rule match criteria. In this case, you do not define site access for the URL category in a URL Filtering profile. After creating a custom category, go to the Security policy rule to which you want to add the custom URL category (Policies > Security). Then, select Service/URL Category to use the custom URL category as match criteria for the rule.
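The URL List matching rules described above (the appended trailing slash, the *.example.com wildcard, and the wider matching that can follow from disabling Append Ending Token) can be checked against a draft list before it is committed. The Python model below is an added example, not Palo Alto Networks code. It assumes domain entries with asterisk labels only (carets and path patterns are not modelled), treats the implicit right-hand asterisk as allowing further labels or paths, and uses constructed hostnames.

```python
import re

# One or more dot-separated labels: what '*' stands for in this model.
LABELS = r"[^./]+(?:\.[^./]+)*"

def process(entry, append_ending_token=True):
    """Entry as stored: '/' is appended unless it already ends in '/' or '*'."""
    if append_ending_token and not entry.endswith(("/", "*")):
        return entry + "/"
    return entry

def matches(entry, url, append_ending_token=True):
    """True if a domain entry (literal or with '*' labels) matches url."""
    processed = process(entry.lower(), append_ending_token)
    anchored = processed.endswith("/")
    host = processed.rstrip("/")
    host_re = r"\.".join(LABELS if label == "*" else re.escape(label)
                         for label in host.split("."))
    # Anchored: the host ends here and only sub-paths may follow.
    # Unanchored (assumed model of the implicit asterisk): more labels may follow.
    tail = r"(?:/.*)?" if anchored else r"(?:[./].*)?"
    target = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.lower())
    return re.fullmatch(host_re + tail, target) is not None

def audit(entries, sample_urls):
    """For each entry: is the slash invisible, and what changes if the token is off."""
    report = {}
    for entry in entries:
        on = {u for u in sample_urls if matches(entry, u, True)}
        off = {u for u in sample_urls if matches(entry, u, False)}
        report[entry] = {
            "implicit_slash": process(entry) != entry,
            "matched": sorted(on),
            "extra_if_disabled": sorted(off - on),
        }
    return report

if __name__ == "__main__":
    # Constructed sample data; .invalid is a reserved TLD.
    urls = ["example.com/search", "news.example.com",
            "example.com.test.invalid/login"]
    for entry, result in audit(["example.com", "*.example.com"], urls).items():
        print(entry, result)
```

Entries reported with implicit_slash set are the ones the page recommends rewriting with an explicit trailing slash, and a non-empty extra_if_disabled list shows which sample URLs would start matching if Append Ending Token were deselected.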