Each website defined in the URL filtering database is assigned one of approximately 60 different URL categories. There are two ways to make use of URL categorization on the firewall:
Block or allow traffic based on URL category
—You can create a URL Filtering profile that specifies an action for each URL category and attach the profile to a policy. Traffic that matches the policy would then be subject to the URL filtering settings in the profile. For example, to block all gaming websites you would set the block action for the URL category games in the URL profile and attach it to the security policy rule(s) that allow web access. See Configure URL Filtering for more information.
Match traffic based on URL category for policy enforcement
—If you want a specific policy rule to apply only to web traffic to sites in a specific category, you would add the category as match criteria when you create the policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply bandwidth controls to all websites that are categorized as streaming media. See URL Category as Policy Match Criteria for more information.
Grouping websites into categories makes it easy to define actions based on certain types of websites. In addition to the standard URL categories, there are three additional categories:
not-resolved
Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL; if no match is found, it checks the management plane cache, and if no match is found there, it queries the URL database in the cloud. In the case of the PAN-DB private cloud, the URL database in the cloud is not used for queries.
Setting the action to block for traffic that is categorized as not-resolved may be very disruptive to users. You could set the action to continue, so that you can notify users that they are accessing a site that is blocked by company policy and provide the option to read the disclaimer and continue to the website.
For more information on troubleshooting lookup issues, see Troubleshoot URL Filtering.
private-ip-addresses
Indicates that the website is a single domain (no sub-domains), the IP address is in the private IP range, or the URL root domain is unknown to the cloud.
unknown
The website has not yet been categorized, so it does not exist in the URL filtering database on the firewall or in the URL cloud database.
When deciding what action to take for traffic categorized as unknown, be aware that setting the action to block may be very disruptive to users because there could be a lot of valid sites that are not in the URL database yet. If you do want a very strict policy, you could block this category, so websites that do not exist in the URL database cannot be accessed.
Palo Alto Networks collects the list of URLs from the unknown category and processes them to determine the URL category. These URLs are processed automatically, every day, provided the website has machine-readable content that is in a supported format and language. Upon categorization, the updated category information is made available to all PAN-DB customers.
You can submit URL categorization change requests using the Palo Alto Networks dedicated web portal (Test A Site), the URL filtering profile setup page on the firewall, or the URL filtering log on the firewall. Each change request is automatically processed every day, provided the website provides machine-readable content that is in a supported format and language. Sometimes, the categorization change requires a member of the Palo Alto Networks engineering staff to perform a manual review. In such cases, the process may take a little longer.
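The lookup order and the three special categories described above can be modeled as follows. This is an added illustration, not Palo Alto Networks code: the cache contents, hostnames, profile actions and function names are constructed, and the point at which the private-address check runs is an assumption.

```python
import ipaddress

# Constructed sample data standing in for the firewall caches and cloud DB.
DATAPLANE_CACHE = {"games.example": "games"}
MGMT_PLANE_CACHE = {"video.example": "streaming-media"}
CLOUD_DB = {"news.example": "news"}

# Hypothetical URL Filtering profile: action per category, default "allow".
PROFILE = {"games": "block", "not-resolved": "continue", "unknown": "alert"}


def is_private_or_single_label(host):
    """True for a private-range IP or a single domain with no sub-domains."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host


def categorize(host, cloud_reachable=True):
    """Return (category, source) using the lookup order from the text:
    dataplane cache, then management plane cache, then the cloud."""
    for source, cache in (("dataplane", DATAPLANE_CACHE),
                          ("management", MGMT_PLANE_CACHE)):
        if host in cache:
            return cache[host], source
    # Assumption: the private-address check happens before the cloud query.
    if is_private_or_single_label(host):
        return "private-ip-addresses", "local"
    if not cloud_reachable:
        # Not found locally and the cloud could not be contacted.
        return "not-resolved", "none"
    if host in CLOUD_DB:
        return CLOUD_DB[host], "cloud"
    # The cloud answered, but the site has not been categorized yet.
    return "unknown", "cloud"


def action_for(host, cloud_reachable=True, profile=PROFILE):
    """Action the hypothetical profile applies to a request for host."""
    category, _ = categorize(host, cloud_reachable)
    return profile.get(category, "allow")


if __name__ == "__main__":
    for h, up in [("games.example", True), ("news.example", False),
                  ("new-site.example", True), ("10.1.2.3", True)]:
        print(h, up, categorize(h, up), action_for(h, up))
```

Running the same hostname with the cloud reachable and unreachable shows why a block action on not-resolved is disruptive: a site that is normally allowed falls into not-resolved during a connectivity outage.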