A Security policy can include specification of a URL filtering profile that blocks access to specific web sites and web site categories, enforces safe search, or generates an alert when the specified web sites are accessed (a URL filtering license is required). You can also define a block list of web sites that are always blocked (or generate alerts) and an allow list of web sites that are always allowed.
To apply URL filtering profiles to security policies, refer to Policies > Security. To create custom URL categories with your own lists of URLs, refer to Objects > Custom Objects > URL Category.
The following tables describe the URL filtering profile settings.
URL Filtering Profile Settings (setting name, followed by its description)
Name
Enter a profile name (up to 31 characters). This name appears in the list of URL filtering profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description
Enter a description for the profile (up to 255 characters).

Shared
Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
Select this option if you want to prevent administrators from creating local copies of the profile in descendant device groups by overriding its inherited values. This selection is cleared by default, which means overriding is enabled.
Categories
Action on License Expiration (Configurable for BrightCloud only)
Select the action to take if the URL filtering license expires:
- Block: Blocks access to all web sites.
- Allow: Allows access to all web sites.
If you are using the BrightCloud database and you set this option to Block upon license expiration, all URLs will be blocked, not just the URL categories that are set to block. If you set it to Allow, all URLs will be allowed. If the license expires for PAN-DB, URL filtering is not enforced: URL categories that are currently in cache will be used to either block or allow content based on your configuration. Using cached results is a security risk because the categorization information might be stale. URLs that are not in the cache will be categorized as not-resolved and will be allowed. Always renew your license in time to ensure network security.

Block List
If you would like to use an External Dynamic List to dynamically update (without a commit) the list of URLs that you wish to block, see Objects > External Dynamic Lists.
Enter the IP addresses or URL path names of the web sites that you want to block or generate alerts on. Enter each URL one per line. You must omit the "http" and "https" portion of the URLs when adding web sites to the list. Entries in the block list are an exact match and are case-insensitive. For example, "www.paloaltonetworks.com" is different from "paloaltonetworks.com". If you want to block the entire domain, you should include both "*.paloaltonetworks.com" and "paloaltonetworks.com".
Examples:
  www.paloaltonetworks.com
  198.133.219.25/en/US
Block and allow lists support wildcard patterns. The following characters are considered separators: . / ? & = ; +
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
  *.yahoo.com (Tokens are: "*", "yahoo" and "com")
  www.*.com (Tokens are: "www", "*" and "com")
  www.yahoo.com/search=* (Tokens are: "www", "yahoo", "com", "search", "*")
The following patterns are invalid because the character "*" is not the only character in the token:
  ww*.yahoo.com
  www.y*.com

Action
Select the action to take when a web site in the block list is accessed:
- alert: Allow the user to access the web site, but add an alert to the URL log.
- block: Block access to the web site.
- continue: Allow the user to access the blocked page by clicking Continue on the block page.
- override: Allow the user to access the blocked page after entering a password. The password and other override settings are specified in the URL Admin Override area of the Settings page (refer to the Management Settings table in Device > Setup > Management).

Allow List
If you would like to use an External Dynamic List to dynamically update (without a commit) the list of URLs that you wish to allow, see Objects > External Dynamic Lists.
Enter the IP addresses or URL path names of the web sites that you want to allow or generate alerts on. Enter each IP address or URL one per line. You must omit the "http" and "https" portion of the URLs when adding web sites to the list. Entries in the allow list are an exact match and are case-insensitive. For example, "www.paloaltonetworks.com" is different from "paloaltonetworks.com". If you want to allow the entire domain, you should include both "*.paloaltonetworks.com" and "paloaltonetworks.com".
Examples:
  www.paloaltonetworks.com
  198.133.219.25/en/US
Block and allow lists support wildcard patterns. The following characters are considered separators: . / ? & = ; +
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
  *.yahoo.com (Tokens are: "*", "yahoo" and "com")
  www.*.com (Tokens are: "www", "*" and "com")
  www.yahoo.com/search=* (Tokens are: "www", "yahoo", "com", "search", "*")
The following patterns are invalid because the character "*" is not the only character in the token:
  ww*.yahoo.com
  www.y*.com
This list takes precedence over the selected web site categories.
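The tokenization and wildcard rules above apply to both the block list and the allow list, so one matcher serves both. The following is an added example written for this page, not Palo Alto Networks code: it splits entries on the separator characters the page lists, rejects patterns whose "*" is not the whole token, and performs the exact, case-insensitive, token-wise comparison the page describes. Two details are assumptions, because the page does not state them: a "*" token is treated as standing for one or more whole tokens (so "*.paloaltonetworks.com" never matches the bare "paloaltonetworks.com", consistent with the advice to list both), and an "http://" or "https://" prefix on the observed URL is stripped before matching, since entries must omit it.

```python
from __future__ import annotations

# Separator characters from the page: every substring between them is a token.
SEPARATORS = frozenset("./?&=;+")


def tokenize(entry: str) -> list[str]:
    """Split an entry or URL into tokens on the separator characters."""
    tokens: list[str] = []
    current: list[str] = []
    for ch in entry:
        if ch in SEPARATORS:
            tokens.append("".join(current))
            current = []
        else:
            current.append(ch)
    tokens.append("".join(current))
    # Empty tokens come from adjacent separators (e.g. "//"); they carry no content.
    return [t for t in tokens if t]


def validate_pattern(pattern: str) -> tuple[bool, str]:
    """Check the page's rule: tokens are ASCII, and '*' may only be a whole token."""
    if not pattern.isascii():
        return False, "non-ASCII character in pattern"
    for tok in tokenize(pattern):
        if "*" in tok and tok != "*":
            return False, f"'*' must be the only character in its token: {tok!r}"
    return True, "ok"


def normalize_url(url: str) -> str:
    """Lower-case and drop a scheme prefix (assumption: entries omit http/https)."""
    url = url.strip().lower()
    for scheme in ("http://", "https://"):
        if url.startswith(scheme):
            return url[len(scheme):]
    return url


def _match_tokens(pt: list[str], ut: list[str]) -> bool:
    """Recursive token-wise comparison; exact match means all tokens are consumed."""
    if not pt:
        return not ut
    if pt[0] == "*":
        # ASSUMPTION (not stated on the page): '*' stands for one or more tokens.
        return any(_match_tokens(pt[1:], ut[i:]) for i in range(1, len(ut) + 1))
    return bool(ut) and pt[0] == ut[0] and _match_tokens(pt[1:], ut[1:])


def entry_matches(entry: str, url: str) -> bool:
    """True if a block/allow list entry matches the URL (exact, case-insensitive)."""
    ok, reason = validate_pattern(entry)
    if not ok:
        raise ValueError(f"invalid list entry {entry!r}: {reason}")
    return _match_tokens(tokenize(entry.lower()), tokenize(normalize_url(url)))


def first_matching_entry(entries: list[str], url: str) -> str | None:
    """Return the first list entry that matches the URL, or None."""
    for entry in entries:
        if entry_matches(entry, url):
            return entry
    return None


if __name__ == "__main__":
    # Constructed sample list using the page's own example entries.
    block_list = ["www.paloaltonetworks.com", "198.133.219.25/en/US",
                  "*.yahoo.com", "www.yahoo.com/search=*"]
    for url in ("WWW.PaloAltoNetworks.com", "paloaltonetworks.com",
                "http://198.133.219.25/en/US", "mail.yahoo.com",
                "www.yahoo.com/search=cats"):
        print(f"{url:32} -> {first_matching_entry(block_list, url)}")
```

Run the module directly to see which entry each constructed URL hits; the second URL matches nothing, which is exactly why the page tells you to add both "*.paloaltonetworks.com" and "paloaltonetworks.com" to cover a whole domain. Validating entries before they reach the list (as validate_pattern does) catches the "ww*.yahoo.com" style mistake at edit time rather than silently leaving a gap in enforcement.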
Category/Action
In addition to the predefined categories, both custom URL categories and external dynamic lists of type URL are displayed under Category. By default, the action for all categories is set to Allow. For each category, select the action to take when a URL in that category is accessed:
- alert: Allows access to the web site but adds an alert to the URL log each time a user accesses the URL.
- allow: Allows access to the web site.
- block: Blocks access to the web site.
- continue: Displays a response page. To access the web site, the user must click Continue on the response page.
- override: Displays a response page that prompts the user to enter a password. The override option restricts access to users with a valid password. Configure URL Admin Override settings (Device > Setup > Content-ID) to manage password and other override settings. (See also the Management Settings table in Device > Setup > Content-ID.) The Continue and Override pages will not be displayed properly on client machines that are configured to use a proxy server.
- none (custom URL category only): If you have created custom URL categories, set the action to none to allow the firewall to inherit the URL filtering category assignment from your URL database vendor. Setting the action to none gives you the flexibility to ignore custom categories in a URL filtering profile, while allowing you to use the custom URL category as a match criterion in policy rules (Security, Decryption, and QoS) to make exceptions or to enforce different actions. To delete a custom URL category, you must set the action to none in any profile where the custom category is used. For information on custom URL categories, see Objects > Custom Objects > URL Category.
Check URL Category
Click to access the web site where you can enter a URL or IP address to view categorization information.

Dynamic URL Filtering (Configurable for BrightCloud only)
Default: Disabled
With PAN-DB, this option is enabled by default and is not configurable. Select to enable cloud lookup for categorizing the URL. This option is invoked if the local database is unable to categorize the URL. If the URL is unresolved after a 5 second timeout window, the response displays as "Not resolved URL."
Settings
Log container page only
Default: Enabled
Select this option to log only the URLs that match the content type that is specified.

Enable Safe Search Enforcement
Default: Disabled
A URL filtering license is not required to use this feature. Select this option to enforce strict safe search filtering. When enabled, this option will prevent users who are searching the Internet using one of the following search providers (Bing, Google, Yahoo, Yandex, or YouTube) from viewing the search results unless the strictest safe search option is set in their browsers for these search engines. If a user performs a search using one of these search engines and their browser or search engine account setting for safe search is not set to strict, the search results will be blocked (depending on the action set in the profile) and the user will be prompted to set their safe search setting to strict. If you are performing a search on Yahoo Japan (yahoo.co.jp) while logged into your Yahoo account, the lock option for the search setting must also be enabled.
To enforce safe search, the profile must be added to a Security policy. And, to enable safe search for encrypted sites (HTTPS), the profile must be attached to a decryption policy.
The ability of the firewall to detect the safe search setting within these three providers will be updated using the Applications and Threats signature update. If a provider changes the safe search setting method that Palo Alto Networks uses to detect the safe search settings, an update will be made to the signature update to ensure that the setting is detected properly. Also, the evaluation to determine whether a site is judged to be safe or unsafe is performed by each search provider, not Palo Alto Networks.
To prevent users from bypassing this feature by using other search providers, configure the URL filtering profile to block the search-engines category and then allow access to Bing, Google, Yahoo, Yandex, and YouTube. Refer to the PAN-OS 7.1 Administrator's Guide for more information.

HTTP Header Logging
Enabling HTTP Header Logging provides visibility into the attributes included in the HTTP request sent to a server. When enabled, one or more of the following attribute-value pairs are recorded in the URL Filtering log:
- User-Agent: The web browser that the user used to access the URL. This information is sent in the HTTP request to the server. For example, the User-Agent can be Internet Explorer or Firefox. The User-Agent value in the log supports up to 1024 characters.
- Referer: The URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested. The Referer value in the log supports up to 256 characters.
- X-Forwarded-For: The header field option that preserves the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is particularly useful if you have a proxy server on your network or you have implemented Source NAT that is masking the user's IP address, such that all requests seem to originate from the proxy server's IP address or a common IP address. The X-Forwarded-For value in the log supports up to 128 characters.
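To make the three logged attributes concrete, here is an added example (written for this page, not Palo Alto Networks code) that parses the header block of a raw HTTP/1.1 request, picks out User-Agent, Referer and X-Forwarded-For, and enforces the 1024/256/128-character limits the page gives for the log fields. The sample request is constructed. Two points are assumptions, not documented behaviour: that an over-long value is truncated to the limit (the page only says the field "supports up to" that many characters), and the note in the code that X-Forwarded-For is only meaningful as a user identifier when the request arrives from your own proxy, since any client can set the header.

```python
from __future__ import annotations

# Maximum lengths the URL Filtering log keeps for each attribute (from the page).
HEADER_LIMITS = {"user-agent": 1024, "referer": 256, "x-forwarded-for": 128}


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Return (request-target, headers) from a raw HTTP/1.1 request.

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires; the body after the blank line is ignored.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line = lines[0].split(" ")
    target = request_line[1] if len(request_line) >= 2 else ""
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return target, headers


def url_log_attributes(headers: dict[str, str]) -> dict[str, str]:
    """Build the attribute-value pairs HTTP Header Logging would record.

    ASSUMPTION: values longer than the documented field size are truncated.
    Note for analysts: X-Forwarded-For is client-supplied; treat it as the
    user's address only when the request came through a proxy you control.
    """
    record: dict[str, str] = {}
    for name, limit in HEADER_LIMITS.items():
        if name in headers:
            record[name] = headers[name][:limit]
    return record


def log_line(src_ip: str, target: str, attrs: dict[str, str]) -> str:
    """Render one constructed URL-log style line for the request."""
    fields = ",".join(f"{k}={v}" for k, v in sorted(attrs.items()))
    return f"src={src_ip} url={target} {fields}"


# Constructed sample request as seen from a proxy at 10.0.0.5 (not real traffic).
SAMPLE_REQUEST = (
    b"GET /en/US HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0) Firefox/115.0\r\n"
    b"Referer: https://search.example.net/?q=docs\r\n"
    b"X-Forwarded-For: 192.0.2.44\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)


def sample_record() -> dict[str, str]:
    """Parse the constructed request and return the attributes to be logged."""
    _, headers = parse_request(SAMPLE_REQUEST)
    return url_log_attributes(headers)


if __name__ == "__main__":
    target, headers = parse_request(SAMPLE_REQUEST)
    print(log_line("10.0.0.5", "www.example.com" + target, url_log_attributes(headers)))
```

Running the module prints a single constructed log line; in the sample the proxy's address is the source, and the X-Forwarded-For value is what lets you attribute the request to the real client behind it, which is the use case the page describes for Source NAT and proxy deployments.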