URL Category Exception Lists

You can exclude specific websites from URL category enforcement, ensuring that these websites are blocked or allowed regardless of their associated URL category. For example, you could block a URL category but choose to allow certain sites that fall within that category. To create these kinds of exceptions to URL category enforcement:
  • Add the IP addresses or URLs of the sites you want to block or allow (regardless of their associated URL category) directly to a URL Filtering profile (Objects > Security Profiles > URL Filtering > Overrides).
  • Use an External Dynamic List in a URL Filtering profile. The benefit to using an External Dynamic List to specify the sites you want to enforce separately from their URL categories is that you can update the External Dynamic List without performing a configuration change or commit on the firewall.
The following guidelines describe how to populate URL Category block and allow lists, or a text file that you’re using as the source of an External Dynamic List for URLs:

Basic Guidelines For URL Category Exception Lists

  • Enter the IP addresses or URLs of websites that you want to enforce separately from the associated URL category.
  • List entries must be an exact match and are case-insensitive.
  • You can enter a string that is an exact match to the website (and possibly, specific subdomain) for which you want to control access, or you can use wildcard characters to allow an entry to match to multiple website subdomains. For details on using wildcard characters, review Wildcard Guidelines for URL Category Exception Lists.
  • Omit http and https from URL entries.

Wildcard Guidelines for URL Category Exception Lists

You can use wildcards in URL Category exception lists to easily configure a single entry to match to multiple website subdomains and pages, without having to specify exact subdomains and pages.
Follow these guidelines when creating wildcard entries:
  • The following characters are considered token separators: . / ? & = ; +
    Every string separated by one or two of these characters is a token. Use wildcard characters as token placeholders, indicating that a specific token can contain any value.
  • In place of a token, you can use either an asterisk (*) or a caret (^) to indicate a wildcard value.
  • Wildcard characters must be the only character within a token; however, an entry can contain multiple wildcards.
When to use asterisk (*) wildcards:
Use an asterisk (*) wildcard to indicate one or more variable subdomains. For example, to specify enforcement for the Palo Alto Networks website regardless of the domain extension used--which might be one or two subdomains, depending on location--you would add this entry: www.paloaltonetworks.*. This entry would match to both www.paloaltonetworks.com and www.paloaltonetworks.co.uk.
When to use caret (^) wildcards:
Use caret (^) wildcards to indicate one variable subdomain. They may also be helpful when targeting an exact number of subdomains for enforcement. For example, mail.^.com only matches to URLs like mail.company.com. This entry wouldn't match to a site like mail.company.sso.com, where the URL includes an additional subdomain.
Do not create an entry with consecutive asterisk (*) wildcards or more than nine consecutive caret (^) wildcards—entries like these can affect firewall performance.
For example, do not add an entry like mail.*.*.com; instead, depending on the range of websites you want to control access to, enter mail.*.com or mail.^.^.com. An entry like mail.*.com matches to a greater number of sites than mail.^.^.com: mail.*.com matches to sites with any number of subdomains, and mail.^.^.com matches to sites with exactly two subdomains.

URL Category Exception List—Wildcard Examples

The following table lists examples of URL exception list entries using wildcards, and examples of the sites that these entries match to.

URL Exception List Entry     Matching Sites

Example Set 1
*.company.com                eng.tools.company.com, support.tools.company.com, tools.company.com, docs.company.com
^.company.com                tools.company.com, docs.company.com
^.^.company.com              eng.tools.company.com, support.tools.company.com

Example Set 2
mail.google.*                mail.google.com, mail.google.co.uk
mail.google.^                mail.google.com
mail.google.^.^              mail.google.co.uk
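The wildcard rules in the guidelines above (an asterisk stands for one or more tokens, a caret for exactly one token, everything else is a case-insensitive exact match) and the entries in the table can be checked with a small matcher. The following is an added illustration written for this page, not Palo Alto Networks code and not a description of how the firewall is implemented: the token-splitting regex, the functions validate_entry, entry_matches and matching_sites, the decision to strip an http:// or https:// scheme from the URL being checked, and the extra candidate sites company.com and mail.google.com.au are all assumptions constructed for the example. It is useful for sanity-checking an exception list or an External Dynamic List file before you deploy it, so that an entry matches neither more nor fewer sites than you intended.

```python
from __future__ import annotations

import re

# Token separators listed in the guidelines. A run of one or more of them
# delimits a token, which covers the "one or two" separator case such as "?a=".
_SEPARATOR_RUN = re.compile(r"[./?&=;+]+")


def tokenize(text: str) -> list[str]:
    """Lower-case the string (entries are case-insensitive) and split it into tokens."""
    return [tok for tok in _SEPARATOR_RUN.split(text.lower()) if tok]


def validate_entry(entry: str) -> list[str]:
    """Check an entry against the documented guidelines and return its tokens.

    Raises ValueError for the forms the guidelines tell you not to use.
    """
    if entry.lower().startswith(("http://", "https://")):
        raise ValueError("omit http and https from URL entries")
    tokens = tokenize(entry)
    if not tokens:
        raise ValueError("entry contains no tokens")
    caret_run = 0
    for i, tok in enumerate(tokens):
        # A wildcard must be the only character within its token.
        if ("*" in tok or "^" in tok) and tok not in ("*", "^"):
            raise ValueError(f"wildcard must be the only character in a token: {tok!r}")
        if tok == "*" and i > 0 and tokens[i - 1] == "*":
            raise ValueError("consecutive asterisk wildcards are not allowed")
        caret_run = caret_run + 1 if tok == "^" else 0
        if caret_run > 9:
            raise ValueError("more than nine consecutive caret wildcards are not allowed")
    return tokens


def _match(pattern: list[str], url: list[str]) -> bool:
    """Recursive token matcher: '^' consumes exactly one token, '*' one or more."""
    if not pattern:
        return not url  # pattern exhausted: match only if the URL is exhausted too
    head, rest = pattern[0], pattern[1:]
    if head == "*":
        # Let the asterisk absorb every non-empty prefix of the remaining tokens.
        return any(_match(rest, url[n:]) for n in range(1, len(url) + 1))
    if not url:
        return False
    if head == "^" or head == url[0]:
        return _match(rest, url[1:])
    return False


def entry_matches(entry: str, url: str) -> bool:
    """True if the exception-list entry matches the URL.

    Stripping a leading scheme from the checked URL is an assumption of this
    example; entries themselves must not carry one (validate_entry enforces that).
    """
    url = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    return _match(validate_entry(entry), tokenize(url))


def matching_sites(entry: str, sites: list[str]) -> list[str]:
    """Return the subset of `sites` that the entry matches, preserving order."""
    return [site for site in sites if entry_matches(entry, site)]


# Candidate sites: the table's examples plus two constructed extras
# (company.com and mail.google.com.au) to show what the wildcards do NOT match.
EXAMPLE_SET_1 = [
    "eng.tools.company.com", "support.tools.company.com",
    "tools.company.com", "docs.company.com", "company.com",
]
EXAMPLE_SET_2 = ["mail.google.com", "mail.google.co.uk", "mail.google.com.au"]


if __name__ == "__main__":
    for entry in ("*.company.com", "^.company.com", "^.^.company.com"):
        print(f"{entry:18} -> {matching_sites(entry, EXAMPLE_SET_1)}")
    for entry in ("mail.google.*", "mail.google.^", "mail.google.^.^"):
        print(f"{entry:18} -> {matching_sites(entry, EXAMPLE_SET_2)}")
    for bad in ("mail.*.*.com", "http://example.com", "ma*l.com"):
        try:
            validate_entry(bad)
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```

Note that *.company.com does not match the bare company.com, because an asterisk stands for one or more tokens rather than zero, and that a plain entry such as company.com matches only that exact host, not its subdomains.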
