URL Category as Policy Match Criteria
Use URL
Categories as a match criteria in a policy rule for more
granular enforcement. For example, suppose you have configured Decryption,
but you want to exclude traffic to certain types of websites (for
example, healthcare or financial services) from being decrypted.
In this case you could create a decryption policy rule that matches
those categories and set the action to no-decrypt. By placing this
rule above the rule to decrypt all traffic, you can ensure that
web traffic with URL categories that match the no-decrypt rule,
and all other traffic would match the subsequent rule.
The following table describes the policy types that accept URL
category as match criteria:
Policy Type | Description |
|---|---|
Authentication | To ensure that users authenticate before
being allowed access to a specific category, you can attach a URL
category as a match criterion for Authentication policy rules. |
Decryption | Decryption policies can use URL categories
as match criteria to determine if specified websites should be decrypted
or not. For example, if you have a decryption policy with the action
decrypt for all traffic between two zones, there may be specific
website categories, such as financial-services and/or health-and-medicine,
that should not be decrypted. In this case, you would create a new
decryption policy with the action of no‑decrypt that
precedes the decrypt policy and then defines a list of URL categories
as match criteria for the policy. By doing this, each URL category
that is part of the no-decrypt policy will not be decrypted. You
could also configure a custom URL category to define your own list
of URLs that can then be used in the no-decrypt policy. |
QoS | QoS policies can use URL categories to allocate
throughput levels for specific website categories. For example,
you may want to allow the streaming-media category, but limit throughput
by adding the URL category as match criteria to the QoS policy. |
Security | In security policies you can use URL categories
both as a match criteria in the Service/URL Category tab,
and in URL filtering profiles that are attached in the Actions tab. If
for example, the IT-security group in your company needs access
to the hacking category, while all other users are denied access
to the category, you must create the following rules:
|
Related Documentation
Use Case: Use URL Categories for Policy Matching
Use Case: Use URL Categories for Policy Matching You can also use URL categories as match criteria in the following policy types: Authentication, Decryption, Security, ...
Interaction Between App-ID and URL Categories
Interaction Between App-ID and URL Categories The Palo Alto Networks URL filtering solution in combination with App-ID provides unprecedented protection against a full spectrum of ...
URL Categories
URL Categories Each website defined in the URL filtering database is assigned a URL category. Here are a few ways to leverage URL categories: Block ...
URL Filtering Categories
URL Filtering Categories Objects > Security Profiles > URL Filtering > Categories The following table describes URL filtering category settings. Categories Settings Description Category In ...
Create a Policy-Based Decryption Exclusion
Exclude traffic that you choose not to decrypt for legal, privacy, or business reasons from decryption to comply with those policies while still applying SSL ...
Decryption Service/URL Category Tab
Decryption Service/URL Category Tab Select the Service/URL Category tab to apply the decryption policy to traffic based on TCP port number or to any URL ...
Components of a Security Policy Rule
Components of a Security Policy Rule The Security policy rule construct permits a combination of the required and optional fields as detailed in the following ...
Block Search Results when Strict Safe Search is not Enabled
Block Search Results when Strict Safe Search is not Enabled By default, when you enable safe search enforcement, when a user attempts to perform a ...