URL Category as Policy Match Criteria

Use URL categories as match criteria in a policy rule for more granular enforcement. For example, suppose you have configured Decryption, but you want to exclude traffic to certain types of websites (for example, healthcare or financial services) from being decrypted. In this case you could create a decryption policy rule that matches those categories and set the action to no-decrypt. By placing this rule above the rule to decrypt all traffic, you ensure that web traffic with URL categories that match the no-decrypt rule is not decrypted, while all other traffic matches the subsequent rule.
The following table describes the policy types that accept URL category as match criteria:
Policy Type
Description
Authentication
To ensure that users authenticate before being allowed access to a specific category, you can attach a URL category as a match criterion for Authentication policy rules.
Decryption
Decryption policies can use URL categories as match criteria to determine if specified websites should be decrypted or not. For example, if you have a decryption policy with the action decrypt for all traffic between two zones, there may be specific website categories, such as financial-services and/or health-and-medicine, that should not be decrypted. In this case, you would create a new decryption policy with the action of no-decrypt that precedes the decrypt policy and then defines a list of URL categories as match criteria for the policy. By doing this, each URL category that is part of the no-decrypt policy will not be decrypted. You could also configure a custom URL category to define your own list of URLs that can then be used in the no-decrypt policy.
QoS
QoS policies can use URL categories to allocate throughput levels for specific website categories. For example, you may want to allow the streaming-media category, but limit throughput by adding the URL category as match criteria to the QoS policy.
Security
In security policies you can use URL categories both as match criteria in the Service/URL Category tab, and in URL filtering profiles that are attached in the Actions tab.
If, for example, the IT-Security group in your company needs access to the hacking category, while all other users are denied access to the category, you must create the following rules:
  • A Security policy rule that allows the IT-Security group to access content categorized as hacking. The Security policy rule references the hacking category in the Service/URL Category tab and the IT-Security group in the Users tab.
  • Another Security policy rule that allows general web access for all users. To this rule you attach a URL filtering profile that blocks the hacking category.
The policy rule that allows access to hacking must be listed before the policy rule that blocks hacking. This is because Security policy rules are evaluated top down, so when a user who is part of the IT-Security group attempts to access a hacking site, the policy rule that allows access is evaluated first and allows the user access to the hacking sites. Users from all other groups are evaluated against the general web access rule, which blocks access to the hacking sites.
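The ordering requirement above can be checked mechanically. The following is an added example, not vendor code: a simplified first-match model of the two rules described in the Security row, with a check that flags a rule placed below a broader rule that already matches all of its traffic. The rule names and the `Rule`, `evaluate` and `shadowed` helpers are hypothetical, and the model only considers user group and URL category.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})

@dataclass(frozen=True)
class Rule:
    name: str                                # hypothetical rule name
    users: frozenset = ANY                   # Users tab
    categories: frozenset = ANY              # Service/URL Category tab
    profile_blocks: frozenset = frozenset()  # categories blocked by the attached URL filtering profile

def covers(a, b):
    """True if match set a accepts everything match set b accepts."""
    return a == ANY or (b != ANY and b <= a)

def evaluate(rulebase, group, category):
    """Top-down evaluation, first match wins. Returns (rule name, verdict)."""
    for rule in rulebase:
        if covers(rule.users, frozenset({group})) and covers(rule.categories, frozenset({category})):
            verdict = "block" if category in rule.profile_blocks else "allow"
            return rule.name, verdict
    return None, "no-match"

def shadowed(rulebase):
    """(later, earlier) pairs where the earlier rule matches all traffic of the later one."""
    pairs = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if covers(earlier.users, later.users) and covers(earlier.categories, later.categories):
                pairs.append((later.name, earlier.name))
                break
    return pairs

# Constructed rulebase mirroring the two rules described above.
it_rule = Rule("allow-hacking-it", users=frozenset({"IT-Security"}), categories=frozenset({"hacking"}))
general = Rule("general-web", profile_blocks=frozenset({"hacking"}))
CORRECT = [it_rule, general]    # specific allow rule first
REVERSED = [general, it_rule]   # general rule first: the allow rule is never reached

if __name__ == "__main__":
    for label, rb in (("correct", CORRECT), ("reversed", REVERSED)):
        print(label, evaluate(rb, "IT-Security", "hacking"), shadowed(rb))
```

In the reversed order the IT-Security user hits the general rule first and is blocked by its URL filtering profile, and `shadowed` reports the allow rule as unreachable.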
