URL Filtering Overrides

  • Objects > Security Profiles > URL Filtering > Overrides
The following table describes URL filtering override settings.
Overrides Settings
Description
Action on License Expiration
With BrightCloud:
If you are using the BrightCloud database, you can configure the action to take if the URL filtering license expires:
  • Block—Blocks access to all web sites. Upon license expiration, all URLs are blocked, not just the URL categories previously set to block.
  • Allow—Allows access to all web sites. Upon license expiration, all URLs are allowed, not just the URL categories set to allow.
With PAN-DB:
If the license expires for PAN-DB, URL filtering is not enforced:
  • URL categories that are currently in the cache will be used to either block or allow content based on your configuration. Using cached results is a security risk because the categorization information might be stale.
  • URLs that are not in the cache will be categorized as not-resolved and will be allowed.
Always renew your license in time to ensure network security.
Allow List
If you would like to use an External Dynamic List to dynamically update the list of URLs that you wish to allow (without a commit), see Objects > External Dynamic Lists.
Enter the IP addresses or URL path names of the web sites that you want to allow or generate alerts on. Enter one IP address or URL per line.
You must omit the "http://" and "https://" portion of the URLs when adding web sites to the list.
Entries in the allow list are an exact match and are case-insensitive. For example, "www.paloaltonetworks.com" is different from "paloaltonetworks.com". If you want to allow the entire domain, you should include both "*.paloaltonetworks.com" and "paloaltonetworks.com".
Examples:
  • www.paloaltonetworks.com
  • 198.133.219.25/en/US
Block and allow lists support wildcard patterns. The following characters are considered separators:
./?&=;+
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
*.yahoo.com  
(Tokens are: "*", "yahoo" and "com") 
www.*.com  
(Tokens are: "www", "*" and "com") 
www.yahoo.com/search=*  
(Tokens are: "www", "yahoo", "com", "search", "*") 
The following patterns are invalid because the character "*" is not the only character in the token:
ww*.yahoo.com
www.y*.com
This list takes precedence over the selected web site categories.
Block List
If you would like to use an External Dynamic List to dynamically update the list of URLs that you wish to block (without a commit), see Objects > External Dynamic Lists.
Enter the IP addresses or URL path names of the web sites that you want to block or generate alerts on. Enter one IP address or URL per line.
You must omit the "http://" and "https://" portion of the URLs when adding web sites to the list.
Entries in the block list are an exact match and are case-insensitive. For example, "www.paloaltonetworks.com" is different from "paloaltonetworks.com". If you want to block the entire domain, you should include both "*.paloaltonetworks.com" and "paloaltonetworks.com".
Examples:
  • www.paloaltonetworks.com
  • 198.133.219.25/en/US
Block and allow lists support wildcard patterns. The following characters are considered separators:
./?&=;+
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
*.yahoo.com  
(Tokens are: "*", "yahoo" and "com") 
www.*.com  
(Tokens are: "www", "*" and "com") 
www.yahoo.com/search=*  
(Tokens are: "www", "yahoo", "com", "search", "*") 
The following patterns are invalid because the character "*" is not the only character in the token:
ww*.yahoo.com
www.y*.com
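The entry rules for the allow and block lists can be checked before a list is pasted into the profile. The following is an added example, not Palo Alto Networks code: the function names are hypothetical, the sample list is constructed from the patterns on this page, and it models only the rules stated here (separators, wildcard tokens, omitted scheme, listing both the wildcard and the bare domain), not the firewall's own matching.

```python
import re

SEPARATORS = "./?&=;+"  # separator characters listed on this page
_SPLIT = re.compile("[" + re.escape(SEPARATORS) + "]")
_SCHEME = re.compile(r"^https?://", re.IGNORECASE)

def tokenize(entry):
    """Split an entry into tokens on the separators, dropping empty pieces."""
    return [t for t in _SPLIT.split(entry) if t]

def check_entry(entry):
    """Return the problems found in one list entry (empty list means valid)."""
    e = entry.strip()
    if not e:
        return ["empty entry"]
    problems = []
    if _SCHEME.match(e):
        problems.append("scheme must be omitted")
        e = _SCHEME.sub("", e)
    if not e.isascii():
        problems.append("non-ASCII character")
    for tok in tokenize(e):
        if "*" in tok and tok != "*":
            problems.append(f"'*' is not the only character in token {tok!r}")
    return problems

def missing_bare_domain(entries):
    """Domains listed only as '*.domain'; the page says to list 'domain' too."""
    norm = {e.strip().lower() for e in entries}  # entries are case-insensitive
    return sorted(e[2:] for e in norm
                  if e.startswith("*.") and "/" not in e and e[2:] not in norm)

def lint(entries):
    """Map each invalid entry to its problems."""
    return {e: p for e in entries if (p := check_entry(e))}

# Constructed sample list: the page's own patterns plus example.* entries.
SAMPLE = ["*.yahoo.com", "www.*.com", "www.yahoo.com/search=*",
          "ww*.yahoo.com", "www.y*.com", "https://www.paloaltonetworks.com",
          "198.133.219.25/en/US", "*.Example.com", "*.example.net", "example.net"]

if __name__ == "__main__":
    for entry, problems in lint(SAMPLE).items():
        print(f"{entry}: {'; '.join(problems)}")
    print("wildcard without bare domain:", missing_bare_domain(SAMPLE))
```

On a block list, a wildcard entry without its bare domain leaves the bare domain to be handled by category alone, which is the gap the second check reports.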
Action
Select the action to take when a web site in the block list is accessed.
  • alert—Allow the user to access the web site, but add an alert to the URL log.
  • block—Block access to the web site.
  • continue—Allow the user to access the blocked page by clicking Continue on the block page.
  • override—Allow the user to access the blocked page after entering a password. The password and other override settings are specified in the URL Admin Override area of the Settings page (refer to the Management Settings table in Device > Setup > Management).
