URL Category Exception Lists

You can create URL category exception lists to allow access to specific URLs in a blocked category or to block specific URLs in an allowed category.
You can exclude specific websites from URL category enforcement, ensuring that these websites are blocked or allowed regardless of the policy action associated with their URL categories. For example, you might block the social-networking URL category but allow access to LinkedIn. To create exceptions to URL category policy enforcement:
  • Add the IP addresses or URLs of the sites you want to block or allow (regardless of their associated URL category) directly to a URL Filtering profile (Objects > Security Profiles > URL Filtering > Overrides).
  • Use an external dynamic list in a URL Filtering profile or as match criteria in a Security policy rule. The benefit to using an external dynamic list is that you can update the list without performing a configuration change or commit on the firewall.
  • Create a Security policy rule that excludes the site or application in a particular URL category from policy enforcement. Place the exception rule above the rule that allows or blocks the URL category to which the URL exception belongs.
The following guidelines describe how to populate URL category block and allow lists, or a text file that you’re using as the source of an external dynamic list for URLs:

Basic Guidelines For URL Category Exception Lists

  • Enter the IP addresses or URLs of websites that you want to enforce separately from the associated URL category.
  • List entries must be an exact match and are case-insensitive.
  • You can enter a string that is an exact match to the website (and possibly, specific subdomain) for which you want to control access, or you can use wildcard characters to allow an entry to match to more than one website subdomain. For details on using wildcard characters, review Wildcard Guidelines for URL Category Exception Lists.
  • Omit http and https from URL entries.
  • Each URL entry can be up to 255 characters in length.
  • Palo Alto Networks URL Filtering does not support regex for matching characters. For example, if you wanted to block all domain names that contain numbers (e.g. jump123.com), you would have to specify each of the URLs you wanted to block or allow in an override list.
    If you are able to access blocked sites or cannot access allowed sites, check the URL Filtering logs to see how the site was logged. You can try adding the URL to the block or allow list in the format shown in the logs. Otherwise, review your entries against the guidelines below.

Wildcard Guidelines for URL Category Exception Lists

You can use wildcards in URL category exception lists to easily configure a single entry to match to multiple website subdomains and pages, without having to specify exact subdomains and pages.
Follow these guidelines when creating wildcard entries:
  • The following characters are considered token separators: . / ? & = ; +
    Every string separated by one or two of these characters is a token. Use wildcard characters as token placeholders, indicating that a specific token can contain any value.
  • In place of a token, you can use either an asterisk (*) or a caret (^).
  • Wildcard characters must be the only character within a token. For example, www.gmail*.com would be invalid because the asterisk follows other characters. An entry can contain multiple wildcards, however.

How to Use Asterisk (*) and Caret (^) Wildcards

You can use either * or ^ as wildcards in your custom categories and URL EDLs, but you cannot use both at the same time. This means that if you use * to represent a wildcard in one custom category or URL EDL, you must use * as the wildcard in every other custom category or URL EDL in your configuration; you can no longer use ^. For example, you cannot have one custom category or EDL that contains ^.foo.com and a separate custom category or URL EDL that contains www.xyz.com/*.

For details about how to use each wildcard, see below:

* (asterisk)
Use to indicate one or more variable subdomains. If you use *, the entry will match any additional subdomains at the beginning and the end of the URL. Use a forward slash at the end of the entry if you do not want to match any additional subdomains beyond that point.
Ex:
  • *.paloaltonetworks.com matches www.paloaltonetworks.com, www.urlfiltering.paloaltonetworks.com, and www.paloaltonetworks.com.uk.
  • *.paloaltonetworks.com/ matches www.paloaltonetworks.com and www.urlfiltering.paloaltonetworks.com but not www.paloaltonetworks.com.uk.

^ (caret)
Use to indicate exactly one variable subdomain.
Ex:
  • mail.^.com matches mail.company.com but not mail.company.sso.com.

Do not create an entry with consecutive asterisk (*) wildcards or more than nine consecutive caret (^) wildcards; entries like these can affect firewall performance. For example, do not add an entry like mail.*.*.com; instead, depending on the range of websites you want to control access to, enter mail.*.com or mail.^.^.com. An entry like mail.*.com matches a greater number of sites than mail.^.^.com: mail.*.com matches sites with any number of subdomains, whereas mail.^.^.com matches only sites with exactly two subdomains.
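To make the token rules concrete, here is an added example (not code from the page or from Palo Alto Networks) that models the matching and validation rules above: tokens are split on the listed separators, ^ stands for exactly one token, * for one or more, an entry containing * also tolerates extra subdomains at either end unless it ends with a slash, and an entry without a path component is assumed to cover every page of the matched host. The function names entry_matches and entry_problems, and the treatment of the path part, are this example's own assumptions.

```python
import re

# Token separators given by the page: . / ? & = ; +  (one or two in a row act as one separator)
_SEP = re.compile(r"[./?&=;+]+")

def _tokens(s: str) -> list:
    return [t for t in _SEP.split(s.lower()) if t]

def _match(pat: list, toks: list) -> bool:
    # pat items: literal token, '^' (exactly one token), '*' (one or more), '*?' (zero or more)
    if not pat:
        return not toks
    head, rest = pat[0], pat[1:]
    if head in ("*", "*?"):
        least = 0 if head == "*?" else 1
        return any(_match(rest, toks[i:]) for i in range(least, len(toks) + 1))
    return bool(toks) and head in ("^", toks[0]) and _match(rest, toks[1:])

def entry_matches(entry: str, url: str) -> bool:
    """True if a URL exception-list entry matches a URL (both written without a scheme)."""
    e_host, _, e_path = entry.lower().partition("/")
    u_host, _, u_path = url.lower().partition("/")
    host_pat = _tokens(e_host)
    if "*" in host_pat:
        # An asterisk entry also matches extra subdomains at the start and end of the host
        # (modelled from the page's examples); a trailing slash closes the end of the host.
        if host_pat[0] != "*":
            host_pat = ["*?"] + host_pat
        if host_pat[-1] != "*" and not entry.endswith("/"):
            host_pat = host_pat + ["*?"]
    if not _match(host_pat, _tokens(u_host)):
        return False
    path_pat = _tokens(e_path)
    # Assumption: an entry with no path component covers every page of the matched host
    return not path_pat or _match(path_pat, _tokens(u_path))

def entry_problems(entry: str) -> list:
    """Guideline violations for an entry; an empty list means it looks acceptable."""
    toks = _tokens(entry)
    shape = "".join(t if t in ("*", "^") else "x" for t in toks)  # mail.^.^.com -> "x^^x"
    checks = [
        (len(entry) > 255, "longer than 255 characters"),
        (entry.lower().startswith(("http://", "https://")), "scheme must be omitted"),
        (any(t not in ("*", "^") and ("*" in t or "^" in t) for t in toks),
         "a wildcard must be the only character in its token"),
        ("*" in toks and "^" in toks, "* and ^ cannot both be used"),
        ("**" in shape, "consecutive * wildcards"),
        ("^" * 10 in shape, "more than nine consecutive ^ wildcards"),
    ]
    return [msg for bad, msg in checks if bad]
```

Running entry_problems over a block or allow list before committing it catches the invalid forms the page warns about (www.gmail*.com, mail.*.*.com) without a failed commit or a surprising non-match in the URL Filtering logs.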

URL Category Exception List—Wildcard Examples

The following tables list examples of URL exception list entries that use wildcards, together with examples of the sites that these entries match.

Example Set 1

  URL Exception List Entry    Matching Sites
  *.company.com               eng.tools.company.com
                              support.tools.company.com
                              tools.company.com
                              docs.company.com
                              blog.company.com.uk
                              1234.company.com.abcd.com/url
  ^.company.com               tools.company.com
                              docs.company.com
  ^.^.company.com             eng.tools.company.com
                              support.tools.company.com

Example Set 2

  URL Exception List Entry    Matching Sites
  mail.google.*               mail.google.com
                              mail.google.co.uk
                              1234.mail.google.co.uk
  mail.google.^               mail.google.com
  mail.google.^.^             mail.google.co.uk

Example Set 3

  URL Exception List Entry    Matching Sites
  site.*.com                  site.a.com
                              site.a.b.com
                              site.a.b.c.com
  site.^.com                  site.a.com
  site.^.^.com                site.a.b.com
  site.com/*                  site.com/photos
                              site.com/blog/2019
                              any site.com subdirectory