URL Categories
Each website defined in the URL filtering database is
assigned a URL category. Here are a few ways to leverage URL categories:
- Block or allow traffic based on URL category—You can create a URL Filtering profile that specifies an action for each URL category and attach the profile to a policy. Traffic that matches the policy would then be subject to the URL filtering settings in the profile. For example, to block all gaming websites you would set the block action for the URL category games in the URL profile and attach it to the security policy rule(s) that allow web access. See Configure URL Filtering for more information.
- Enforce policy based on URL category—If you want a specific policy rule to apply only to web traffic to sites in a specific category, use the site URL category as match criteria when you create the policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply bandwidth controls to all websites that are categorized as streaming media. See URL Category as Policy Match Criteria for more information.
- Block or allow corporate credential submissions based on URL category—Prevent Credential Phishing by enabling the firewall to detect corporate credential submissions to sites, and then block or allow those submissions based on URL category. Block users from submitting credentials to malicious and untrusted sites, warn users against entering corporate credentials on unknown sites or warn them against reusing corporate credentials on non-corporate sites, and explicitly allow users submit credentials to corporate and sanctioned sites.
By grouping websites into categories, it makes it easy to define
actions based on certain types of websites. In addition to the standard
URL categories, there are three additional categories:
Category | Description |
|---|---|
not-resolved | Indicates that the website was not found
in the local URL filtering database and the firewall was unable
to connect to the cloud database to check the category. When a URL
category lookup is performed, the firewall first checks the dataplane
cache for the URL; if no match is found, it checks the management
plane cache, and if no match is found there, it queries the URL
database in the cloud. In the case of the PAN-DB private cloud,
the URL database in the cloud is not used for queries. Setting
the action to block for traffic that is categorized as not-resolved,
may be very disruptive to users. You could set the action as continue,
so that users you can notify users that they are accessing a site
that is blocked by company policy and provide the option to read
the disclaimer and continue to the website. For more information
on troubleshooting lookup issues, see Troubleshoot
URL Filtering. |
private-ip-addresses | Indicates that the website is a single domain
(no sub-domains), the IP address is in the private IP range, or
the URL root domain is unknown to the cloud. |
unknown | The website has not yet been categorized,
so it does not exist in the URL filtering database on the firewall
or in the URL cloud database. When deciding on what action
to take for traffic categorized as unknown, be aware
that setting the action to block may be very disruptive to users
because there could be a lot of valid sites that are not in the
URL database yet. If you do want a very strict policy, you could
block this category, so websites that do not exist in the URL database
cannot be accessed. Palo Alto Networks collects the list of
URLs from the unknown category and processes them to determine the
URL category. These URLs are processed automatically, everyday,
provided the websites has machine readable content that is in a
supported format and language. Upon categorization, the updated
category information is made available to all PAN-DB customers. |
You can submit URL categorization change requests using
the Palo Alto Networks dedicated web portal ( Test A Site), the URL filtering
profile setup page on the firewall, or the URL filtering log on
the firewall. Each change request is automatically processed everyday,
provided the websites provides machine readable content that is
in a supported format and language. Sometimes, the categorization
change requires a member of the Palo Alto Networks engineering staff
to perform a manual review. In such cases, the process may take
a little longer.
Related Documentation
URL Filtering Categories
URL Filtering Categories Select Objects Security Profiles URL Filtering Categories to control access to websites based on URL categories. Attach a URL Filtering profile to ...
Objects > Security Profiles > URL Filtering
Objects > Security Profiles > URL Filtering You can use URL filtering profiles to control access to web content. What are you looking for? See: ...
URL Filtering Profile Actions
URL Filtering Profile Actions The URL Filtering profile specifies web access and credential submission permissions for each URL category. By default, site access for all ...
Configure URL Filtering
Configure URL Filtering After you Determine URL Filtering Policy Requirements , you should have a basic understanding of what types of websites and website categories ...
Determine URL Filtering Policy Requirements
Determine URL Filtering Policy Requirements The recommended practice for deploying URL filtering in your organization is to first start with a passive URL filtering profile ...
Prevent Credential Phishing
Prevent Credential Phishing Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the credentials that provide ...
URL Category as Policy Match Criteria
URL Category as Policy Match Criteria Use URL Categories as a match criteria in a policy rule for more granular enforcement. For example, suppose you ...
URL Filtering Overrides
URL Filtering Overrides Select Objects Security Profiles URL Filtering Overrides to define website block and allow lists, and to allow password-based access to certain sites. ...