1. Home
    2. PAN-OS
    3. PAN-OS® Web Interface Reference
    4. Objects
    5. Objects > Security Profiles > URL Filtering
    6. URL Filtering Categories
    End-of-Life (EoL)

    URL Filtering Categories

    Select
    Objects
    Security Profiles
    URL Filtering
    Categories
     to control access to websites based on URL categories.
    Attach a URL Filtering profile to all Security policy rules that allow access to web-based applications to protect against URLs that have been observed to host malware or exploitive content.
    Categories Settings
    Description
    Category
    In addition to the predefined categories, both custom URL categories and external dynamic lists of type URL are displayed under
    Category
    . By default, the
    Site Access
     and
    User Credential Submission
     permissions for all categories are set to
    Allow
    .
    Block
     all known dangerous URL categories, including command-and-control, copyright-infringement, dynamic-dns, extremism, malware, phishing, proxy-avoidance-and-anonymizers, unknown, newly-registered-domain, grayware, and parked to protect against exploit infiltration, malware download, command-and-control activity, and data exfiltration.
    To phase in a block policy, set categories to
    continue
     and create a custom response page to educate users about your use policy and alert them that they are visiting a site that may pose a threat. After a suitable period of time, transition to a policy that blocks the potentially malicious sites.
    Site Access
    For each URL category, select the action to take when a user attempts to access a URL in that category (
    Site Access
    ):
    • alert
      —Allows access to the web site but adds an alert to the URL log each time a user accesses the URL.
      Set
      alert
       as the Action for categories of traffic you don’t block to log and provide visibility into the traffic.
    • allow
      —Allows access to the web site but doesn’t log traffic.
      Because
      allow
       doesn’t log unblocked traffic, set
      alert
       as the Action for categories of traffic you don’t block to log and provide visibility into that traffic.
    • block
      —Blocks access to the web site. If the Site Access to a URL category is set to block, the User Credential Submission permissions is automatically also set to block.
    • continue
      —Displays a page to users that to warn them against continuing to access the page. To access the web site, the user must click
      Continue
      .
    The Continue pages will not be displayed properly on client machines that are configured to use a proxy server.
    • override
      —Displays a response page that prompts the user to enter a valid password in order to gain access to the site. Configure URL Admin Override settings (
      Device
      Setup
      Content ID
      ) to manage password and other override settings. (See also the Management Settings table in Device > Setup > Content-ID).
    The Override pages will not be displayed properly on client machines that are configured to use a proxy server.
    • none
       (
      custom URL category only
      )—If you have created custom URL categories, set the action to
      none
       to allow the firewall to inherit the URL filtering category assignment from your URL database vendor. Setting the action to
      none
       gives you the flexibility to ignore custom categories in a URL filtering profile, while allowing you to use the custom URL category as a match criteria in policy rules (Security, Decryption, and QoS) to make exceptions or to enforce different actions. To delete a custom URL category, you must set the action to
      none
       in any profile where the custom category is used. For information on custom URL categories, see Objects > Custom Objects > URL Category.
    User Credential Submission
    For each URL category, select the
    User Credential Submissions
     to allow or disallow users from submitting valid corporate credentials to a URL in that category. Before you can control user credential submissions based on URL category, you must enable credential submission detection (select the
    User Credential Detection
     tab).
    URL categories with the
    Site Access
     set to block are automatically set to also block user credential submissions.
    • alert
      —Allow users to submit credentials to the website, but generate a URL Filtering log each time a user submits credentials to sites in this category.
    • allow
       (default)—Allow users to submit credentials to the website.
    • block
      —Block users from submitting credentials to the website. A default anti-phishing response page blocks user credential submissions.
    • continue
      —Display a response page to users that prompts them to select Continue to submit credentials to the site. By default, an anti-phishing continue page displays to warn users when they attempt to submit credentials to sites to which credential submissions are discouraged. You can choose to create a custom response page to warn users against phishing attempts or to educate them against reusing valid corporate credentials on other websites.
    Check URL Category
    Click to access the PAN-DB URL Filtering database, where you can enter a URL or IP address to view categorization information.
    Dynamic URL Filtering
    Default: Disabled
    (
    Configurable for BrightCloud only
    )
    Select to enable cloud lookup for categorizing the URL. This option is invoked if the local database is unable to categorize the URL.
    If the URL is unresolved after a 5 second timeout window, the response is displayed as
    Not resolvedURL
    .
    With PAN-DB, this option is enabled by default and is not configurable.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo