URL Category Best Practices

Follow our complete best practices for enabling URL Filtering on an internet gateway firewall. To get started, you can clone the default URL Filtering profile which blocks malware, phishing, and command-and-control URL categories by default. The default URL Filtering profile also blocks the abused-drugs, adult, gambling, hacking, questionable, and weapons URL categories. Whether to block these URL categories depends on your business requirements. For example, a university probably won’t want to restrict student access to most of these sites because availability is important, but a business that values security first may block some or all of them.
Here are the categories we recommend you block:
  • malware
    —Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
  • phishing
    —Known to host credential phishing pages or phishing for personal identification.
  • dynamic-dns
    —Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
  • unknown
    —Sites that have not yet been identified by PAN-DB. If availability is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts.
    PAN-DB Real-Time Updates learns unknown sites after the first attempt to access an unknown site, so unknown URLs are identified quickly and become known URLs that the firewall can then handle based on the actual URL category.
  • newly-registered-domains
    —Newly registered domains are often generated purposely or by domain generation algorithms and used for malicious activity.
  • command-and-control
    —Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
  • copyright-infringement
    —Domains with illegal content, such as content that allows illegal download of software or other intellectual property, which poses a potential liability risk. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
  • extremism
    —Websites promoting terrorism, racism, fascism, or other extremist views discriminating against people or groups of different ethnic backgrounds, religions or other beliefs. This category was introduced to enable adherence to child protection laws required in the education industry. In some regions, laws and regulations may prohibit allowing access to extremist sites, and allowing access may pose a liability risk.
  • proxy-avoidance-and-anonymizers
    —URLs and services often used to bypass content filtering products.
  • parked
    —Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identity information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.
For categories that you decide to alert on, instead of block, you can very strictly control how users interact with site content. For example, give users access to the resources they need (like developer blogs for research purposes or cloud storage services), but take the following precautions to reduce exposure to web-based threats:
  • Follow the Anti-Spyware, Vulnerability Protection, and File Blocking best practices. A protective measure would be to block downloads of dangerous file types and block obfuscated JavaScript for sites that you are alerting on.
  • Target decryption based on URL category. A good start would be to decrypt high-risk and medium-risk sites.
  • Prevent phishing attacks by blocking users from submitting their corporate credentials to sites including those that are high-risk and medium-risk.
  • Display a response page to users when they visit high-risk and medium-risk sites. Alert them that the site they are attempting to access is potentially malicious, and advise them on how to take precautions if they decide to continue to the site.
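The following is an added example, not code from the Palo Alto Networks documentation: it audits a URL Filtering profile's per-category actions against the block list recommended above (allowing the documented exception of alerting on unknown when availability is critical) and pulls out the alerted visits to unknown, high-risk, and medium-risk sites that the precautions above say to investigate. The profile mapping and the simplified URL log are constructed; the assumption that an unlisted category is allowed is labelled in the code.

```python
import csv
import io

# Categories the best practice recommends blocking outright.
RECOMMENDED_BLOCK = {
    "malware", "phishing", "dynamic-dns", "unknown", "newly-registered-domains",
    "command-and-control", "copyright-infringement", "extremism",
    "proxy-avoidance-and-anonymizers", "parked",
}

# Risk categories that get decryption, credential-submission blocking and a response page.
RISK_CATEGORIES = {"high-risk", "medium-risk"}


def audit_profile(profile_actions, allow_unknown=False):
    """Return recommended-block categories the profile does not block, with their action.

    profile_actions maps category -> action (block, alert, allow, continue, override).
    allow_unknown=True applies the documented exception: 'unknown' may be set to
    alert when availability is critical, provided the alerts are investigated.
    """
    drift = {}
    for category in sorted(RECOMMENDED_BLOCK):
        # Assumption: a category absent from the profile falls back to allow.
        action = profile_actions.get(category, "allow")
        if action == "block":
            continue
        if category == "unknown" and allow_unknown and action == "alert":
            continue
        drift[category] = action
    return drift


def alerts_to_investigate(url_log_csv):
    """Return alerted visits to unknown or high-/medium-risk sites from a URL log.

    The CSV columns (time,src,url,category,action) are a constructed simplification
    of a URL Filtering log, not the firewall's actual log format.
    """
    watch = RISK_CATEGORIES | {"unknown"}
    rows = csv.DictReader(io.StringIO(url_log_csv))
    return [
        {"src": r["src"], "url": r["url"], "category": r["category"]}
        for r in rows
        if r["action"] == "alert" and r["category"] in watch
    ]


# Constructed sample log: one alerted unknown visit and one alerted medium-risk visit.
SAMPLE_URL_LOG = """time,src,url,category,action
2024-01-01T10:00:00,10.1.1.5,example.com/,computer-and-internet-info,allow
2024-01-01T10:00:05,10.1.1.5,pal0alto0netw0rks.com/login,parked,block
2024-01-01T10:00:09,10.1.1.7,dev-blog.example.net/post,unknown,alert
2024-01-01T10:00:12,10.1.1.9,files.example.org/dl,medium-risk,alert
2024-01-01T10:00:15,10.1.1.9,other.example.org/,high-risk,block
"""
```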