PAN-DB classifies websites based on site content, features, and safety. A URL can have up to four categories, including risk categories (high, medium, and low), which indicate how likely it is that the site will expose you to threats.
Visit Test A Site to see how PAN-DB categorizes a URL and to learn about all available URL categories. You can also use Test A Site to submit a URL category change request, or you can submit the request directly from the firewall: select Monitor > Logs, open the details for a log entry, and under URL Category you’ll see the option to submit a change request.
Read on to learn more about URL categories:
How to Leverage URL Categories
- Block or allow traffic based on URL category—You can create a URL Filtering profile that specifies an action for each URL category and attach the profile to a policy. Traffic that matches the policy is enforced based on the URL filtering settings in the profile. For example, to block all gaming websites you would set the block action for the URL category games in the URL profile and attach it to the security policy rule(s) that allow web access. See Configure URL Filtering for more.
- Enforce policy based on URL category—If you want a specific policy rule to apply only to web traffic to sites in a specific category, use the site URL category as match criteria when you create the policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply bandwidth controls to all websites that are categorized as streaming media. See URL Category as Policy Match Criteria for more.
- Multi-Category URL Filtering—Every URL can have up to four categories. More granular URL categorization means that you can move beyond a basic "block-or-allow" approach to web access. Instead, you can control how your users interact with online content that, while necessary for business, is more likely to be used as part of a cyberattack. For instance, you might consider certain URL categories risky to your organization, but be hesitant to block them outright because they also provide valuable resources or services (like cloud storage services or blogs). Now, you can allow users to visit sites that fall into these types of URL categories, while also protecting your network by decrypting and inspecting traffic and enforcing read-only access to the content. For a URL category that you want to tightly control, set the URL Filtering profile action to alert as part of the steps to Configure URL Filtering. Then continue to follow the URL Category Best Practices: decrypt the URL category, block dangerous file downloads, and turn on credential phishing prevention.
- Block or allow corporate credential submissions based on URL category—Prevent Credential Phishing by enabling the firewall to detect corporate credential submissions to sites, and then block or allow those submissions based on URL category. Block users from submitting credentials to malicious and untrusted sites, warn users against entering corporate credentials on unknown sites or against reusing corporate credentials on non-corporate sites, and explicitly allow users to submit credentials to corporate and sanctioned sites.
Security-Focused URL Categories
Security-focused URL categories can help you to reduce your attack surface by providing targeted decryption and enforcement for sites that pose varying levels of risk, but are not confirmed malicious. Websites are classified with a security-related category only so long as they meet the criteria for that category; as site content changes, policy enforcement dynamically adapts. You cannot submit a change request for security-focused URL Categories.
Security-Focused URL Categories

| Category | Description | Default Policy Action | Recommended Policy Action |
|---|---|---|---|
| high-risk | High-risk sites include: | Alert | Alert |
| medium-risk | Medium-risk sites include: | Alert | Alert |
| low-risk | Sites that are not medium or high risk are considered low risk. These sites have displayed benign activity for a minimum of 90 days. | Allow | Allow |
| newly-registered-domains | Identifies sites that have been registered within the last 32 days. New domains are frequently used as tools in malicious campaigns. Newly-registered domains are often generated purposefully or by domain generation algorithms and used for malicious activity. It is a best practice to block this URL category. | Alert | Block |
URL Category Best Practices
Follow our complete best practices for enabling URL Filtering on an internet gateway firewall. To get started, you can clone the default URL Filtering profile which blocks malware, phishing, and command-and-control URL categories by default. The default URL Filtering profile also blocks the abused-drugs, adult, gambling, hacking, questionable, and weapons URL categories. Whether to block these URL categories depends on your business requirements. For example, a university probably won’t want to restrict student access to most of these sites because availability is important, but a business that values security first may block some or all of them.
Here are the categories that we recommend you block:
- malware—Sites known to host malware or used for command and control (C2) traffic. These sites may also host exploit kits.
- phishing—Known to host credential phishing pages or phishing for personal identification.
- dynamic-dns—Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
- unknown—Sites that have not yet been identified by PAN-DB. If availability is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts. PAN-DB Real-Time Updates learns unknown sites after the first attempt to access an unknown site, so unknown URLs are identified quickly and become known URLs that the firewall can then handle based on the actual URL category.
- newly-registered-domains—Newly registered domains are often generated purposely or by domain generation algorithms and used for malicious activity.
- command-and-control—Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
- copyright-infringement—Domains with illegal content, such as content that allows illegal download of software or other intellectual property, which poses a potential liability risk. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
- extremism—Websites promoting terrorism, racism, fascism, or other extremist views discriminating against people or groups of different ethnic backgrounds, religions or other beliefs. This category was introduced to enable adherence to child protection laws required in the education industry. In some regions, laws and regulations may prohibit allowing access to extremist sites, and allowing access may pose a liability risk.
- proxy-avoidance-and-anonymizers—URLs and services often used to bypass content filtering products.
- parked—Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identity information. Or, they may be domains that an individual purchases the rights to in the hope that they will be valuable someday, such as panw.net.
For categories that you decide to alert on instead of blocking, you can still strictly control how users interact with site content. For example, give users access to the resources they need (like developer blogs for research purposes or cloud storage services), but take the following precautions to reduce exposure to web-based threats:
- Target decryption based on URL category. A good start would be to decrypt high-risk and medium-risk sites.
- Prevent phishing attacks by blocking users from submitting their corporate credentials to sites including those that are high-risk and medium-risk.
- Display a response page to users when they visit high-risk and medium-risk sites. Alert them that the site they are attempting to access is potentially malicious, and advise them on how to take precautions if they decide to continue to the site.
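The following is an added illustration, not Palo Alto Networks code: it models a URL Filtering profile built from this page's block list and alert-plus-controls recommendations, and resolves the verdict for a URL that carries up to four PAN-DB categories. It assumes that when categories disagree, the most restrictive action wins (block over continue over alert over allow); that ordering, the `ACTION_RANK` table and the sample category lists in the comments are assumptions, not taken from the page.

```python
# Added example (not Palo Alto Networks code): resolve the effective URL Filtering
# verdict for a multi-category URL using this page's best-practice recommendations.
# Assumption: the most restrictive per-category action wins; the rank order below
# is ours, not stated on the page.
from dataclasses import dataclass, field

ACTION_RANK = {"allow": 0, "alert": 1, "continue": 2, "block": 3}

# Categories the page recommends blocking outright.
BLOCK_CATEGORIES = {
    "malware", "phishing", "dynamic-dns", "unknown", "newly-registered-domains",
    "command-and-control", "copyright-infringement", "extremism",
    "proxy-avoidance-and-anonymizers", "parked",
}
# Risk categories the page says to alert on but tightly control.
TIGHTLY_CONTROLLED = {"high-risk", "medium-risk"}


@dataclass
class Verdict:
    action: str
    decrypt: bool = False            # target decryption at risky sites
    block_credentials: bool = False  # credential phishing prevention
    response_page: bool = False      # warn the user before continuing
    reasons: list = field(default_factory=list)


def profile_action(category: str) -> str:
    """Per-category action of the best-practice URL Filtering profile."""
    if category in BLOCK_CATEGORIES:
        return "block"
    if category in TIGHTLY_CONTROLLED:
        return "alert"
    return "allow"  # low-risk and ordinary content categories


def evaluate(categories: list) -> Verdict:
    """Resolve the verdict for a URL with one to four PAN-DB categories."""
    if not 1 <= len(categories) <= 4:
        raise ValueError("PAN-DB assigns between one and four categories per URL")
    verdict = Verdict(action="allow")
    for cat in categories:
        act = profile_action(cat)
        verdict.reasons.append(f"{cat}:{act}")
        if ACTION_RANK[act] > ACTION_RANK[verdict.action]:
            verdict.action = act
    # Alert-only verdicts on risky sites get the page's compensating controls.
    if verdict.action == "alert" and TIGHTLY_CONTROLLED & set(categories):
        verdict.decrypt = verdict.block_credentials = verdict.response_page = True
    return verdict
```

The category strings passed to `evaluate` are constructed sample input; in practice they come from the URL Filtering log entry for the request.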