URL Categories

PAN-DB classifies websites based on site content, features, and safety. A URL can have up to four categories, including risk categories (high, medium, and low), which indicate how likely it is that the site will expose you to threats.
Visit Test A Site to see how PAN-DB categorizes a URL, and to learn about all available URL categories. You can also use Test A Site to submit a URL category change request, or you can submit the request directly from the firewall: select Monitor > Logs, open the details for a log entry, and under the URL Category you'll see the option to submit a change request.
Read on to learn more about URL categories:

How to Leverage URL Categories

  • Block or allow traffic based on URL category—You can create a URL Filtering profile that specifies an action for each URL category and attach the profile to a policy. Traffic that matches the policy is enforced based on the URL filtering settings in the profile. For example, to block all gaming websites you would set the block action for the URL category games in the URL profile and attach it to the security policy rule(s) that allow web access. See Configure URL Filtering for more.
  • Enforce policy based on URL category—If you want a specific policy rule to apply only to web traffic to sites in a specific category, use the site URL category as match criteria when you create the policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply bandwidth controls to all websites that are categorized as streaming media. See URL Category as Policy Match Criteria for more.
  • Multi-Category URL Filtering—Every URL can have up to four categories. More granular URL categorization means that you can move beyond a basic "block-or-allow" approach to web access. Instead, you can control how your users interact with online content that, while necessary for business, is more likely to be used as part of a cyberattack. For instance, you might consider certain URL categories risky to your organization, but be hesitant to block them outright because they also provide valuable resources or services (like cloud storage services or blogs). You can allow users to visit sites that fall into these URL categories while still protecting your network by decrypting and inspecting the traffic and enforcing read-only access to the content. For a URL category that you want to tightly control, set the URL Filtering profile action to alert as part of the steps to Configure URL Filtering. Then continue to follow the URL Category Best Practices: decrypt the URL category, block dangerous file downloads, and turn on credential phishing prevention.
  • Block or allow corporate credential submissions based on URL category—Prevent Credential Phishing by enabling the firewall to detect corporate credential submissions to sites, and then block or allow those submissions based on URL category. Block users from submitting credentials to malicious and untrusted sites, warn users against entering corporate credentials on unknown sites or against reusing corporate credentials on non-corporate sites, and explicitly allow users to submit credentials to corporate and sanctioned sites.
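The first two approaches above, expressed as PAN-OS configure-mode set commands. This is an added example, not configuration from the original page; the profile name block-games, the rule names allow-web-access and limit-streaming, and the zone names trust and untrust are assumptions, while the category names (games, streaming-media, high-risk, medium-risk) are the ones this page uses.

```text
# Enter configuration mode on the firewall CLI
configure

# 1. Block or allow traffic based on URL category:
#    a URL Filtering profile that blocks the "games" category and
#    alerts (logs) on the risk categories so those visits are visible
set profiles url-filtering block-games block [ games ]
set profiles url-filtering block-games alert [ high-risk medium-risk ]

#    attach the profile to the security rule that allows web access;
#    traffic matching the rule is then enforced per the profile
set rulebase security rules allow-web-access from trust to untrust source any destination any application [ web-browsing ssl ] service application-default action allow
set rulebase security rules allow-web-access profile-setting profiles url-filtering block-games

# 2. Enforce policy based on URL category:
#    a QoS rule that uses streaming-media as match criteria and
#    assigns matching traffic to QoS class 4 (the class-to-bandwidth
#    mapping is defined in the QoS profile on the egress interface)
set rulebase qos rules limit-streaming from trust to untrust source any destination any category [ streaming-media ] action class 4

commit
```

The QoS rule only assigns a class; without a QoS profile bound to the egress interface that gives class 4 a bandwidth limit, streaming traffic is classified but not shaped.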

Security-Focused URL Categories

Security-focused URL categories can help you to reduce your attack surface by providing targeted decryption and enforcement for sites that pose varying levels of risk, but are not confirmed malicious. Websites are classified with a security-related category only so long as they meet the criteria for that category; as site content changes, policy enforcement dynamically adapts. You cannot submit a change request for security-focused URL Categories.
High-risk sites include:
  • Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 30 days.
  • Unknown domains are classified as high-risk until PAN-DB completes site analysis and categorization.
  • Sites that are associated with confirmed malicious activity. For example, a page might be high-risk if there are malicious hosts on the same domain, even if the page itself does not contain malicious content.
  • Bulletproof ISP-hosted sites.
  • Sites hosted on IPs from ASNs that are known to allow malicious content.
Default and Recommended Policy Action: Alert
Medium-risk sites include:
  • All cloud storage sites (with the URL category online-storage-and-backup).
  • Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 60 days.
  • Unknown IP addresses are categorized as medium-risk until PAN-DB completes site analysis and categorization.
Default and Recommended Policy Action: Alert
Low-risk sites are all sites that are not medium or high risk. These sites have displayed benign activity for a minimum of 90 days.
Default and Recommended Policy Action: Allow
Newly-Registered Domains
Identifies sites that have been registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
Default Policy Action: Alert
Recommended Policy Action: Block
Newly-registered domains are often generated purposefully or by domain generation algorithms and used for malicious activity. It is a best practice to block this URL category.

URL Category Best Practices

Follow our complete best practices for enabling URL Filtering on an internet gateway firewall. To get started, you can clone the default URL Filtering profile which blocks malware, phishing, and command-and-control URL categories by default. The default URL Filtering profile also blocks the abused-drugs, adult, gambling, hacking, questionable, and weapons URL categories. Whether to block these URL categories depends on your business requirements. For example, a university probably won’t want to restrict student access to most of these sites because availability is important, but a business that values security first may block some or all of them.
Here are the categories that we recommend you block:
  • malware—Sites known to host malware or used for command and control (C2) traffic. Sites in this category may also host exploit kits.
  • phishing—Known to host credential phishing pages or phishing for personal identification.
  • dynamic-dns—Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
  • unknown—Sites that have not yet been identified by PAN-DB. If availability is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts.
    PAN-DB Real-Time Updates learns unknown sites after the first attempt to access an unknown site, so unknown URLs are identified quickly and become known URLs that the firewall can then handle based on the actual URL category.
  • newly-registered-domains—Newly registered domains are often generated purposely or by domain generation algorithms and used for malicious activity.
  • command-and-control—Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
  • copyright-infringement—Domains with illegal content, such as content that allows illegal download of software or other intellectual property, which poses a potential liability risk. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
  • extremism—Websites promoting terrorism, racism, fascism, or other extremist views discriminating against people or groups of different ethnic backgrounds, religions or other beliefs. This category was introduced to enable adherence to child protection laws required in the education industry. In some regions, laws and regulations may prohibit allowing access to extremist sites, and allowing access may pose a liability risk.
  • proxy-avoidance-and-anonymizers—URLs and services often used to bypass content filtering products.
  • parked—Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personally identifiable information. Or, they may be domains that an individual purchases the rights to in the hope that they become valuable someday, such as panw.net.
For categories that you decide to alert on, instead of block, you can very strictly control how users interact with site content. For example, give users access to the resources they need (like developer blogs for research purposes or cloud storage services), but take the following precautions to reduce exposure to web-based threats:
  • Follow the Anti-Spyware, Vulnerability Protection, and File Blocking best practices. For sites that you are alerting on, block downloads of dangerous file types and block obfuscated JavaScript.
  • Target decryption based on URL category. A good start is to decrypt high-risk and medium-risk sites.
  • Prevent phishing attacks by blocking users from submitting their corporate credentials to sites in risky categories, including high-risk and medium-risk sites.
  • Display a response page to users when they visit high-risk and medium-risk sites. Alert them that the site they are attempting to access is potentially malicious, and advise them on how to take precautions if they decide to continue to the site.
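The best-practice set above (block the recommended categories, attach threat and file-blocking profiles, decrypt the risk categories, enforce credential submissions, and warn on risky sites) as PAN-OS configure-mode set commands. This is an added example, not configuration from the original page. Assumptions: a security rule named allow-web-access that permits web traffic already exists, the zones are trust and untrust, the profile and rule names bp-url-filtering, bp-file-blocking and decrypt-risky are arbitrary, and the file-type names in the File Blocking rule are illustrative and must match the firewall's own file-type list. The category names are the ones this page lists.

```text
configure

# URL Filtering profile: block the categories this page recommends blocking
set profiles url-filtering bp-url-filtering block [ malware phishing command-and-control dynamic-dns unknown newly-registered-domains copyright-infringement extremism proxy-avoidance-and-anonymizers parked ]

# "continue" is the action that shows users a response page but lets
# them proceed, which is the warning described in the last bullet above;
# keep high-risk and medium-risk on "alert" instead if you only want logging
set profiles url-filtering bp-url-filtering continue [ high-risk medium-risk ]

# Credential phishing prevention: detect corporate credential submissions
# using IP-to-user mapping (requires User-ID) and block them on risky,
# unknown and known-bad categories
set profiles url-filtering bp-url-filtering credential-enforcement mode ip-user
set profiles url-filtering bp-url-filtering credential-enforcement block [ high-risk medium-risk unknown newly-registered-domains malware phishing command-and-control ]

# File Blocking profile: block dangerous file types in both directions
# (file-type names here are examples; use the names your firewall lists)
set profiles file-blocking bp-file-blocking rules block-dangerous application any file-type [ bat exe msi scr ] direction both action block

# Attach URL Filtering, File Blocking and the predefined strict
# Anti-Spyware / Vulnerability Protection profiles to the web-access rule
set rulebase security rules allow-web-access profile-setting profiles url-filtering bp-url-filtering
set rulebase security rules allow-web-access profile-setting profiles file-blocking bp-file-blocking
set rulebase security rules allow-web-access profile-setting profiles spyware strict
set rulebase security rules allow-web-access profile-setting profiles vulnerability strict

# Targeted decryption: SSL forward proxy only for high-risk and
# medium-risk sites, so inspection and file blocking see the content
set rulebase decryption rules decrypt-risky from trust to untrust source any destination any category [ high-risk medium-risk ] action decrypt type ssl-forward-proxy

commit
```

The decryption rule does nothing useful until a forward trust certificate is configured on the firewall and trusted by the clients; without it, users see certificate warnings on every decrypted site. Because the risk categories are assigned dynamically (a site leaves medium-risk once it has shown only benign activity long enough), the decryption and credential-enforcement scope shrinks and grows on its own, which is the point of keying these controls to categories rather than to a static URL list.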
