You can enable the Palo Alto Networks proprietary URL filtering
database, PAN-DB, or Webroot Inc.’s BrightCloud database for URL
filtering on your firewall.
Palo Alto Networks firewalls support two URL filtering vendors:
PAN-DB—The Palo Alto Networks-developed URL filtering
database. PAN-DB provides high-performance local caching for maximum
inline performance on URL lookups, and offers coverage against malicious
URLs and IP addresses. As WildFire identifies unknown malware, zero-day exploits,
and advanced persistent threats (APTs), the PAN-DB database is updated
with information on malicious URLs so that you can block malware downloads
and disable Command and Control (C2) communications to protect your
network from cyberthreats. URL categories that identify confirmed
malicious content (malware, phishing, and C2) are updated every five
minutes to ensure that you can manage access to these sites within
minutes of categorization.
BrightCloud—A third-party URL database that is owned
by Webroot, Inc. and is integrated into PAN-OS firewalls. For information
on the BrightCloud URL database, visit http://brightcloud.com.
To enable URL filtering on a firewall, you must purchase and
activate a URL Filtering license for one of the supported URL Filtering
vendors and then install the database for the vendor you selected.
Starting with PAN-OS 6.0, firewalls managed by Panorama
do not need to be running the same URL filtering vendor that is
configured on Panorama. For firewalls running PAN-OS 6.0 or later,
when a mismatch is detected between the vendor enabled on the firewalls
and what is enabled on Panorama, the firewalls can automatically
migrate URL categories and/or URL profiles to one or more categories
that align with those of the vendor enabled on the firewall. For guidance on how
to configure URL Filtering on Panorama if you are managing firewalls
running different PAN-OS versions, refer to the Panorama Administrator’s Guide.
If you have valid licenses for both PAN-DB and BrightCloud, activating
the PAN-DB license automatically deactivates the BrightCloud license
(and vice versa). Only one URL filtering license can be active on a
firewall at a time.