1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. Content Inspection Features
    5. Multi-Category URL Filtering

    Multi-Category URL Filtering

    PAN-DB classifies URLs with multiple categories, so that you can granularly control web access and how users interact with online content.
    PAN-DB, the Palo Alto Networks URL database, now assigns multiple categories to URLs that classify a site’s content, purpose, and safety. Every URL now has up to four categories, including a risk category that indicates how likely it is that the site will expose you to threats. More granular URL categorizations means that you can move beyond a basic "block-or-allow" approach to web access. Instead, you can control how your users
    interact
     with online content that, while necessary for business, is more likely to be used as part of a cyberattack.
    For instance, you might consider certain URL categories risky to your organization, but are hesitant to block them outright as they also provide valuable resources or services (like cloud storage services or blogs). Now, you can allow users to visit sites that fall into these types of URL categories, while also protecting your network by decrypting and inspecting traffic and enforcing read-only access to the content.
    With multi-category URL Filtering, PAN-DB might classify a developer blog that your engineers use for research as:
    • personal-sites-and-blogs
    • computer-and-internet-info
    • high-risk
    The blog might be high-risk because a malware-infected blog is hosted on the same domain. You’d like your users to be able to access the blog, but want to protect against potential threats. Now, you could design your security policy to allow personal-sites-and-blogs and computer-and-internet-info, and then very strictly limit the options available to users when accessing high-risk content (for example, block obfuscated Javascript, enable credential theft prevention, and restrict dangerous file downloads).
    If you’re already enforcing security policy based on URL categories, you will automatically start to benefit from multi-category URL Filtering after upgrading to PAN-OS 9.0.
    Here’s what’s most important to know about multi-category URL Filtering, with some tips to get started:
    • Multi-category URL Filtering requires a PAN-DB URL Filtering subscription. To confirm that the PAN-DB URL Filtering subscription license is active on the firewall, select
      Device
      Licenses
      ).
      With an active license, the firewall connects to PAN-DB by default.
    • You can Test A Site to see the categories that PAN-DB applies to URLs, and to learn about all the available URL categories.
    • URL Filtering profiles now display your Custom URL Categories,
      External Dynamic URL Lists
      , and
      Pre-defined Categories
       (the PAN-DB categories) together, so that you can choose from these categories when defining policy for website access and usage.
      profile-categories-custom-EDLs-predefined.png
      If you had configured URL Filtering overrides before upgrading to PAN-OS, your override block and allow lists are now converted to
      Custom URL Categories
      , and are displayed in this dropdown, too.
      More about this change:
       In earlier release versions, URL Filtering category overrides had priority enforcement ahead of custom URL categories. As part of the upgrade to PAN-OS 9.0, URL category overrides are converted to custom URL categories, and no longer receive priority enforcement over other custom URL categories. Instead of the action you defined for the category override in previous release versions, the new custom URL category is enforced by the security policy rule with the strictest URL Filtering profile action. From most strict to least strict, possible URL Filtering profile actions are: block, override, continue, alert, and allow. This means that, if you had URL category overrides with the action allow, there’s a possibility the overrides might be blocked after they are converted to custom URL categories in PAN-OS 9.0. Review Upgrade/Downgrade Considerations to learn more, and for workarounds.
    • You can define a custom URL category based on multiple PAN-DB URL categories. A new type of custom URL Category,
      Category Match
      , means that you can target enforcement for a website or page that matches a set of categories. The website or page must match
      all
       of the categories that you list. Here’s how to create custom URL categories.
    • For websites or pages that hold more than one URL category, URL Filtering logs display the URL category with which the firewall based policy enforcement (the
      Category
      ). URL Filtering logs also display all the URL categories for the site (the
      URL Category List
      ).
      To view URL Filtering logs, select
      Monitor
      Logs
      URL Filtering
       and select any entry to learn more about the activity that triggered the log record.
      log-url-filtering-multi-category.png
    • Where applicable, samples in AutoFocus show complete PAN-DB categorization details for each URL a sample connects to during WildFire analysis.
      To view the sample coverage details, select a sample hash in AutoFocus and then click the
      Coverage
       tab.
    • To get started:

    Related Documentation

    URL Categories

    URL Categories PAN-DB classifies websites based on site content, features, and safety. A URL can have up to four categories, including risk categories (high, medium, ...

    Policy Actions You Can Take Based On URL Categories

    Policy Actions You Can Take Based on URL Categories On the firewall, you can use a URL Filtering profile to specify how you would like ...

    Custom URL Categories

    Create a Custom URL Category You can create a custom URL Filtering object to specify exceptions to URL category enforcement, and to create a custom ...

    New Security-Focused URL Categories

    Use the new security-focused URL categories to implement simple security and decryption policies based on website safety, without requiring you to research and individually assess ...

    URL Filtering Profile Actions

    URL Filtering Profile Actions The URL Filtering profile specifies web access and credential submission permissions for each URL category. By default, site access for all ...

    Upgrade/Downgrade Considerations

    Upgrade/Downgrade Considerations The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade ...

    URL Filtering

    URL Filtering Palo Alto Networks URL Filtering allows you to monitor and control the sites users can access, to prevent phishing attacks by controlling the ...

    Content Inspection Features

    Learn about the new content inspection features introduced in PAN-OS 9.0. ...

    URL Filtering Categories

    URL Filtering Categories Select Objects Security Profiles URL Filtering Categories to control access to websites based on URL categories. Categories Settings Description Category Displays the ...

    Transition URL Filtering Profiles Safely to Best Practices

    Apply URL Filtering profiles to allow rules to protect against risky websites and content without risking application availability. ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo