Multi-Category URL Filtering
PAN-DB classifies URLs with multiple categories, so that
you can granularly control web access and how users interact with online
content.
PAN-DB, the Palo Alto Networks URL database,
now assigns multiple categories to URLs that classify a site’s content,
purpose, and safety. Every URL now has up to four categories, including
a risk category that indicates
how likely it is that the site will expose you to threats. More
granular URL categorizations means that you can move beyond a basic
"block-or-allow" approach to web access. Instead, you can control
how your users
interact
with online content that,
while necessary for business, is more likely to be used as part
of a cyberattack. For instance, you might consider certain
URL categories risky to your organization, but are hesitant to block
them outright as they also provide valuable resources or services
(like cloud storage services or blogs). Now, you can allow users
to visit sites that fall into these types of URL categories, while
also protecting your network by decrypting and inspecting traffic
and enforcing read-only access to the content.
With multi-category
URL filtering, PAN-DB might classify a developer blog that your
engineers use for research as:
- personal-sites-and-blogs
- computer-and-internet-info
- high-risk
The blog might be high-risk because
a malware-infected blog is hosted on the same domain. You’d like
your users to be able to access the blog, but want to protect against
potential threats. Now, you could design your security policy to
allow personal-sites-and-blogs and computer-and-internet-info, and
then very strictly limit the options available to users when accessing
high-risk content (for example, block obfuscated Javascript, enable
credential theft prevention, and restrict dangerous file downloads).
If
you’re already enforcing security policy based on URL categories,
you will automatically start to benefit from multi-category URL filtering
after upgrading to PAN-OS 9.0.
Here’s what’s most important
to know about multi-category URL filtering, with some tips to get
started:
- Multi-category URL filtering requires a PAN-DB URL Filtering subscription. To confirm that the PAN-DB URL Filtering subscription license is active on the firewall, select ).With an active license, the firewall connects to PAN-DB by default.
- You can useTest A Site to see the categories that PAN-DB applies to URLs and to learn about all the available URL categories.
- URL Filtering profiles now display your Custom URL Categories,External Dynamic URL Lists, andPre-defined Categories(the PAN-DB categories) together, so that you can choose from these categories when defining policy for website access and usage.
If you had configured URL filtering overrides before upgrading to PAN-OS 9.0, your override block and allow lists are now converted toCustom URL Categoriesand are displayed in this dropdown, too.The conversion of overrides to custom URL categories can cause previously allowed URLs to be blocked by the firewall. For more details on the implications of this change and workarounds, review Upgrade/Downgrade Considerations. - You can define a custom URL category based on multiple PAN-DB URL categories. A new type of custom URL category,Category Match, means that you can target enforcement for a website or page that matches a set of categories. The website or page must match all of the categories that you list. Here’s how to create custom URL categories.
- For websites or pages that hold more than one URL category, URL Filtering logs display the URL category on which the firewall based policy enforcement (theCategory). URL Filtering logs also display all the URL categories for the site (theURL Category List).To view URL Filtering logs, select and select any entry to learn more about the activity that triggered the log record.
- Where applicable, samples in AutoFocus show complete PAN-DB categorization details for each URL a sample connects to during WildFire analysis.To view the sample coverage details, select a sample hash in AutoFocus and then click theCoveragetab.
- To get started:
- Visit https://docs.paloaltonetworks.com/url-filtering.html for everything you need to know about URL filtering.
- Follow the complete work flow to configure URL Filtering, and start enforcing security policy based on URL categories.
- Learn about New Security-Focused URL Categories that allow you to control site access and how users interact with online content based on site safety.
