New Security-Focused URL Categories

New security-focused URL categories enable you to implement simple security and decryption policies based on website safety, without requiring you to research and individually assess the sites that are likely to expose you to web-based threats.
The new categories can help you to reduce your attack surface by providing targeted decryption and enforcement for sites that pose varying levels of risk, but are not confirmed malicious. Websites are classified with a security-related category only so long as they meet the criteria for that category; as site content changes, policy enforcement dynamically adapts.
Because Multi-Category URL Filtering allows URLs to be classified with multiple categories, all URLs—except those that are confirmed malware, C2, or phishing sites—now include one of the risk categories, to indicate the level of suspicious activity the site displays. Unlike URL categories that identify page content and function, risk categories are always assigned at the domain level (the risk category for an individual URL is inherited from its domain).
The following table describes each of the new security-focused URL categories and its default policy action. If you choose not to block the newly-registered domains, high-risk, and medium-risk categories, we recommend the following best practices to strictly control user access to and interaction with these types of sites:
  • Target decryption to high-risk, medium-risk, and newly-registered domains.
  • Enable the strict predefined Anti-Spyware, Vulnerability Protection, and File Blocking profiles, and implement the best practices for each profile. To view the strict predefined security profiles, select Objects > Security Profiles > Anti-Spyware / Vulnerability Protection / File Blocking. You can’t edit a predefined profile, but you can clone a predefined profile to use it as a template for a new profile.
  • Build a URL Filtering profile that blocks all recommended categories. You can clone the default URL Filtering profile to get started, but you’ll need to update the action for newly-registered domains to block.
  • Prevent phishing attacks by blocking users from submitting their corporate credentials to high-risk, medium-risk, and newly-registered domains.
  • Display a response page to users when they visit high- and medium-risk sites. Alert them that the site they are attempting to access is potentially malicious, and advise them on how to take precautions if they decide to continue to the site.
Change requests are not supported for risk categories or newly-registered domains.
Security-Focused URL Categories
High-Risk
High-risk sites include:
  • Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 30 days.
  • Unknown domains, which are classified as high-risk until PAN-DB completes site analysis and categorization.
  • Sites that are associated with confirmed malicious activity. For example, a page might be high-risk if there are malicious hosts on the same domain, even if the page itself does not contain malicious content.
  • Bulletproof ISP-hosted sites.
  • Sites hosted on IPs from ASNs that are known to allow malicious content.
Default and Recommended Policy Action: Alert
Medium-Risk
Medium-risk sites include:
  • All cloud storage sites (with the URL category online-storage-and-backup).
  • Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 60 days.
  • Unknown IP addresses, which are categorized as medium-risk until PAN-DB completes site analysis and categorization.
Default and Recommended Policy Action: Alert
Low-Risk
Sites that are not medium or high risk are considered low risk. These sites have displayed benign activity for a minimum of 90 days.
Default and Recommended Policy Action: Allow
Newly-Registered Domains
Identifies sites that have been registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
Default Policy Action: Alert
Recommended Policy Action: Block
Newly-registered domains are often generated purposefully or by domain generation algorithms and used for malicious activity. It is a best practice to block this URL category.
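As an added illustration (not code from the original page or from PAN-OS), the following Python models how the categories and recommendations above fit together: a URL inherits its risk category from its domain, unknown domains default to high-risk and unknown IP addresses to medium-risk, a URL Filtering profile applies the recommended action (block) to newly-registered domains, and high-risk, medium-risk, and newly-registered domains are targeted for decryption. It assumes that when a URL matches several categories the most restrictive action wins; all domain verdicts are constructed sample data.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

# Severity used to combine actions when a URL matches several categories.
# Assumption for this example: the most restrictive action wins.
SEVERITY = {"allow": 0, "alert": 1, "block": 2}

# URL Filtering profile actions for the categories discussed on this page:
# risk categories keep their defaults, newly-registered-domains is raised to
# the recommended action (block), confirmed-malicious categories are blocked.
PROFILE = {
    "high-risk": "alert", "medium-risk": "alert", "low-risk": "allow",
    "newly-registered-domains": "block", "malware": "block",
    "command-and-control": "block", "phishing": "block",
    "online-storage-and-backup": "allow",
}

# Categories that get targeted decryption per the best-practice list above.
DECRYPT_CATEGORIES = {"high-risk", "medium-risk", "newly-registered-domains"}

# Constructed sample verdicts (not real PAN-DB data). Risk is stored per
# domain, since a URL inherits its risk category from its domain; content
# categories are stored per URL.
DOMAIN_CATEGORIES = {
    "files.example-storage.test": ["medium-risk"],
    "brand-new-site.test": ["high-risk", "newly-registered-domains"],
    "docs.example.test": ["low-risk"],
    "c2.badhost.test": ["command-and-control"],
}
URL_CONTENT_CATEGORIES = {
    "https://files.example-storage.test/share/abc": ["online-storage-and-backup"],
}

def categories_for(url):
    """Domain-level risk plus any URL-level content categories."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)          # unknown IP addresses default to medium-risk
        fallback = ["medium-risk"]
    except ValueError:
        fallback = ["high-risk"]  # unknown domains default to high-risk
    cats = set(DOMAIN_CATEGORIES.get(host, fallback))
    return sorted(cats | set(URL_CONTENT_CATEGORIES.get(url, [])))

def evaluate(url):
    """Return the profile action and whether targeted decryption applies."""
    cats = categories_for(url)
    action = max((PROFILE.get(c, "allow") for c in cats), key=SEVERITY.__getitem__)
    return {"categories": cats, "action": action, "decrypt": bool(DECRYPT_CATEGORIES & set(cats))}
```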