URL Filtering Categories

Select
Objects
Security Profiles
URL Filtering
Categories
to control access to websites based on URL categories.
Categories Settings
Description
Category
Displays the URL categories and lists for which you can define web access and usage policy. By default, the
Site Access
and
User Credential Submission
permissions for all categories are set to
Allow
.
URL categories and lists are grouped into three drop-downs:
  • Custom URL Categories
    —Select Objects > Custom Objects > URL Category to define a custom URL category. You can base custom URL categories on a list of URLs or on multiple predefined categories.
  • External Dynamic URL Lists
    — Select Objects > External Dynamic Lists to enable the firewall to import a list of URLs from a web server.
  • Pre-defined Categories
    —Lists all URL categories defined by PAN-DB, the Palo Alto Networks URL, and the IP cloud database.
    Block
    all known dangerous URL categories to protect against exploit infiltration, malware download, command-and-control activity, and data exfiltration:
    command-and-control
    ,
    copyright-infringement
    ,
    dynamic-dns
    ,
    extremism
    ,
    malware
    ,
    phishing
    ,
    proxy-avoidance-and-anonymizers
    , and
    parked
    .
    To phase in a block policy, set categories to
    continue
    and create a custom response page to educate users about your use policy and alert them that they are visiting a site that potentially poses a threat. After a suitable period of time, transition to a policy that blocks these potentially malicious sites.
Site Access
For each URL category, select the action to take when a user attempts to access a URL in that category:
  • alert
    —Allows access to the web site but adds an alert to the URL log each time a user accesses the URL.
    Set
    alert
    as the Action for categories of traffic that you don’t block so that it logs the access attempt and provides visibility into the traffic.
  • allow
    —Allows access to the web site.
    Because
    allow
    doesn’t log unblocked traffic, set
    alert
    as the Action for categories of traffic you don’t block if you want to log the access attempts and provide visibility into that traffic.
  • block
    —Blocks access to the website. If the Site Access to a URL category is set to block, then the User Credential Submission permissions are automatically also set to block.
  • continue
    —Displays a warning page to users to discourage them from accessing the website. The user must then choose to
    Continue
    to the website if they decide to ignore the warning.
The continue (warning) pages are not displayed properly on client machines that are configured to use a proxy server.
  • override
    —Displays a response page that prompts the user to enter a valid password to gain access to the site. Configure URL Admin Override settings (
    Device
    Setup
    Content ID
    ) to manage password and other override settings. (See also the Management Settings table in Device > Setup > Content-ID).
The override pages are not displayed properly on client machines that are configured to use a proxy server.
  • none
    (
    custom URL category only
    )—If you created custom URL categories, set the action to
    none
    to allow the firewall to inherit the URL filtering category assignment from your URL database vendor. Setting the action to
    none
    gives you the flexibility to ignore custom categories in a URL filtering profile while allowing you to use the custom URL category as a match criteria in policy rules (Security, Decryption, and QoS) to make exceptions or to enforce different actions. To delete a custom URL category, you must set the action to
    none
    in any profile where the custom category is used. For information on custom URL categories, see Objects > Custom Objects > URL Category.
User Credential Submission
For each URL category, select
User Credential Submissions
to allow or disallow users from submitting valid corporate credentials to a URL in that category. Before you can control user credential submissions based on URL category, you must enable credential submission detection (select the
User Credential Detection
tab).
URL categories with the
Site Access
set to block are set to automatically also block user credential submissions.
  • alert
    —Allows users to submit credentials to the website, but generate a URL Filtering log each time a user submits credentials to sites in this category.
  • allow
    (default)—Allows users to submit credentials to the website.
  • block
    —Blocks users from submitting credentials to the website. A default anti-phishing response page blocks user credential submissions.
  • continue
    —Displays a response page to users that prompts them to select
    Continue
    to submit credentials to the site. By default, an anti-phishing continue page displays to warn users when they attempt to submit credentials to sites to which credential submissions are discouraged. You can choose to create a custom response page to warn users against phishing attempts or to educate them against reusing valid corporate credentials on other websites.
Check URL Category
Click to access the PAN-DB URL Filtering database, where you can enter a URL or IP address to view categorization information.
Dynamic URL Filtering (disabled by default)
(
Configurable for BrightCloud only
)
Select to enable cloud lookup for categorizing the URL. This option is invoked if the local database is unable to categorize the URL.
If the URL is unresolved after a 5 second timeout, the response is displayed as
Not resolved URL
.
With PAN-DB, this option is enabled by default and is not configurable.

Related Documentation