Understand the criteria used to categorize URLs as high-risk,
medium-risk, and low-risk.
Security-focused URL categories can help you to reduce
your attack surface by providing targeted decryption and enforcement
for sites that pose varying levels of risk, but are not confirmed
malicious. Websites are classified with a security-related category
only so long as they meet the criteria for that category; as site
content changes, policy enforcement dynamically adapts. You cannot
submit a change request for security-focused URL categories.
Security-Focused URL Categories
High-risk sites include:
Sites previously confirmed to be malware, phishing, or C2 sites. These sites will remain in this category for at least 30 days.
Unknown domains are classified as high-risk until PAN-DB completes site analysis and categorization.
Sites that are associated with confirmed malicious activity. For example, a page might be high-risk if there are malicious hosts on the same domain, even if the page itself does not contain malicious
Bulletproof ISP-hosted sites.
Domains classified as DDNS due to the presence of an active dynamic DNS configuration.
Sites hosted on IPs from ASNs that are known to allow malicious
Default and Recommended Policy Action: Alert

Medium-risk sites include:
cloud storage sites (with the URL category
Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 30 days. These sites will remain in this category for an additional 60 days.
Unknown IP addresses are categorized as medium-risk until PAN-DB completes site analysis and categorization.
Default and Recommended Policy Action: Alert

Sites that are not medium or high risk are considered low risk. These sites have displayed benign activity for a minimum of 90 days.
Default and Recommended Policy

Identifies sites that have been registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
Default Policy Action: Alert
Recommended Policy Action: Block
domains are often generated purposefully or by domain generation algorithms and used for malicious activity. It is a best practice to block this URL category.