Palo Alto Networks URL Filtering

What are the benefits of PAN-DB URL filtering?

URL filtering gives you total control over web activity. By providing visibility and control from both an application and web perspective, URL filtering protects you from a full spectrum of legal, regulatory, productivity, and resource utilization risks.

Among other benefits, URL filtering allows you to:

  • Control web browsing based on category or through customized white or blacklists.
  • Specify your group-based web browsing policies with user repository integration.
  • Enable SSL decryption policies by allowing encrypted access to specific web sites about topics your employees enjoy – like health, finance, and shopping – while decrypting traffic to all other sites such as blogs, forums, and entertainment sites.
  • Enable bandwidth control for designated categories by creating QoS policies for specified URL categories.
  • Gain additional visibility and control over web traffic.

What are the available URL filtering profile actions?

  • Alert - The website is allowed and a log entry is generated in the URL filtering log.
  • Allow - The website is allowed and no log entry is generated.
  • Block - The website is blocked and the user will see a response page and will not be able to continue to the website.
  • Continue - The user will be prompted with a response page indicating that the site has been blocked due to company policy, but the user is prompted with the option to continue to the website.
  • Override - The user will see a response page indicating that a password is required to allow access to websites in the given category.
  • None - The none action only applies to custom URL categories. Select none to ensure that if multiple URL profiles exist, the custom category will not have any impact on other profiles.

Note: URL filtering logs and reports show all user web activity for URL categories that are set to alert, block, continue, or override; categories set to allow are not logged. We highly recommend always following the principle of least privilege when implementing your URL filtering profile actions.

Is there a list of all URL categories available?

You can access a full list of PAN-DB URL categories here: PAN URL Category List

Additionally, you can download and use this worksheet provided by Digital Scepter to plan your URL filtering policy: Click here to download

This worksheet was created in May 2015 and is for informational purposes only: Lightspeed to PAN-DB Category Mappings

How do you check if a site is properly categorized?

You can retrieve the category information for a URL or IP address using the PAN “Test a Site” tool: found here

How do you block a specific website?

For organizations that need more granular control over URL filtering, it is common practice to develop both a custom URL blacklist category and a custom URL whitelist category. To block a specific URL, you will need to create a custom blacklist category and add the URL you wish to block to that list.

Entries in the block list must be an exact match and are case-insensitive. For example, if you want to prevent a user from accessing any website within the domain example.com, you would also add *.example.com, so that whatever domain prefix (http://, www, or a sub-domain prefix such as mail.example.com) is added to the address, the specified action will be taken. The same applies to the sub-domain suffix: if you want to block example.com/en/US, you would need to add example.com/* as well.

For more details, read the PAN guidelines for block and allow lists: found here
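The check below is an added example, not code from Palo Alto Networks or from this page: it models the matching rules as described above (exact match, case-insensitive, with * as a wildcard) so a planned block list can be tested for gaps before it is deployed. The function names and sample URLs are hypothetical, and treating * as "one or more characters" is a simplifying assumption rather than the firewall's own matcher.

```python
import re

# Constructed sample requests, taken from the cases the text above walks through.
SAMPLE_URLS = ["http://example.com", "WWW.Example.com",
               "mail.example.com", "example.com/en/US"]
BARE_LIST = ["example.com"]
FULL_LIST = ["example.com", "*.example.com", "example.com/*"]


def normalize(url):
    """Lowercase and drop the scheme: entries are case-insensitive and written without http://."""
    url = url.strip().lower()
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url).rstrip("/")


def entry_to_regex(entry):
    """Assumption: '*' stands for one or more characters; everything else is literal."""
    literals = [re.escape(part) for part in entry.strip().lower().split("*")]
    return re.compile(".+".join(literals))


def matching_entry(url, entries):
    """Return the first entry that matches the whole normalized URL, or None."""
    target = normalize(url)
    for entry in entries:
        if entry_to_regex(entry).fullmatch(target):
            return entry
    return None


def coverage_gaps(urls, entries):
    """URLs that no entry matches, i.e. requests the custom category would miss."""
    return [u for u in urls if matching_entry(u, entries) is None]


if __name__ == "__main__":
    for name, entries in (("bare", BARE_LIST), ("full", FULL_LIST)):
        print(name, "list misses:", coverage_gaps(SAMPLE_URLS, entries))
```

Confirm the result on the firewall itself, since this model only reflects the rules as summarized on this page.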

What categories are commonly blocked?

While each situation/environment is unique, URL filtering is an important tool for stopping attacks, since malware/hackers will reach out to their domains to download further malware and communicate. Palo Alto Networks maintains various security-related URL categories that we recommend blocking even for “free speech” environments such as Higher Education.

These are the categories:

  • malware
  • phishing
  • questionable
  • parked
  • proxy-avoidance-and-anonymizers
  • unknown
  • dynamic-dns (These are fast-flux sites used by hackers)

Palo Alto Networks learns about these sites in a variety of ways, but a primary source is the global WildFire network, which collects and analyzes the behavior of millions of malware samples per day from more than 9000 WildFire customers.

Reference: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/url-filtering.html