URL Filtering

paloalto security url-filtering profiles


Overview

URL Filtering controls access to websites based on categories, with options to allow, alert, block, continue, or override.


URL Categories

High-Risk Categories (Block)

CategoryDescription
malwareKnown malware distribution
phishingCredential harvesting sites
command-and-controlC2 servers
hackingHacking tools and information
proxy-avoidance-and-anonymizersVPNs, proxies, Tor
graywareAdware, spyware
newly-registered-domainDomains < 32 days old

Productivity Categories (Block/Alert)

CategoryDescription
adultAdult content
gamblingGambling sites
gamesOnline gaming
peer-to-peerP2P/torrent sites
streaming-mediaVideo streaming
social-networkingSocial media

Business Categories (Allow/Alert)

CategoryDescription
business-and-economyBusiness sites
computer-and-internet-infoTech information
financial-servicesBanking, finance
governmentGovernment sites
health-and-medicineHealthcare

Actions

ActionBehaviorUse Case
allowPermit access, no logTrusted categories
alertPermit access, logMonitor usage
blockDeny access, show block pageProhibited content
continueWarn page, user clicks to proceedDiscourage but allow
overridePassword required to accessManager approval needed

Profile Configuration

CLI - Create Profile

# Create URL filtering profile
set profiles url-filtering <profile-name> credential-enforcement mode disabled
 
# Set category actions
set profiles url-filtering <profile-name> block malware
set profiles url-filtering <profile-name> block phishing
set profiles url-filtering <profile-name> block command-and-control
set profiles url-filtering <profile-name> alert social-networking
set profiles url-filtering <profile-name> continue streaming-media

Custom URL Categories

Create custom categories for specific URLs:

# Create custom category
set profiles custom-url-category <name> list [ "*.example.com" "specific.site.com/path" ]
 
# Use in profile
set profiles url-filtering <profile-name> block <custom-category-name>

URL Formats:

  • example.com - Domain and all subdomains
  • *.example.com - All subdomains only
  • example.com/path - Specific path
  • 10.1.1.1 - IP address

HTTP Header Logging

Enable to capture additional details:

HeaderInformation
User-AgentBrowser/client information
RefererSource page
X-Forwarded-ForOriginal client IP (behind proxy)
set profiles url-filtering <profile-name> log-http-hdr-user-agent yes
set profiles url-filtering <profile-name> log-http-hdr-referer yes
set profiles url-filtering <profile-name> log-http-hdr-xff yes

Safe Search Enforcement

Force safe search on search engines:

set profiles url-filtering <profile-name> safe-search-enforcement yes

Supported Engines:

  • Google
  • Bing
  • Yahoo
  • YouTube (Strict Restricted Mode)

Credential Phishing Prevention

Block users from submitting corporate credentials to untrusted sites:

ModeBehavior
disabledNo credential detection
ip-userDetect by source IP + username
domain-credentialsDetect corporate domain credentials
group-mappingDetect based on user group
set profiles url-filtering <profile-name> credential-enforcement mode domain-credentials
set profiles url-filtering <profile-name> credential-enforcement log-severity medium
set profiles url-filtering <profile-name> credential-enforcement categories [ malware phishing ] action block

CLI Commands

View Configuration

# Show URL filtering profiles
show profiles url-filtering
 
# Show custom URL categories
show profiles custom-url-category
 
# Show URL filtering license
show system info | match url

URL Lookup

# Check category for URL
test url-info-cloud url <URL>
 
# Example
test url-info-cloud url www.facebook.com

View Logs

# URL filtering logs
show log url
 
# Filter by action
show log url action block
 
# Filter by category
show log url category malware
 
# Filter by user (if User-ID enabled)
show log url user <username>

Cache Operations

# Show URL cache stats
show url-cloud status
 
# Clear URL cache
debug dataplane reset url-cache

Block Page Customization

Default Response Pages

# View current pages
show response-page
 
# Set custom block page
set response-page url-filtering-block-page <HTML-content>

Variables for Block Pages

VariableDescription
<url/>Blocked URL
<category/>URL category
<user/>Username (if known)
<hostname/>Firewall hostname

PAN-DB vs BrightCloud

FeaturePAN-DBBrightCloud
ProviderPalo AltoThird-party
Categories~80~80
UpdatesReal-time cloudPeriodic
ML ClassificationYesLimited
DefaultYes (newer)Legacy

Check current database:

show system info | match url-filtering

Troubleshooting

URL Not Categorized Correctly

  1. Check current category:

    test url-info-cloud url <URL>
  2. Submit for re-categorization:

  3. Use custom category as override

Block Page Not Showing

  • HTTPS traffic: SSL decryption required to display block page
  • Without decryption: Connection reset (no block page)
# Check if decryption is applied
show log traffic | match ssl

Continue/Override Page Issues

  • Requires SSL decryption
  • Certificate must be trusted by client
  • Session timeout considerations

Best Practices

  1. Start with alert - Monitor before blocking
  2. Block high-risk categories - malware, phishing, C2
  3. Use custom categories - For business-specific allow/block lists
  4. Enable safe search - For regulated environments
  5. Enable credential detection - Prevent phishing
  6. Log HTTP headers - For forensics
  7. Decrypt HTTPS - For full URL visibility and block pages