URL Filtering
paloalto security url-filtering profiles
Overview
URL Filtering controls access to websites based on categories, with options to allow, alert, block, continue, or override.
URL Categories
High-Risk Categories (Block)
| Category | Description |
|---|---|
| malware | Known malware distribution |
| phishing | Credential harvesting sites |
| command-and-control | C2 servers |
| hacking | Hacking tools and information |
| proxy-avoidance-and-anonymizers | VPNs, proxies, Tor |
| grayware | Adware, spyware |
| newly-registered-domain | Domains < 32 days old |
Productivity Categories (Block/Alert)
| Category | Description |
|---|---|
| adult | Adult content |
| gambling | Gambling sites |
| games | Online gaming |
| peer-to-peer | P2P/torrent sites |
| streaming-media | Video streaming |
| social-networking | Social media |
Business Categories (Allow/Alert)
| Category | Description |
|---|---|
| business-and-economy | Business sites |
| computer-and-internet-info | Tech information |
| financial-services | Banking, finance |
| government | Government sites |
| health-and-medicine | Healthcare |
Actions
| Action | Behavior | Use Case |
|---|---|---|
| allow | Permit access, no log | Trusted categories |
| alert | Permit access, log | Monitor usage |
| block | Deny access, show block page | Prohibited content |
| continue | Warn page, user clicks to proceed | Discourage but allow |
| override | Password required to access | Manager approval needed |
Profile Configuration
CLI - Create Profile
# Create URL filtering profile
set profiles url-filtering <profile-name> credential-enforcement mode disabled
# Set category actions
set profiles url-filtering <profile-name> block malware
set profiles url-filtering <profile-name> block phishing
set profiles url-filtering <profile-name> block command-and-control
set profiles url-filtering <profile-name> alert social-networking
set profiles url-filtering <profile-name> continue streaming-mediaCustom URL Categories
Create custom categories for specific URLs:
# Create custom category
set profiles custom-url-category <name> list [ "*.example.com" "specific.site.com/path" ]
# Use in profile
set profiles url-filtering <profile-name> block <custom-category-name>URL Formats:
example.com- Domain and all subdomains*.example.com- All subdomains onlyexample.com/path- Specific path10.1.1.1- IP address
HTTP Header Logging
Enable to capture additional details:
| Header | Information |
|---|---|
| User-Agent | Browser/client information |
| Referer | Source page |
| X-Forwarded-For | Original client IP (behind proxy) |
set profiles url-filtering <profile-name> log-http-hdr-user-agent yes
set profiles url-filtering <profile-name> log-http-hdr-referer yes
set profiles url-filtering <profile-name> log-http-hdr-xff yesSafe Search Enforcement
Force safe search on search engines:
set profiles url-filtering <profile-name> safe-search-enforcement yesSupported Engines:
- Bing
- Yahoo
- YouTube (Strict Restricted Mode)
Credential Phishing Prevention
Block users from submitting corporate credentials to untrusted sites:
| Mode | Behavior |
|---|---|
| disabled | No credential detection |
| ip-user | Detect by source IP + username |
| domain-credentials | Detect corporate domain credentials |
| group-mapping | Detect based on user group |
set profiles url-filtering <profile-name> credential-enforcement mode domain-credentials
set profiles url-filtering <profile-name> credential-enforcement log-severity medium
set profiles url-filtering <profile-name> credential-enforcement categories [ malware phishing ] action blockCLI Commands
View Configuration
# Show URL filtering profiles
show profiles url-filtering
# Show custom URL categories
show profiles custom-url-category
# Show URL filtering license
show system info | match urlURL Lookup
# Check category for URL
test url-info-cloud url <URL>
# Example
test url-info-cloud url www.facebook.comView Logs
# URL filtering logs
show log url
# Filter by action
show log url action block
# Filter by category
show log url category malware
# Filter by user (if User-ID enabled)
show log url user <username>Cache Operations
# Show URL cache stats
show url-cloud status
# Clear URL cache
debug dataplane reset url-cacheBlock Page Customization
Default Response Pages
# View current pages
show response-page
# Set custom block page
set response-page url-filtering-block-page <HTML-content>Variables for Block Pages
| Variable | Description |
|---|---|
<url/> | Blocked URL |
<category/> | URL category |
<user/> | Username (if known) |
<hostname/> | Firewall hostname |
PAN-DB vs BrightCloud
| Feature | PAN-DB | BrightCloud |
|---|---|---|
| Provider | Palo Alto | Third-party |
| Categories | ~80 | ~80 |
| Updates | Real-time cloud | Periodic |
| ML Classification | Yes | Limited |
| Default | Yes (newer) | Legacy |
Check current database:
show system info | match url-filteringTroubleshooting
URL Not Categorized Correctly
-
Check current category:
test url-info-cloud url <URL> -
Submit for re-categorization:
-
Use custom category as override
Block Page Not Showing
- HTTPS traffic: SSL decryption required to display block page
- Without decryption: Connection reset (no block page)
# Check if decryption is applied
show log traffic | match sslContinue/Override Page Issues
- Requires SSL decryption
- Certificate must be trusted by client
- Session timeout considerations
Best Practices
- Start with alert - Monitor before blocking
- Block high-risk categories - malware, phishing, C2
- Use custom categories - For business-specific allow/block lists
- Enable safe search - For regulated environments
- Enable credential detection - Prevent phishing
- Log HTTP headers - For forensics
- Decrypt HTTPS - For full URL visibility and block pages