Palo Alto Networks URL Filtering Solution
Focus
Focus
Advanced URL Filtering

Palo Alto Networks URL Filtering Solution

Table of Contents

Palo Alto Networks URL Filtering Solution

Palo Alto Networks URL filtering solution enables you to block and allow access to websites based on URL category and information such as user and group.
Where can I use this?What do I need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
Notes:
  • Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
  • Prisma Access licenses include Advanced URL Filtering capabilities.
Advanced URL Filtering (preceded by URL Filtering) is a subscription service that protects your network and its users against malicious and evasive web-based threats—both known and unknown. The subscription provides the same functionality as URL Filtering—granular URL filtering control, visibility into user web activity, safe search enforcement, and credential phishing prevention—with the addition of full web content inspection using an inline machine learning-based web security engine. The inline web security engine enables real-time analysis and categorization of URLs that are not present in PAN-DB, Palo Alto Networks cloud-based URL database. Then, the engine determines the action the firewall takes.
Advanced URL Filtering protects against malicious URLs that are updated or introduced before PAN-DB has analyzed and added them to the database. With Advanced URL Filtering enabled, URL requests are:
  • Analyzed in real-time using the cloud-based Advanced URL Filtering detection modules. This is in addition to URLs being compared to entries in PAN-DB. The ML-powered web protection engine detects and blocks the malicious websites that PAN-DB cannot.
  • Inspected for phishing and malicious JavaScript using local inline categorization, a firewall-based analysis solution, which can block unknown malicious web pages in real-time.
Advanced URL Filtering licenses are supported on next-generation firewalls running PAN-OS 9.1 and later. You can manage URL filtering features on the PAN-OS and Panorama web interface, Prisma Access, and Cloud NGFW platforms. However, some URL filtering features are not available on each platform.
If network security requirements in your enterprise prohibit the firewalls from directly accessing the Internet, Palo Alto Networks provides an offline URL filtering solution with the PAN-DB private cloud. You can deploy a PAN-DB private cloud on one or more M-600 appliances that function as PAN-DB servers within your network; however, the private cloud does not support any of the cloud-based URL analysis features provided by the Advanced URL Filtering solution.

Legacy URL Filtering Subscription

URL Filtering enforces policy rules for websites stored in your local cache or PAN-DB. When a user requests a website, the firewall checks the local cache for its URL category. If the website isn't in the cache, the firewall queries PAN-DB to decide which action to apply. As a result, attackers are better able to launch precision attack campaigns using URLs that aren't present in the cloud-based database.
Legacy subscription holders can continue using their URL filtering deployment until the end of the license term.