URL Filtering Profiles
Focus
Focus
Advanced URL Filtering

URL Filtering Profiles

Table of Contents

URL Filtering Profiles

Define website access for URL categories and configure user credential submission and safe search enforcement settings.
Where can I use this?What do I need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
Notes:
  • Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
  • Prisma Access licenses include Advanced URL Filtering capabilities.
URL Filtering profiles define how the firewall handles traffic to specific URL categories. A URL Filtering profile is a collection of URL filtering controls that you apply to individual Security policy rules that allow access to the internet. You can configure site access for URL categories, allow or disallow user credential submissions, enable safe search enforcement, and various other settings. To enforce the actions defined in a URL Filtering profile, apply the profile to Security policy rules. The firewall enforces the profile actions on traffic that matches the Security policy rule (for details, see Configure URL Filtering).
The firewall comes with a default profile that blocks threat-prone categories, such as malware, phishing, and adult. You can use the default profile in a Security policy rule, clone it to be used as a starting point for new URL Filtering profiles, or add a new URL Filtering profile. You can customize newly-added URL Filtering profiles and add lists of specific websites that should always be blocked or allowed. For example, you can block the social-networking category but allow access to specific websites in that category. By default, site access for all URL categories is set to allow when you create a basic URL Filtering profile. This means that users will be able to browse to all sites freely and the traffic is not logged.
Create a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitative content.

URL Filtering Profile Policy Actions

In a URL Filtering profile, you can define Site Access for URL categories, allow or disallow User Credential Submissions based on URL category (for example, you can block user credential submissions to medium and high-risk sites), and enable safe search enforcement.
Action
Description
Site Access
alert
The website is allowed and a log entry is generated in the URL filtering log.
Set alert as the Action for categories of traffic you don’t block to log and provide visibility into the traffic.
allow
The website is allowed and no log entry is generated.
Don’t set allow as the Action for categories of traffic you don’t block because you lose visibility into traffic you don’t log. Instead, set alert as the Action for categories of traffic you don’t block to log and provide visibility into the traffic.
block
The website is blocked and the user will see a response page and will not be able to continue to the website. A log entry is generated in the URL filtering log.
Blocking site access for a URL category also sets User Credential Submissions for that URL category to block.
continue
The user will be prompted with a response page indicating that the site has been blocked due to company policy, but the user is prompted with the option to continue to the website. The continue action is typically used for categories that are considered benign and is used to improve the user experience by giving them the option to continue if they feel the site is incorrectly categorized. The response page message can be customized to contain details specific to your company. A log entry is generated in the URL filtering log.
The Continue page doesn’t display properly on client systems configured to use a proxy server.
override
The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security admin or help desk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL filtering log. See Allow Password Access to Certain Sites.
In earlier release versions, URL Filtering category overrides had priority enforcement ahead of custom URL categories. As part of the upgrade to PAN-OS 9.0, URL category overrides are converted to custom URL categories, and no longer receive priority enforcement over other custom URL categories. Instead of the action you defined for the category override in previous release versions, the new custom URL category is enforced by the Security policy rule with the strictest URL Filtering profile action. From most strict to least strict, possible URL Filtering profile actions are: block, override, continue, alert, and allow.
This means that, if you had URL category overrides with the action allow, there’s a possibility the overrides might be blocked after they are converted to custom URL category in PAN-OS 9.0.
The Override page doesn’t display properly on client systems configured to use a proxy server.
none
The none action only applies to custom URL categories. Select none to ensure that if multiple URL profiles exist, the custom category will not have any impact on other profiles. For example, if you have two URL profiles and the custom URL category is set to block in one profile, if you do not want the block action to apply to the other profile, you must set the action to none.
Also, in order to delete a custom URL category, it must be set to none in any profile where it is used.
User Credential Permissions
These settings require you to first set up credential phishing prevention.
alert
Allow users to submit corporate credentials to sites in this URL category, but generate a URL Filtering alert log each time this occurs.
allow (default)
Allow users to submit corporate credentials to websites in this URL category.
block
Block users from submitting corporate credentials to websites in this category. A default anti-phishing response page is displayed to users when they access sites to which corporate credential submissions are blocked. You can customize the block page that displays.
continue
Display a response page to users that prompts them to select Continue to access to access the site. By default, the Anti Phishing Continue Page is shown to user when they access sites to which credential submissions are discouraged. You can customize the response page to warn users against phishing attempts or reusing their credentials on other websites, for example.