https://live.paloaltonetworks.com/t5/general-topics/why-cant-a-url-be-used-directly-in-a-policy/m-p/563293#M114088 <P>Hi,&nbsp;<BR /><BR />I understand that to block an individual URL it has to be in a custom category before it can be used in a policy as a destination. For my own education and curiosity, my question is why must it be in a category? What is the processing logic in the firewall that makes this a requirement?</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 26 Oct 2023 20:29:03 GMT ABurger 2023-10-26T20:29:03Z https://live.paloaltonetworks.com/t5/general-topics/why-cant-a-url-be-used-directly-in-a-policy/m-p/563293#M114088 <P>Hi,&nbsp;<BR /><BR />I understand that to block an individual URL it has to be in a custom category before it can be used in a policy as a destination. For my own education and curiosity, my question is why must it be in a category? What is the processing logic in the firewall that makes this a requirement?</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 26 Oct 2023 20:29:03 GMT https://live.paloaltonetworks.com/t5/general-topics/why-cant-a-url-be-used-directly-in-a-policy/m-p/563293#M114088 ABurger 2023-10-26T20:29:03Z https://live.paloaltonetworks.com/t5/general-topics/why-cant-a-url-be-used-directly-in-a-policy/m-p/563439#M114101 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/119516">@ABurger</a>,</P> <P>It would be drastically more resource intensive to check the rulebase against a single URL versus the category. On the backend PAN would have to convert every URL entry utilized in the security rulebase (or every group of URLs used in a security rulebase entry) to it's own individual category. Then you'd have to deal with the fact that URL Filtering profiles exist and wouldn't have a defined action for the dynamic category that it's creating, so it would have to assume intent (IE: If the security entry allows access to a URL, do they default to that being a category action of "allow" or "alert"?). What about credential enforcement action? This is also all negating any platform limits and the fact that any VSYS can only ever have 500 custom categories.</P> <P>&nbsp;</P> <P>In short, it's resource intensive and doing so isn't conducive to properly following assigned profiles if it's dynamically building categories on the backend to keep overhead to a minimum. They'd need to not only give you the ability to dynamically build categories if you specified URLs in an entry, but they would also need to allow you to set URL Filtering behavior for those categories and dynamically build out additional profiles for each new entry as well.</P> <P>That would be an incredible amount of management overhead when building the running-config and would put people much closer to running into platform limitations because of the processing overhead.&nbsp;</P> Sat, 28 Oct 2023 04:55:35 GMT https://live.paloaltonetworks.com/t5/general-topics/why-cant-a-url-be-used-directly-in-a-policy/m-p/563439#M114101 BPry 2023-10-28T04:55:35Z https://live.paloaltonetworks.com/t5/general-topics/why-cant-a-url-be-used-directly-in-a-policy/m-p/563490#M114109 <P>That makes sense, thank you very much!</P> Mon, 30 Oct 2023 07:25:57 GMT https://live.paloaltonetworks.com/t5/general-topics/why-cant-a-url-be-used-directly-in-a-policy/m-p/563490#M114109 ABurger 2023-10-30T07:25:57Z