Domain/IP categorisation

L.Cartooms — Tue, 23 Sep 2025 09:46:27 GMT

Hi all,

I am using a PA-5250 with PAN-OS 11.1.6-h10. Our environment makes use of the automated correlation engine correlated events. So for example we get alerts like this one:

Host repeatedly visited uncategorized domain (6 times), and performed EXE downloads from these domains.

The hosts that are responsible for generating these alerts are legitimate in our case.
So a fix would be to categorise the matching domain with the URL filtering tool Palo Alto Networks URL filtering - Test A Site. I was wondering if I could categorise the hosts locally on the Palo Alto Firewall instead of using the URL filtering tool.

The hosts I would like to categorise are public IP adresses instead of url's/ dns names since the IP adresses that generate these alerts do not have any DNS record pointing to them. And since there are quit a bit of IP adresses I would like to categorise these locally on the firewall itself. I have already tried making a custom URL Category and adding the IP adresses here. But this seems to have no effect. The correlated events are still coming in.

Anyone here knows a way to achieve this if this is even possible?

Thanks in advance!

Re: Domain/IP categorisation

reaper — Thu, 25 Sep 2025 14:40:40 GMT

you can use an API to query the firewall for a url category:

curl -k "https://<firewall IP>/api/?key="<APIkey>"&type=op&cmd=<test><url>yoursitehere</url></test>

topic Re: Domain/IP categorisation in General Topics

Domain/IP categorisation

Re: Domain/IP categorisation