https://live.paloaltonetworks.com/t5/general-topics/url-category-versus-url-filtering-profile/m-p/164078#M53033 <P>URL Category in the security policy match criteria allows you to <U>vary the security profiles based on the URL category</U>. &nbsp;Security profiles are things like AntiVirus Profiles, Vulnerability Profiles, WildFire Profiles, Anti-Spyware Profiles, File Blocking Profiles, Data Filtering Profiles, etc. &nbsp;</P><P>&nbsp;</P><P>One common use-case is to allow users to visit questionable URL categories, but restrict the file types they can download from those locations.</P><P>&nbsp;</P><P>You need 2 security policy rules to accomplish this. &nbsp;The first policy allows web-browsing with URL category = unknown/parked/insufficient, and then you attach a strict file blocking profile that prevents dangerous file types from being downloaded (PE, pdf, office, java, flash, etc.) &nbsp;</P><P>&nbsp;</P><P>The 2nd security policy is for web-browsing in general, no URL category match, but then you can attach a less restrictive file blocking profile that allows PDFs, office docs, etc.</P><P>&nbsp;</P><P>This concept/tactic is discussed in a little more detail in the "Best Practices for Ransomware Prevention" document, Step #4, found here:</P><P>&nbsp;- <A title="Best Practices for Ransomware Prevention" href="https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-Ransomware-Prevention/ta-p/74148" target="_blank">https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-Ransomware-Prevention/ta-p/74148</A></P><P>&nbsp;</P> Fri, 30 Jun 2017 12:56:07 GMT jvalentine 2017-06-30T12:56:07Z https://live.paloaltonetworks.com/t5/general-topics/url-category-versus-url-filtering-profile/m-p/164044#M53026 <P>When would you use one over the other?</P> Fri, 30 Jun 2017 09:39:36 GMT https://live.paloaltonetworks.com/t5/general-topics/url-category-versus-url-filtering-profile/m-p/164044#M53026 RodO 2017-06-30T09:39:36Z https://live.paloaltonetworks.com/t5/general-topics/url-category-versus-url-filtering-profile/m-p/164068#M53029 <P>URL category in the destination of a security policy will work sort of like a dynamic IP list, it's going to allow a TCP handshake through based on the destination IP belonging to a category</P> <P>&nbsp;</P> <P>URL filtering profile will not care about the session itself (that relies on a web-browsing policy) but will see which url is being accessed and then apply an action with a user-friendly interface if the action is 'negative': a block page will be presented for blocked categories, a continue page can be presented for 'questionable' categories and so on</P> Fri, 30 Jun 2017 10:35:39 GMT https://live.paloaltonetworks.com/t5/general-topics/url-category-versus-url-filtering-profile/m-p/164068#M53029 reaper 2017-06-30T10:35:39Z https://live.paloaltonetworks.com/t5/general-topics/url-category-versus-url-filtering-profile/m-p/164078#M53033 <P>URL Category in the security policy match criteria allows you to <U>vary the security profiles based on the URL category</U>. &nbsp;Security profiles are things like AntiVirus Profiles, Vulnerability Profiles, WildFire Profiles, Anti-Spyware Profiles, File Blocking Profiles, Data Filtering Profiles, etc. &nbsp;</P><P>&nbsp;</P><P>One common use-case is to allow users to visit questionable URL categories, but restrict the file types they can download from those locations.</P><P>&nbsp;</P><P>You need 2 security policy rules to accomplish this. &nbsp;The first policy allows web-browsing with URL category = unknown/parked/insufficient, and then you attach a strict file blocking profile that prevents dangerous file types from being downloaded (PE, pdf, office, java, flash, etc.) &nbsp;</P><P>&nbsp;</P><P>The 2nd security policy is for web-browsing in general, no URL category match, but then you can attach a less restrictive file blocking profile that allows PDFs, office docs, etc.</P><P>&nbsp;</P><P>This concept/tactic is discussed in a little more detail in the "Best Practices for Ransomware Prevention" document, Step #4, found here:</P><P>&nbsp;- <A title="Best Practices for Ransomware Prevention" href="https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-Ransomware-Prevention/ta-p/74148" target="_blank">https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-Ransomware-Prevention/ta-p/74148</A></P><P>&nbsp;</P> Fri, 30 Jun 2017 12:56:07 GMT https://live.paloaltonetworks.com/t5/general-topics/url-category-versus-url-filtering-profile/m-p/164078#M53033 jvalentine 2017-06-30T12:56:07Z