https://live.paloaltonetworks.com/t5/general-topics/using-custom-url-categories/m-p/252553#M71774 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/104413">@JackField</a>&nbsp;,</P><P>You would be better off creating a custom threat signature for something like this instead of a URL category.&nbsp;</P> Wed, 06 Mar 2019 18:25:31 GMT BPry 2019-03-06T18:25:31Z https://live.paloaltonetworks.com/t5/general-topics/using-custom-url-categories/m-p/252505#M71767 <P>Hi guys,</P><P>&nbsp;</P><P>We're trying to stop users from accessing webpages featuring 'momo' content.</P><P>&nbsp;</P><P>We've set up the below custom URL category and it only blocks Google searches for momo while in incognito mode, and still allows Google image and Youtube results.&nbsp; Is there anything wrong with this, we may have gone OTT trying to get this to work:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="URL category.png" style="width: 567px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/18987i274D3EECBC5069AB/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="URL category.png" alt="URL category.png" /></span></P><P>&nbsp;</P><P>Using asterisks gives us errors.</P><P>&nbsp;</P><P>Thanks,</P><P>J</P> Wed, 06 Mar 2019 14:21:55 GMT https://live.paloaltonetworks.com/t5/general-topics/using-custom-url-categories/m-p/252505#M71767 JackField 2019-03-06T14:21:55Z https://live.paloaltonetworks.com/t5/general-topics/using-custom-url-categories/m-p/252553#M71774 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/104413">@JackField</a>&nbsp;,</P><P>You would be better off creating a custom threat signature for something like this instead of a URL category.&nbsp;</P> Wed, 06 Mar 2019 18:25:31 GMT https://live.paloaltonetworks.com/t5/general-topics/using-custom-url-categories/m-p/252553#M71774 BPry 2019-03-06T18:25:31Z https://live.paloaltonetworks.com/t5/general-topics/using-custom-url-categories/m-p/252658#M71793 <P>I agree with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;,&nbsp;url filtering will limit your scope while a custom threat will be able to inspect payload etc</P> <P>&nbsp;</P> Thu, 07 Mar 2019 12:37:32 GMT https://live.paloaltonetworks.com/t5/general-topics/using-custom-url-categories/m-p/252658#M71793 reaper 2019-03-07T12:37:32Z https://live.paloaltonetworks.com/t5/general-topics/using-custom-url-categories/m-p/253303#M71947 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;,&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;,</P><P>&nbsp;</P><P>Thanks for the help.&nbsp; I've been looking into this and it certainly seems the right path.</P><P>&nbsp;</P><P>I'm running into a brick wall at the moment though.&nbsp; My Regex's only work with limited effect, and once a search for the malicious term 'momo' has sucessfully established, my vulnerability protections no longer work.&nbsp; Could you please advise, I've listed them below.</P><P>&nbsp;</P><P>A big part of the problem is that regex's have to be 7 bytes or larger without wildcard objects; so momo on it's own won't work.</P><P>&nbsp;</P><P>Interestingly, one of my Regex's -&nbsp;momohoax|momo|momodanger|momowhatsapp|momochallenge|momo.|.momo|.momo. - context = http-req-message-body - will block me from working on the custom vulnerability object after it's been commited.&nbsp; This is a good thing, since it shows the protection is working on websites holding 'momo' content, but it is only working on the firewall config.&nbsp; I have set up the security profiles and policies correctly, and decryption is enabled.</P><P>&nbsp;</P><P>Here's the regex's that have only limited scope:</P><P>&nbsp;</P><P>Context: http-req-params - Value:&nbsp;search\?q=(.*momo\+.*)</P><P>Context: http-req-params - Value:&nbsp;search\?q=(.*.momo.*)</P><P>Context: http-req-params - Value:&nbsp;search\?q=(.*.momo*.*)\&amp;source=.</P><P>Context: http-req-params - Value:&nbsp;.*(q=momo&amp;rlz=).*</P><P>Context: http-req-params - Value:&nbsp;search_query=(.*.momo.*).*</P><P>Context: http-req-message-body Value:&nbsp;momohoax|momo|momodanger|momowhatsapp|momochallenge|momo.|.momo|.momo.</P><P>&nbsp;</P><P>I know it's possible to create a condition that will block any webpage with momo on it, I'm just stumped as to how!</P><P>&nbsp;</P><P>Thanks,</P><P>J</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 10:11:36 GMT https://live.paloaltonetworks.com/t5/general-topics/using-custom-url-categories/m-p/253303#M71947 JackField 2019-03-12T10:11:36Z