https://live.paloaltonetworks.com/t5/general-topics/url-filtering/m-p/435467#M96078 <P>thanks</P> Tue, 21 Sep 2021 10:29:51 GMT KashifSh 2021-09-21T10:29:51Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering/m-p/432788#M95788 <P>When user asks for providing full access what categories needed to b allowed &amp; Blocked in URL filtering ?</P> Thu, 09 Sep 2021 11:47:12 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering/m-p/432788#M95788 KashifSh 2021-09-09T11:47:12Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering/m-p/432844#M95797 <P>Our best practices guide is <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/url-filtering/url-filtering-best-practices.html" target="_self">here</A>. At a minimum, all categories should be set to "alert."</P><P>&nbsp;</P><P>For malware, grayware, high-risk, extremism, phishing most customers always set to block.</P><P>&nbsp;</P><P>For newly-registered, medium risk, parked, not-resolvable, proxy-avoidance many of my customers set that to "continue," which gives the user a popup on their browser asking if they are sure they want to go there.</P><P>&nbsp;</P><P>In general, "full access" shouldn't ever be the mindset of protecting a network. You should identify acceptable risk, many of the categories have no use in enterprise capacity. Block as much as you can, put continue on the ones you frown on, alert for all the ones that you know to be good.&nbsp;</P><P>&nbsp;</P><P>For a detailed report, contact your account team about scheduling a BPA.&nbsp;</P> Thu, 09 Sep 2021 16:16:08 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering/m-p/432844#M95797 LAYER_8 2021-09-09T16:16:08Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering/m-p/432990#M95815 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190637">@KashifSh</a>,</P><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/160615">@LAYER_8</a>&nbsp;did a great job answering your question with the little information present. If that didn't answer your question or you have any additional questions, it's always best to be as descriptive as possible. Your question doesn't really go into what you are actually looking to do, which would go a long way in properly answering it.&nbsp;</P><P>If a user truly&nbsp;<EM>needed&nbsp;</EM>full access then you would just have every single category set to 'alert', and therefore they would be able to access anything they needed, and while logs would record where they are going, url-filtering would never prevent them from getting to a resource. As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/160615">@LAYER_8</a>&nbsp;rightfully pointed out that isn't a great option, and I would generally respond by asking the user what they were attempting to access that was blocked. It's possible they simply got blocked from access a resource that was mis-categorized, but that isn't a reason to lower your security posture. You'd just submit a categorization change request to have it placed in the proper category.&nbsp;</P> Fri, 10 Sep 2021 03:41:22 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering/m-p/432990#M95815 BPry 2021-09-10T03:41:22Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering/m-p/435466#M96077 <P>THANKS</P> Tue, 21 Sep 2021 10:28:53 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering/m-p/435466#M96077 KashifSh 2021-09-21T10:28:53Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering/m-p/435467#M96078 <P>thanks</P> Tue, 21 Sep 2021 10:29:51 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering/m-p/435467#M96078 KashifSh 2021-09-21T10:29:51Z