Beginning with content release version 8206, we added two new URL Filtering categories: “Grayware” and “Cryptocurrency.”
ACTION: Administrators should immediately set their grayware category to BLOCK due to the obtrusive behavior from these websites. Palo Alto Networks recommends that you also subscribe to this FAQ for updates as they become available.
How is Grayware defined?
Palo Alto Networks defines Grayware as websites that do not pose a direct security threat but that display other obtrusive behavior and tempt the end user to grant remote access or perform other unauthorized actions. Grayware typically includes scams, adware, and other unwanted or unsolicited applications, such as embedded crypto miners or hijackers that change the elements of the browser (such as the default landing page, search engines, or installing an extension for tracking purposes).
What happens if I don’t change Grayware to BLOCK as the action?
If you do not change the default action of the grayware category to block, your network will allow all attempted connections to grayware-related URLs to succeed and your users will have access to these websites.
Why is Grayware not set to block by default?
The ability to set the default action for the default profile to BLOCK is available only in PAN-OS 8.0.2 and later releases. Only customers running PAN-OS 8.0.2 or a later release will automatically have their default action set to BLOCK and only in the default profile. This functionality is not available in earlier releases of PAN-OS software.
NOTE: For PAN-OS 8.0.2 and later releases, you should check to ensure that the action is properly updated to BLOCK within your default profile.
If you have multiple URL Filtering Security profiles, you need to update the default action to BLOCK for each of these profiles. This applies to all versions of PAN-OS software.
How is Cryptocurrency defined?
Palo Alto Networks defines the Cryptocurrency category as websites that promote cryptocurrencies, crypto mining websites (but not embedded crypto miners), cryptocurrency exchanges and vendors, and websites that manage cryptocurrency wallets and ledgers.
This category does not include traditional financial services websites that reference cryptocurrencies, websites that explain and describe how cryptocurrencies and blockchains work, or websites that contain embedded cryptocurrency miners (grayware).
What is the recommended action for the Cryptocurrency category?
By default, the Cryptocurrency action is set to “alert” only for the default profile. If you have multiple URL Filtering Security profiles, you need to update the default action to “alert” for each of these profiles if you want consistent alerting across all profiles. This applies to all versions of PAN-OS software.
Please consult your legal and privacy teams if you choose to allow and decrypt this category to account for any Personally Identifiable Information (PII).
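The per-profile checks described above for Grayware (BLOCK) and Cryptocurrency (alert) can be run against an exported configuration. The following is an added example, not Palo Alto Networks code: the profile names and sample XML are constructed, and the layout (one `<entry>` per profile under `<url-filtering>`, with a child element per action listing `<member>` categories) is an assumption to verify against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Assumed layout: each profile is an
# <entry> under <url-filtering>; each action element lists <member> categories.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<profiles><url-filtering>
  <entry name="default">
    <block><member>malware</member><member>grayware</member></block>
    <alert><member>cryptocurrency</member></alert>
  </entry>
  <entry name="guest-wifi">
    <block><member>malware</member></block>
    <alert><member>grayware</member></alert>
  </entry>
  <entry name="servers">
    <block><member>grayware</member></block>
    <allow><member>cryptocurrency</member></allow>
  </entry>
</url-filtering></profiles>
</entry></vsys></entry></devices></config>
"""

# Actions this FAQ recommends for the two new categories.
RECOMMENDED = {"grayware": "block", "cryptocurrency": "alert"}
ACTIONS = ("block", "alert", "allow", "continue", "override")

def category_action(profile, category):
    """Return the action whose member list names the category, else None."""
    for action in ACTIONS:
        members = [m.text for m in profile.findall(f"{action}/member")]
        if category in members:
            return action
    return None  # category is not listed in this profile at all

def audit_profiles(xml_text):
    """Return (profile, category, configured, recommended) for each mismatch."""
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.findall(".//url-filtering/entry"):
        for category, wanted in RECOMMENDED.items():
            found = category_action(entry, category)
            if found != wanted:
                findings.append((entry.get("name"), category, found, wanted))
    return findings

if __name__ == "__main__":
    for name, category, found, wanted in audit_profiles(SAMPLE_CONFIG):
        print(f"{name}: {category} is {found or 'not listed'}, recommended {wanted}")
```

A category reported as "not listed" means the profile never had its action set, which is the case the FAQ warns about for profiles other than the default one.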
When will the Grayware and Cryptocurrency categories be available?
The Grayware and Cryptocurrency categories will be visible on the administrator management console but we will not use these categories to classify web pages until January 2020. During this time, you are able to update your policy action for these new categories. After Palo Alto Networks begins to label existing and new URLs using these two new categories, all Grayware and Cryptocurrency URLs will be classified as such and your configured policy actions will be enforced on the firewall accordingly.
When will Palo Alto Networks start to use the Grayware and Cryptocurrency categories?
The use of Grayware and Cryptocurrency categories is scheduled to begin in mid-January 2020. This blog will be updated when both categories are fully functional.