Understanding URL Filtering Order / URL Filtering Precedence


L2 Linker

I was searching high and low for URL Filtering Order / URL Filtering Precedence when trying to understand how to override an incorrect URL learned from an External Dynamic List. It took the help of our Designated Engineer to get a full and complete answer. I thought I would share the info here so others may benefit as well.

 

This is based off of the following:

 

 

Starting with the different sources of URL Filtering Data, the precedence is from the top down - First Match Wins:

 

  1. Block list
    • Manually entered blocked URLs
    • Objects -> Security Profiles -> URL Filtering -> <URL Filtering Object> -> Overrides -> Block List
  2. Allow list
    • Manually entered allowed URLs
    • Objects -> Security Profiles -> URL Filtering -> <URL Filtering Object> -> Overrides -> Allow List
  3. Custom Categories
    • User-defined Custom URL Categories 
    • Objects -> Custom Objects -> URL Category -> <URL Category Object>
  4. Cached
    • Cached = URLs learned from External Dynamic Lists (EDLs) 
    • Objects -> External Dynamic Lists -> Dynamic URL Lists -> <Dynamic URL List Object>
  5. Pre-Defined Categories
    • PAN-DB or Brightcloud "canned" / "out of the box" categories.
    • Objects -> Security Profiles -> URL Filtering -> <URL Filtering Object> -> Categories

 

 

So, what happens when we get two or more valid answers, all at the same level of precedence? No problem - We have a list for that too! The list below includes the actions and a short explanation of the action from the PANOS 8.0 documentation. Just as before, precedence is from the top down - First Match Wins:

 

 

  1. Block
    • The website is blocked and the user will see a response page and will not be able to continue to the website. A log entry is generated in the URL filtering log.
  2. Override
    • The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security admin or helpdesk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL filtering log.
  3. Continue
    • The user will be prompted with a response page indicating that the site has been blocked due to company policy, but the user is prompted with the option to continue to the website. The continue action is typically used for categories that are considered benign and is used to improve the user experience by giving them the option to continue if they feel the site is incorrectly categorized. The response page message can be customized to contain details specific to your company. A log entry is generated in the URL filtering log.
  4. Alert
    • The website is allowed and a log entry is generated in the URL filtering log.
  5. Allow
    • The website is allowed and no log entry is generated.

 

That's it - hope this is useful!
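The two precedence lists in the post above can be modelled as a small resolver. This is an added example, not part of the original post and not Palo Alto Networks code; the hostnames, category names, the exact-hostname matching, and the fixed block/allow actions on the two override lists are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Source precedence from the post, top down: the first source with a match wins.
SOURCE_ORDER = ["block_list", "allow_list", "custom_category", "edl", "predefined"]
# Action precedence from the post, used when several matches tie at one source level.
ACTION_ORDER = ["block", "override", "continue", "alert", "allow"]

# Constructed sample profile: each source holds (name, hostnames, action) entries.
PROFILE = {
    "block_list": [("block-list", {"bad.example"}, "block")],
    "allow_list": [("allow-list", {"bad.example", "intranet.example"}, "allow")],
    "custom_category": [
        # Exception for a host the EDL feed lists incorrectly.
        ("edl-exceptions", {"portal.partner.example"}, "alert"),
        # Same host in two custom categories: a tie at one precedence level.
        ("social", {"forum.example"}, "continue"),
        ("research", {"forum.example"}, "alert"),
    ],
    "edl": [("vendor-feed", {"portal.partner.example", "malware.example"}, "block")],
    "predefined": [("business-and-economy", {"portal.partner.example"}, "allow")],
}


def resolve(url, profile):
    """Return (source, category, action) for url, or None if nothing matches."""
    # Accept both full URLs and bare host/path strings.
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    for source in SOURCE_ORDER:
        hits = [(name, action)
                for name, hosts, action in profile.get(source, [])
                if host in hosts]  # assumption: exact hostname match only
        if hits:
            # Tie inside one source level: the strictest action wins.
            name, action = min(hits, key=lambda h: ACTION_ORDER.index(h[1]))
            return source, name, action
    return None


if __name__ == "__main__":
    for u in ("https://portal.partner.example/login", "malware.example",
              "http://bad.example/", "forum.example/thread", "unknown.example"):
        print(u, "->", resolve(u, PROFILE))
```

The first sample URL shows the case that prompted the post: the custom category outranks the EDL entry, so the incorrect block from the feed no longer applies, and the alert action keeps the hit in the URL filtering log.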

1 REPLY 1

Cyber Elite

@jjhernandez,

Should have asked here first, we've given answers about this a few different times 😉
