New URL Filtering Categories: Grayware and Cryptocurrency

Showing results for 
Search instead for 
Did you mean: 
L3 Networker

Edit:  Dec 10, 2019 @ 1:28PM PT - added test URLs for grayware and cryptocurrency

Edit:  Jan 28, 2020 @ 2:45PM PT - added dates to begin publishing Cryptocurrency and grayware.


Beginning with content release version 8206, we added two new URL Filtering categories:  “Grayware” and “Cryptocurrency.”


ACTION:  Administrators should immediately set their grayware category to BLOCK due to the obtrusive behavior from these websites. Palo Alto Networks recommends that you also subscribe to this FAQ for updates as they become available.



How is Grayware defined?

Palo Alto Networks defines Grayware as websites that do not pose a direct security threat but that display other obtrusive behavior and tempt the end user to grant remote access or perform other unauthorized actions. Grayware typically includes scams, adware, and other unwanted or unsolicited applications, such as embedded crypto miners or hijackers that change the elements of the browser (such as the default landing page, search engines, or installing an extension for tracking purposes).


What happens if I don’t change Grayware to BLOCK as the action?

If you do not change the default action of the grayware category to block, your network will allow all attempted connections to grayware-related URLs to succeed and your users will have access to these websites.


Why is Grayware not set to block by default?

The ability  to set the default action for the default profile to BLOCK is available only in PAN-OS 8.0.2 and later releases. Only customers running PAN-OS 8.0.2 or a later release will automatically have their default action set to BLOCK and only in the default profile. This functionality is not available in earlier releases of PAN-OS software. 

NOTE:  for PAN-OS 8.0.2 and later releases, you should check to ensure that the action is properly updated to BLOCK within your default profile.


If you have multiple URL Filtering Security profiles, you need to update the default action to BLOCK for each of these profiles. This applies to all versions of PAN-OS software.



How is Cryptocurrency defined?

Palo Alto Networks defines the Cryptocurrency category as websites that promote crypto currencies, crypto mining websites (but not embedded crypto miners), crypto currency exchanges and vendors, and websites that manage crypto currency wallets and ledgers.

This category does not include traditional financial services websites that reference crypto currencies, websites that explain and describe how crypto currencies and block chains work, or websites that contain embedded crypto currency miners (grayware).


What is the recommended action for the Cryptocurrency category?

By default, the Cryptocurrency action is set to “alert” only for the default profile. If you have multiple URL Filtering Security profiles, you need to update the default action to “alert” for each of these profiles if you want consistent alerting across all profiles.  This applies to all versions of PAN-OS software.


Please consult your legal and privacy teams if you choose to allow and decrypt this category to account for any Personally Identifiable Information (PII).


Implementation Schedule

When will the Grayware and Cryptocurrency categories be available?

The Grayware and Cryptocurrency categories will be visible on the administrator management console but we will not use these categories to classify web pages until January 2020. During this time, you are able to update your policy action for these new categories. After Palo Alto Networks begins to label existing and new URLs using these two new categories, all Grayware and Cryptocurrency URLs will be classified as such and your configured policy actions will be enforced on the firewall accordingly.  


When will Palo Alto Networks start to use the Grayware and Cryptocurrency categories?

The use of Grayware and Cryptocurrency categories is scheduled to begin in mid-January 2020. This blog will be updated when both categories are fully functional.


Starting February 3, 2020, Palo Alto Networks will start publishing URLs that are categorized as grayware and cryptocurrency.  Please ensure that your Security policy rules are configured properly for these two new categories.  


What are the Palo Alto Networks test URLs for Grayware and Cryptocurrency?

The test URL for grayware is:

The test URL for cryptocurrency is:



L2 Linker



Would it be possible to get some information on how sites in the upcoming Cryptocurrency category are being categorized presently?  


Thank you,

- Steve

Community Team Member

@stevenkadish , I wish that I could provide exact details about how URL Categories are determined.. but that is a little like revealing the KFC Secret Recipe.  OK.. maybe not like that.. but if you are interested in what our URL Categorization will be like for a certain URL, you can test it your self here:


As far as the complete list of other URL Categories.. you can find them here:

Keep in mind until those NEW categories (as documented above) become active, we will not list those categories on this list.


Community Team Member

OH, and if you had any issue with what URL category a certain URL was given, you can always request a re categorization.. on that same "test a site" above, there is a Request Change link to make the request.

You also have an option to do this same thing inside of the Palo Alto Networks WebGUI Dashboard when looking at the URL Category of any URLs.

When are these new categories be available in Panorama? I was able to see them in the firewall but not in Panorama.


Thank you.

Community Team Member

From what we have been told: 

"When will the Grayware and Cryptocurrency categories be available?

The Grayware and Cryptocurrency categories will be visible on the administrator management console but we will not use these categories to classify web pages until January 2020. "


These should show up in Panorama just like in the Firewall inside of the Dynamic Updates. 

I would wait a week and see if they show up in Panorama..  But they should show up soon.  

L3 Networker

@stevenkadish current cryptocurrency related sites are categorized as Financial Services.  


@guillermogarciaperez You should see these in Panorama now.  The content update would have applied to Panorama as well.  We just took a look and our test Panorama has the new categories.  Can you verify your Panorama has received the content update package (#8206)?  



L0 Member



Do you know if the option of blocking grayware files is in the pipeline? Right now, it is only possible to log it

L3 Networker

@jesperc Blocking of grayware files via URL Filtering is not available as we're only able to categorize URLs.  If the URL is for downloading a grayware file, then we would categorize that as such.  And if you have your policy to block grayware, then the user would never get to the site to download the file.  


If you have WildFire, you can set it to block grayware files.  



L0 Member

@neg273 I should have been clearer as the question wasn’t related to URL filtering. We have Wildfire and I can see grayware flowing through without the option of blocking it in the firewall. So, my question was related to this feature being added. We will use the new URLs, so hopefully that will make the file block feature less relevant.


If this is already an option, can you tell me where I set it up or point me to the relevant documentation? I haven’t been able to find it.

L1 Bithead
Hello- Currently you cannot block files based upon greyware verdicts within PAN-OS; this can only be accomplished at the endpoint with Traps. HTH!
L0 Member

I added a new URL filter with Cryptocurrency and Grayware to blocked then I applied to a security Profile Group.


L0 Member

A Test page like this one  would be nice. Can PAN provide something?

L1 Bithead

Something like?


Appears it just needs to be updated with the new categories.

L0 Member

@Jeff-Behmthats it. Nice one. Thanks.

L3 Networker

@Jeff-Behm Correct!  I am working on having two new test URLs created for grayware and cryptocurrency.  As soon as I have those, I will update the FAQ and post a comment to notify everybody.  

L3 Networker

@Jeff-Behm Sorry about the delay, but here are the two new test URLs for grayware and cryptocurrency.



L0 Member

Sounds good @neg273 but have a look here the Category: Computer and Internet Info

Sounds not good.

L2 Linker



Both of the test pages are categorized as "computer-and-internet-info" as of URL DB 20191211.20247.



- Steve

L1 Bithead



In addition to Steve's note, the options for requesting re-categorization no longer includes the two categories. Is it possible Palo Alto Networks has discontinued the use of the new categories?

L3 Networker

@stevenkadish and @Moritz Sorry about that!  Having engineering look at it right now. 


@VAbrahamson We jumped the gun with the two new categories for re-categorization requests.  We removed it for the time being until we actually start publishing these two new categories.  Once we are live with these two new categories, you will see these as options for re-categorization requests.  Apologies for the confusion. 


L3 Networker

@stevenkadish and @Moritz I spoke to engineering about this.  Unfortunately, we cannot categorize these two test URLs into grayware and cryptocurrency until the system is live.  We are expected to go live in late January 2020.  Apologies for the confusion.

L0 Member

Do we have a date yet on when it is expected to go live?

L3 Networker

@sgoyal We are targeting late January for general availability.

L3 Networker

The test URLs have been published and categorized in PAN-DB:


You can now test your configured policies with the test URLs.  



-no other URLs will be published as cryptocurrency and grayware until we go live.  

-ETA to go live is late January 2020

-Grayware categorization is displaying "low risk" as well.  We are aware of this bug.  Much like malware, c2, and phishing, grayware will have no risk associated with it.


L3 Networker


Just a quick update.  The go live date for publishing content categorized with grayyware and cyrptocurrency now has an ETA of early February 2020.  Once the date has been solidified we update the "content release notes."



I've tested: and I still get computer-and-internet-info. Is it live?

L1 Bithead



Are you doing SSL decryption?


If not, it may not be keying off the entire URL and only using the "hostname" portion ( to make the categorization decision.


Perhaps it's seeing the cert exchange and pulling the hostname from there, if you aren't decrypting.

You got it right, thanks for your help.

Register or Sign-in