Doubt about Custom URL category

Hi everyone,

I have a doubt about Custom URL category. Does the entry li^.paloaltonetworks.com match live.paloaltonetworks.com?

Accepted Solutions

L2 Linker

Hello @A.FelixMarquesLobato 

Thanks for the queries,

The short answer is no, the entry li^.paloaltonetworks.com will not match live.paloaltonetworks.com in a custom URL category.

Palo Alto Networks custom URL categories do not support regular expressions. When using wildcards like * (asterisk) or ^ (caret) in custom URL category entries, the wildcard character must be the only character within a token.

For example, example*.com is an invalid entry because example and the asterisk * are in the same token (asterisk and the URL domain/subdomain together: example*.com). Similarly, li^.paloaltonetworks.com is an invalid wildcard entry because li and ^ are part of the same token (caret and the URL domain/subdomain together: li^.paloaltonetworks.com).

The ^ wildcard is used to indicate exactly one variable subdomain. For an entry like ^.paloaltonetworks.com, it would match live.paloaltonetworks.com because live represents a single subdomain. However, the specific entry li^.paloaltonetworks.com is not a valid wildcard pattern due to the placement of the caret within a token.

Best practices and differences between asterisk (*) and caret (^) for custom URL categories and EDLs:

- Asterisks (*) match a greater range of URLs than carets (^) because an asterisk matches any number of consecutive tokens, while a caret matches exactly one token.

Examples of asterisk and caret URL matching:

- *.domain.com matches docs.domain.com and abc.xyz.domain.com
- ^.domain.com matches docs.domain.com and blog.domain.com, but not abc.xyz.domain.com (because it has two subdomains on the left side, not just the one that the caret represents) or domain.com (because it lacks a subdomain on the left side)

- A caret (^) cannot be used after a trailing slash (e.g., example.com/^ is invalid).

- Avoid creating entries with consecutive asterisks (**) or more than nine consecutive carets (^^^^^^^^^^) as these can severely affect firewall performance.

- In PAN-OS 9.1 and above, both * and ^ operators can be used simultaneously as wildcards within the same URL configuration.

- By default, the firewall automatically appends a trailing slash (/) to domain entries that do not end in a trailing slash or asterisk. This prevents the firewall from assuming an implicit asterisk at the end, which could inadvertently match more URLs than intended.

- List entries are case-insensitive. Omit http:// and https:// from URL entries. Each URL entry can be up to 255 characters in length.


Thank you for your time, and I hope this information is helpful in your daily cybersecurity work. I would greatly appreciate your support by liking or accepting this as a useful answer; it would help me a lot!


Daniel Romero
Senior Network/Security Engineer
PANW Partner
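To make the token rules in the accepted answer concrete, here is a small Python model of them. It is an added illustration written for this page, not code from the original thread and not Palo Alto Networks code; the firewall's real matcher is not public and may differ in details the answer does not cover. Everything it encodes comes from the answer above (wildcard must be the only character in its token, ^ matches exactly one token, * matches any number of tokens, no caret after a slash, trailing slash appended, case-insensitive, scheme omitted, 255-character limit). Four points are assumptions of this model and are marked as such in the code: `*` is treated as zero or more tokens, an entry's path is treated as a prefix of the URL's path, the performance warning about consecutive wildcards is read as applying to runs of wildcard tokens (`*.*`, ten or more `^.` in a row), and `.` and `/` are the only token separators.

```python
"""Toy model of the wildcard rules for PAN-OS custom URL category entries as
described in the forum answer.  Constructed for illustration only: not Palo
Alto Networks code, and the firewall's real matcher may differ in details the
answer does not cover."""
import re
from typing import List, Optional, Tuple

MAX_ENTRY_LEN = 255     # from the answer: entries are at most 255 characters
MAX_CARET_RUN = 9       # from the answer: more than nine consecutive carets is discouraged
_SCHEME = re.compile(r"^https?://", re.IGNORECASE)


def normalize(entry: str) -> str:
    """Lower-case the entry and append the trailing slash the firewall adds when
    an entry ends in neither '/' nor '*' (this is what prevents an implicit
    asterisk: 'domain.com' must not also cover 'domain.com.au')."""
    entry = entry.strip().lower()
    if not entry.endswith(("/", "*")):
        entry += "/"
    return entry


def _split(s: str) -> Tuple[List[str], List[str]]:
    """Split 'host/path' into host tokens (on '.') and path tokens (on '/').
    Assumption: '.' and '/' are the only separators."""
    host, _, path = s.partition("/")
    return [t for t in host.split(".") if t], [t for t in path.split("/") if t]


def validate(entry: str) -> Optional[str]:
    """Return None if the entry is syntactically valid, else the reason it is not."""
    if len(entry) > MAX_ENTRY_LEN:
        return "entry longer than %d characters" % MAX_ENTRY_LEN
    if _SCHEME.match(entry):
        return "omit http:// and https:// from entries"
    if "/^" in entry:
        return "caret is not allowed after a slash"
    host, path = _split(normalize(entry))
    for tok in host + path:
        # A wildcard must be the only character within its token.
        if ("*" in tok or "^" in tok) and tok not in ("*", "^"):
            return "wildcard must be the only character in its token: %r" % tok
    return None


def performance_warnings(entry: str) -> List[str]:
    """Flag patterns the answer says hurt firewall performance.  Assumption: the
    warning is read as applying to runs of consecutive wildcard *tokens*, since
    a single token such as '**' is already rejected by validate()."""
    host, path = _split(normalize(entry))
    warnings: List[str] = []
    run_star = run_caret = 0
    for tok in host + path:
        run_star = run_star + 1 if tok == "*" else 0
        run_caret = run_caret + 1 if tok == "^" else 0
        if run_star == 2:
            warnings.append("consecutive asterisks")
        if run_caret == MAX_CARET_RUN + 1:
            warnings.append("more than nine consecutive carets")
    return warnings


def _tokens_match(pattern: List[str], tokens: List[str]) -> bool:
    """Backtracking token matcher.  '^' consumes exactly one token; '*' consumes
    any number of tokens (assumption: zero or more, since the answer says 'any
    number').  Literal tokens must match exactly."""
    if not pattern:
        return not tokens
    head, rest = pattern[0], pattern[1:]
    if head == "*":
        return any(_tokens_match(rest, tokens[i:]) for i in range(len(tokens) + 1))
    if head == "^":
        return bool(tokens) and _tokens_match(rest, tokens[1:])
    return bool(tokens) and tokens[0] == head and _tokens_match(rest, tokens[1:])


def matches(entry: str, url: str) -> bool:
    """Does a category entry match the URL?  Invalid entries match nothing.
    Matching is case-insensitive and the URL's scheme is ignored.  Assumption:
    the entry's path tokens are treated as a prefix of the URL's path, so
    'domain.com/' covers every path on that host."""
    if validate(entry) is not None:
        return False
    p_host, p_path = _split(normalize(entry))
    u_host, u_path = _split(_SCHEME.sub("", url.strip().lower()))
    return _tokens_match(p_host, u_host) and _tokens_match(p_path + ["*"], u_path)


if __name__ == "__main__":
    # The question from the thread, plus the answer's own examples.
    for e, u in [("li^.paloaltonetworks.com", "live.paloaltonetworks.com"),
                 ("^.paloaltonetworks.com", "live.paloaltonetworks.com"),
                 ("*.domain.com", "abc.xyz.domain.com"),
                 ("^.domain.com", "abc.xyz.domain.com"),
                 ("^.domain.com", "domain.com"),
                 ("domain.com", "domain.com.au")]:
        print("%-28s %-28s valid=%-5s match=%s" % (e, u, validate(e) is None, matches(e, u)))
```

Running the block shows the thread's own case: li^.paloaltonetworks.com is rejected by `validate()` (caret shares a token with "li"), so it matches nothing, while ^.paloaltonetworks.com matches live.paloaltonetworks.com. The last line illustrates why the appended trailing slash matters: without it, domain.com would behave like domain.com* and also cover domain.com.au.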
