Understanding URL Filtering Order / URL Filtering Precedence

I was searching high and low for URL Filtering Order / URL Filtering Precedence when trying to understand how to override an incorrect URL learned from an External Dynamic List. It took the help of our Designated Engineer to get a full and complete answer. I thought I would share the info here so others may benefit as well.

This is based off of the following:

• URL FILTERING ORDER: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC
• PANOS 8.0 Documentation: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/url-filtering/url-filtering-concepts...
• Comments from our Designated Engineer on case 01012895.

Starting with the different sources of URL Filtering Data, the precendence is from the top down - First Match Wins:

1. Block list
   • Manually entered blocked URLs
   • Objects -> Security Profiles -> URL Filtering -> <URL Filtering Object> -> Overrides -> Block List
2. Allow list
   • Manually entered allowed URLs
   • Objects -> Security Profiles -> URL Filtering -> <URL Filtering Object> -> Overrides -> Allow List
3. Custom Categories
   • User-defined Custom URL Categories 
   • Objects -> Custom Objects -> URL Category -> <URL Category Object>
4. Cached
   • Cached = URLs learned from External Dynamic Lists (EDLs) 
   • Objects -> External Dynamic Lists -> Dynamic URL Lists -> <Dynamic URL List Object>
5. Pre-Defined Categories
   • PAN-DB or Brightcloud "canned" / "out of the box" categories.
   • Objects -> Security Profiles -> URL Filtering -> <URL Filtering Object> -> Categories

So, what happens when we get two or more valid answers, all at the same level of precendence? No problem - We have a list for that too! The list below includes the actions and a short explanation of the action from the PANOS 8.0 documentation. Just as before, precedence is from the top down - First Match Wins:

1. Block
   • The website is blocked and the user will see a response page and will not be able to continue to the website. A log entry is generated in the URL filtering log.
2. Override
   • The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security admin or helpdesk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL filtering log.
3. Continue
   • The user will be prompted with a response page indicating that the site has been blocked due to company policy, but the user is prompted with the option to continue to the website. The continue action is typically used for categories that are considered benign and is used to improve the user experience by giving them the option to continue if they feel the site is incorrectly categorized. The response page message can be customized to contain details specific to your company. A log entry is generated in the URL filtering log.
4. Alert
   • The website is allowed and a log entry is generated in the URL filtering log.
5. Allow
   • The website is allowed and no log entry is generated.

Thats it - hope this is useful!