URL Filtering Categorisation Justification

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

URL Filtering Categorisation Justification

L2 Linker

Hi!

 

We're running URL filtering on our PanOS campus firewalls and I very often get asked to add domains to our 'allow list' - almost always because they're newly registered domains. On occasions we've had sites requested that fit into more serious categories - the latest being 'grayware'. These are very often personal web sites used for teaching and not intended to be malicious in any way. 

 

It would be very helpful if the reasons for categorisation could be made available - for example the website owner of the 'grayware' site above is quite willing to fix any issues with their site but doesn't know what's wrong with it. 

4 REPLIES 4

L2 Linker

You can log a ticket with TAC and ask for justification and possibly request for recategorization. Unfortunately, these process are like a black box for customers since it is all managed by Palo backend teams (like Unit42)

Cyber Elite
Cyber Elite

You might consider changing "newly registered domains" action from "block" to "continue" to allow site access if user action is involved.

 

For incorrectly categorized domain ask users to request recategorization at https://urlfiltering.paloaltonetworks.com/

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi!

 

Thanks for the suggestion although that would seem to reduce security somewhat. Although it would be handy to be able to 'tweak' the countdown from 32 days to 7 days.

 

We actually have an improved method for dealing with newly-registered-domains - we have a database driven EDL adapted from our existing IP block/allow lists. The question is really more about other riskier categories - where we're not willing to add to the allowlist without additional information.

Cyber Elite
Cyber Elite

Main issue with newly-registered-domains is malware that generates domain names using algorithm and then connects to them behind user's back.


Having continue page will block this kind of malware calling home. In case of users continue page can warn them that it is possible security risk etc.

Also you can run reports against URL log where users bypassed this page.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 2666 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!