
Hello @A.FelixMarquesLobato 

Thanks for the queries.

The short answer is no, the entry li^.paloaltonetworks.com will not match live.paloaltonetworks.com in a custom URL category.

Palo Alto Networks custom URL categories do not support regular expressions. When using wildcards like * (asterisk) or ^ (caret) in custom URL category entries, the wildcard character must be the only character within a token.

For example, example*.com is an invalid entry because example and the asterisk (*) are in the same token (asterisk and the URL domain/subdomain together: example*.com). Similarly, li^.paloaltonetworks.com is an invalid wildcard entry because li and ^ are part of the same token (caret and the URL domain/subdomain together: li^.paloaltonetworks.com).

The ^ wildcard is used to indicate exactly one variable subdomain. An entry like ^.paloaltonetworks.com would match live.paloaltonetworks.com because live represents a single subdomain. However, the specific entry li^.paloaltonetworks.com is not a valid wildcard pattern due to the placement of the caret within a token.

Best practices and differences between the asterisk (*) and the caret (^) for custom URL categories and EDLs:

- Asterisks (*) match a greater range of URLs than carets (^) because an asterisk matches any number of consecutive tokens, while a caret matches exactly one token.

Examples of asterisk and caret URL matching:

- *.domain.com matches docs.domain.com and abc.xyz.domain.com
- ^.domain.com matches docs.domain.com and blog.domain.com, but not abc.xyz.domain.com (because it has two subdomains on the left side, not just the one that the caret represents) and not domain.com (because it lacks a subdomain on the left side)

- A caret (^) cannot be used after a trailing slash (e.g., example.com/^ is invalid).

- Avoid creating entries with consecutive asterisks (**) or more than nine consecutive carets (^^^^^^^^^^) as these can severely affect firewall performance.

- In PAN-OS 9.1 and above, both * and ^ operators can be used simultaneously as wildcards within the same URL configuration.

- By default, the firewall automatically appends a trailing slash (/) to domain entries that do not end in a trailing slash or asterisk. This prevents the firewall from assuming an implicit asterisk at the end, which could inadvertently match more URLs than intended.

- List entries are case-insensitive. Omit http:// and https:// from URL entries. Each URL entry can be up to 255 characters in length.


Thank you for your time, and I hope this information is helpful in your daily cybersecurity work. I would greatly appreciate your support by liking or accepting this as a useful answer; it would help me a lot!


Daniel Romero
Senior Network/Security Engineer
PANW Partner
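To make the token rules in the answer above concrete, here is an added Python model of them (example code, not Palo Alto Networks' implementation and not part of the original post): an entry validator that rejects wildcards sharing a token with other characters, and a token-wise hostname matcher where * spans consecutive tokens and ^ spans exactly one. It assumes tokens are separated by dots and slashes, only matches the hostname part of an entry, and treats "any number of tokens" for * as zero or more (an assumption; the post does not state whether *.domain.com matches the bare domain).

```python
import re

WILDCARDS = {"*", "^"}


def validate_entry(entry):
    """Check a custom URL category entry against the rules in the answer.
    Returns (ok, reason). Rules modelled: max 255 chars, no scheme prefix,
    no caret after a slash, and a wildcard must be the only character in its token."""
    if len(entry) > 255:
        return False, "entry longer than 255 characters"
    if entry.lower().startswith(("http://", "https://")):
        return False, "omit http:// and https:// from the entry"
    if "/^" in entry:
        return False, "caret cannot be used after a slash (e.g. example.com/^)"
    for tok in re.split(r"[./]", entry):        # tokens are delimited by '.' and '/'
        if tok in WILDCARDS:
            continue
        if "*" in tok or "^" in tok:
            return False, "wildcard must be the only character in its token: %r" % tok
    return True, "ok"


def host_matches(pattern, host):
    """Token-wise match of a hostname pattern: '*' = any number of consecutive
    tokens (assumed zero or more), '^' = exactly one token, anything else literal.
    Matching is case-insensitive, as list entries are."""
    def rec(p, h):
        if not p:
            return not h                       # pattern exhausted: host must be too
        if p[0] == "*":
            # try consuming 0..len(h) host tokens with the asterisk
            return any(rec(p[1:], h[i:]) for i in range(len(h) + 1))
        if not h:
            return False                       # '^' or a literal needs a token to consume
        if p[0] == "^" or p[0] == h[0]:
            return rec(p[1:], h[1:])
        return False
    return rec(pattern.lower().split("."), host.lower().split("."))


def entry_matches(entry, host):
    """Validate the entry first; an invalid entry (e.g. li^.paloaltonetworks.com)
    never matches. Only the hostname part before the first '/' is compared."""
    ok, _reason = validate_entry(entry)
    if not ok:
        return False
    return host_matches(entry.split("/", 1)[0], host)
```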
