Figured I'd share this here as I already have on another platform. Been using PanOS for ~8 years and came across something with URL filtering and wildcards. URL filters with wildcards will match on the front, and back of the URL(implicit), if you don't use the trailing /. What this means is *.microsoft.com doesn't just match www.microsoft.com, but also www.microsoft.com.uk. BUT, it also matches www.microsoft.com.malware.com (tested in a lab environment - feel free to test in yours) - it doesn't stop at domain 'extensions' Note - this is by design and something in PanOS release notes back to 5.x (that I was able to dig up), so nothing to open a case with PA for a bug. Not a huge issue with block lists as you'll just be blocking more than you intend to, but for allow lists - could be a bit of a problem. Worth a review of your allow lists for sure, as custom categories will be processed before pandb classification. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/url-filtering/block-and-allow-lists.html Use to indicate one or more variable subdomains. If you use * , the entry will match any additional subdomains, whether at the beginning or the end of the URL. Use a forward slash at the end of the entry if you do not want to match any additional subdomains beyond that point. Ex: *.paloaltonetworks.com matches www.paloaltonetworks.com and www.paloaltonetworks.com.uk. *.paloaltonetworks.com/ matches www.paloaltonetworks.com but not www.paloaltonetworks.com.uk.
... View more