New Advanced URL Filtering/PANDB Category: Ransomware



Ransomware

Starting September 27, 2022, Palo Alto Networks will start publishing URLs into the newly introduced category “Ransomware”, available with content release version 8592 and above.

 

ACTION: Action will be required. Ransomware category action is set to “block” only for the default profile. If you have multiple URL Filtering Security profiles, you need to update the default action to BLOCK for each of these profiles.

 

How is Ransomware defined?

Palo Alto Networks defines Ransomware as websites known to host ransomware or malicious traffic involved in conducting ransomware campaigns that generally threaten to publish private data or keep access to specific data or systems blocked, usually by encrypting it, until the demanded ransom is paid.

 

Will the “Ransomware” category be visible across all PAN-OS versions?

Yes, the ransomware category will be visible across all PAN-OS releases. 

 

What is the recommended action for the “Ransomware” category?

As with the command-and-control (C2) and malware categories, ransomware poses a serious threat to users and businesses, so Palo Alto Networks recommends that customers keep the default action for this category set to “BLOCK”.

Note: The ransomware category action is set to “block” only for the default profile.  

 

ACTION: If you have multiple URL Filtering security profiles, you need to update the default action to “BLOCK” for each of these profiles. This applies to all versions of PAN-OS software.

 

When will the “Ransomware” category be Available?

The Ransomware category will be visible on the administrator management console from July 12th, 2022, but we will not use the category to classify web pages until September 27, 2022.

 

When will the “Ransomware” category be functional?

Starting September 27, 2022, Palo Alto Networks will start publishing URLs that are categorized as ransomware. Please ensure that your security policy rules are configured properly for this new category.  

 

What is the Palo Alto Networks test URL for Ransomware?

The test URL for ransomware is http://urlfiltering.paloaltonetworks.com/test-ransomware

 

Does this new category impact me?

Yes. The ransomware category action is only set to “block” for the default profile. If you have multiple URL Filtering security profiles, you need to update the default action to “BLOCK” for each of these profiles.
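As an added illustration of the ACTION items above (this is example code, not Palo Alto Networks' own tooling), the Python script below audits every URL Filtering profile in a configuration export for where the ransomware category currently sits and produces a corrected copy with the category moved into each profile's block list. It assumes the PAN-OS 9.x-style XML layout in which each url-filtering profile entry carries <allow>, <alert>, <block>, <continue> and <override> lists of <member> categories; the sample configuration and profile names are constructed for the example. A profile that does not list the category at all is reported as None and treated as needing the fix, since per the announcement only the default profile receives “block” automatically.

```python
"""Audit and remediate the 'ransomware' category across URL Filtering profiles.

Added example, not Palo Alto Networks code. Assumes the PAN-OS 9.x-style XML
layout (per-profile <allow>/<alert>/<block>/<continue>/<override> member lists).
On a live system the same XML fragment would be fetched with the XML API
(type=config&action=get) and written back with action=edit, then committed;
here a constructed sample stands in for the export.
"""
import xml.etree.ElementTree as ET

ACTION_LISTS = ("allow", "alert", "block", "continue", "override")
CATEGORY = "ransomware"

# Constructed sample: only 'default' already blocks ransomware; the other three
# profiles allow it, alert on it, or do not mention it at all.
SAMPLE_CONFIG = """
<url-filtering>
  <entry name="default">
    <block><member>command-and-control</member><member>malware</member><member>ransomware</member></block>
    <alert><member>unknown</member></alert>
  </entry>
  <entry name="guest-wifi">
    <allow><member>ransomware</member></allow>
    <block><member>malware</member></block>
  </entry>
  <entry name="branch-users">
    <alert><member>ransomware</member></alert>
    <block><member>command-and-control</member></block>
  </entry>
  <entry name="legacy-no-entry">
    <block><member>malware</member></block>
  </entry>
</url-filtering>
"""


def category_action(entry, category=CATEGORY):
    """Return the action list ('allow', 'block', ...) that names the category,
    or None when the profile does not list it anywhere."""
    for action in ACTION_LISTS:
        node = entry.find(action)
        if node is None:
            continue
        for member in node.findall("member"):
            if (member.text or "").strip() == category:
                return action
    return None


def audit(config_xml, category=CATEGORY):
    """Map each profile name to the action currently applied to the category."""
    root = ET.fromstring(config_xml)
    return {e.get("name"): category_action(e, category) for e in root.findall("entry")}


def remediate(config_xml, category=CATEGORY):
    """Return (corrected XML, list of profiles changed) with the category in
    <block> for every profile. Profiles already blocking it are left untouched."""
    root = ET.fromstring(config_xml)
    changed = []
    for entry in root.findall("entry"):
        current = category_action(entry, category)
        if current == "block":
            continue
        # Drop the member from whatever list holds it now (allow/alert/...)
        if current is not None:
            node = entry.find(current)
            for member in list(node.findall("member")):
                if (member.text or "").strip() == category:
                    node.remove(member)
        block = entry.find("block")
        if block is None:
            block = ET.SubElement(entry, "block")
        ET.SubElement(block, "member").text = category
        changed.append(entry.get("name"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for name, action in audit(SAMPLE_CONFIG).items():
        flag = "" if action == "block" else "  <-- needs BLOCK"
        print(f"{name:18s} {action}{flag}")
    fixed_xml, changed = remediate(SAMPLE_CONFIG)
    print("changed profiles:", changed)
```

Run it once against the audit output before pushing anything: the list of changed profiles is the set you would expect to see in the commit diff, and any profile reported as None is one the announcement's ACTION applies to even though nothing in its configuration mentions the category yet.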

 

Additional Information

For more information on best practices when managing URL Filtering categories, check out these resources:

URL Filtering Category Recommendations

Complete List of PAN-DB URL Filtering Categories

 

13 Comments
L0 Member

I've checked on my firewall for the new URL category, but I can't find it on the URL list; the update is installed.

L1 Bithead

Is this new category only available with the advance URL subscription?  

L2 Linker

Any update on the two questions above? Can't see the category either and would like to know if it's related to the Advanced URL subscription. We have that license but can't see it on Panorama to edit policies... some advice on this matter would be helpful! Thanks.

L2 Linker

Ahh, looks like I had to have the very latest signature... was running 8590-7462 before updating to 8592-7467 on Panorama, and I can see the category now in the URL filtering profile.

L0 Member

This morning the new category came out; I think it's related to the installation of version 7467 of the application content.

L2 Linker

What URL categories would these URLs have previously been categorised as?

Also, what URL categories will these URLs be categorised as without the Advanced URL Filtering licence?

L1 Bithead

This new URL category is available for Advanced and standard PAN-DB subscribers. That's good news! I thought it was only going to be available in the Advanced subscription.

L1 Bithead

Please, can PANW confirm for us whether this URL category will be applicable with the PAN-DB URL Filtering standard license?

L0 Member

Why did Palo Alto release this update on PAN-OS and set it to "Allow" instead of "Block" by default? Can you make changes in your next update to set it to "Block" so we don't have to manually update our URL filtering? I hope Palo Alto will address this concern. Thank you!

L3 Networker

As I had the same concern and I always like to be prepared, please check this helper tool to avoid manual changes, specifically if you have a huge Panorama configuration file with a big number of url-filtering Security Profiles:

https://github.com/PaloAltoNetworks/pan-os-php

pan-os-php type=securityprofile in=api://MGMT-IP location=any securityProfileType=url-filtering 'filter=(allow has ransomware)' actions=url-filtering-action-set:block,ransomware

My recommendation is use PAN-OS-PHP Docker Container:
https://github.com/PaloAltoNetworks/pan-os-php/blob/main/READMEdocker.md#deploy-pan-os-php-with-dock...

L2 Linker

Ransomware category is included with both PANDB and Adv URL filtering license. 

L0 Member

I was curious on opinions about how to test this new category for false positives. Is everyone just setting it to block in their labs and then running it against critical domains?

 

Also, is this category going to be mostly populated with URLs that are shifted over from existing categories - like malware?

 

Thanks.

L1 Bithead

@tcervellione I wouldn't worry about false positives. These can be managed far easier than actual ransomware attacks. 😉
