URL Filtering & Content Inspection
URL Filtering Overview
URL filtering controls web access by categorizing URLs and applying policy based on those categories. Rather than blocking or allowing individual URLs (which is unmanageable at scale), you manage access by category — blocking gambling sites for all users, allowing business-systems for all users, and perhaps requiring users to click through a warning page (the continue action) for social-media.
PAN-OS uses PAN-DB, a cloud-hosted URL database maintained by Palo Alto Networks. When a user navigates to a URL, the firewall checks PAN-DB for the URL category. If the category is already in the firewall's local cache, the lookup is answered immediately. Uncategorized or ambiguous URLs are submitted to the cloud for real-time classification.
URL Categories
PAN-OS includes 75+ pre-defined URL categories. Some key categories for security policy:
| Category | Risk Level | Typical Policy |
|---|---|---|
| malware | Critical | Block — known malware distribution sites |
| phishing | Critical | Block — known phishing pages |
| command-and-control | Critical | Block — known C2 infrastructure |
| gambling | High | Block for corporate environments |
| hacking | High | Block — tools and techniques for attacks |
| adult | High | Block in most workplaces |
| social-networking | Medium | Alert or block depending on policy |
| streaming-media | Medium | Alert — bandwidth consumption risk |
| business-and-economy | Low | Allow |
| unknown | Variable | Alert or block — uncategorized sites |
URL Filtering Actions
| Action | User Experience | Use Case |
|---|---|---|
| allow | Page loads normally | Explicitly permit a category |
| alert | Page loads but event is logged | Monitor without blocking; review logs |
| block | User sees block page | Prohibited categories |
| continue | User sees warning; can click through | Acceptable-use acknowledgment for gray areas |
| override | User must enter password to proceed | Temporary admin bypass for restricted categories |
Custom URL Categories
Custom URL categories let you create your own lists — either explicit whitelists or blacklists — for URLs that do not fall cleanly into PAN-DB categories or where you need to override the default category.
- Whitelist: add specific URLs to ensure they are always allowed regardless of their PAN-DB category
- Blacklist: add specific URLs to block even if PAN-DB categorizes them as safe
- Wildcards supported: *.example.com covers all subdomains
- Custom categories can be referenced in URL filtering profiles and in security policy rules (URL Category field)
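The resolution order described above (custom category first, PAN-DB second, then the profile's per-category action), as an added example that is not PAN-OS code. PAN-DB is simulated with a static dictionary, and every hostname, custom entry and action in the block is constructed for the demonstration; the one assumption beyond the page is that a bare `example.com` needs its own entry because `*.example.com` covers only subdomains.

```python
"""Added example (not PAN-OS code): resolving a URL to a category and a profile action.

PAN-DB is simulated with a static dictionary and all hostnames, categories and
actions below are constructed for the demonstration. The page's rules are
modelled directly: custom categories take precedence over the PAN-DB category,
and a *.example.com entry covers subdomains.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Simulated PAN-DB lookup table: hostname -> category (constructed data).
PAN_DB: Dict[str, str] = {
    "www.acme-erp.example": "business-and-economy",
    "casino.example": "gambling",
    "cdn.updates.example": "unknown",
    "share.filehost.example": "business-and-economy",
}

# Custom URL categories: name -> hostname entries (constructed). Entries in
# custom categories win over whatever PAN-DB says about the host.
CUSTOM_CATEGORIES: Dict[str, List[str]] = {
    "corp-whitelist": ["*.acme-erp.example", "cdn.updates.example"],
    "corp-blacklist": ["share.filehost.example"],
}

# URL filtering profile: category -> action (constructed; mirrors the page's tables).
PROFILE: Dict[str, str] = {
    "corp-whitelist": "allow",
    "corp-blacklist": "block",
    "malware": "block",
    "phishing": "block",
    "command-and-control": "block",
    "gambling": "block",
    "social-networking": "continue",
    "business-and-economy": "allow",
    "unknown": "alert",
}
DEFAULT_ACTION = "alert"   # assumed default for categories the profile does not list


def host_matches(entry: str, host: str) -> bool:
    """True if host is covered by a custom-category entry.

    '*.example.com' covers subdomains (a.example.com, b.c.example.com); the
    bare 'example.com' needs its own entry in this model (assumption).
    """
    if entry.startswith("*."):
        return host.endswith(entry[1:])   # entry[1:] is ".example.com", dot included
    return host == entry


def categorize(url: str) -> str:
    """Custom categories are consulted first; PAN-DB is the fallback."""
    host = (urlsplit(url).hostname or "").lower()
    for name, entries in CUSTOM_CATEGORIES.items():
        if any(host_matches(e, host) for e in entries):
            return name
    return PAN_DB.get(host, "unknown")


def evaluate(url: str) -> Tuple[str, str]:
    """Return (category, action) the profile would apply to this URL."""
    category = categorize(url)
    return category, PROFILE.get(category, DEFAULT_ACTION)


if __name__ == "__main__":
    for u in ["https://www.acme-erp.example/login",
              "https://cdn.updates.example/pkg.tar",
              "https://share.filehost.example/upload",
              "https://casino.example/",
              "https://acme-erp.example/"]:
        print(u, "->", evaluate(u))
```

Two details worth noticing when you run it: `cdn.updates.example` is `unknown` in the simulated PAN-DB but resolves to `allow` because the whitelist entry wins, and the wildcard suffix keeps its leading dot, so `notacme-erp.example` is not swept in by `*.acme-erp.example`.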
URL Filtering vs Security Policy URL Category
SSL/TLS Decryption
Without SSL decryption, all HTTPS traffic is a blind spot. The firewall can see the destination hostname (via TLS SNI and the certificate), but not the URL path, request body, response content, or payload. Malware delivered over HTTPS and data exfiltration over encrypted channels are invisible without decryption.
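To make the blind spot concrete, here is an added example (not PAN-OS code) that builds a minimal TLS ClientHello from constructed values and then parses the server_name (SNI) extension back out of it, which is the hostname visibility the paragraph above refers to. The same parser returns nothing for an application-data record, because once the handshake is over the path, headers and body are encrypted.

```python
"""Added example (not PAN-OS code): what a firewall can see in HTTPS without decryption.

The ClientHello is built here from constructed values; the parser then pulls the
server_name (SNI) extension out of it, which is all the hostname visibility an
undecrypted session offers. Anything after the handshake is opaque application data.
"""
import struct
from typing import Optional

HANDSHAKE = 0x16          # TLS record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension (test input)."""
    name = server_name.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
    sni_body = struct.pack("!H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    # One unrelated extension first, so the parser has to walk past it.
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"       # supported_versions
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                                 # legacy_version TLS 1.2
        + b"\x11" * 32                              # random (constructed)
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
        + b"\x01\x00"                               # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a ClientHello record, or None if it is not visible."""
    try:
        if record[0] != HANDSHAKE:
            return None                             # e.g. application data: encrypted payload
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                # skip version and random
        pos += 1 + body[pos]                        # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                        # compression_methods
        if pos + 2 > len(body):
            return None                             # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            p = 2                                   # skip ServerNameList length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return data[p:p + name_len].decode("ascii", "replace")
                p += name_len
        return None
    except (IndexError, struct.error):
        return None                                 # truncated or malformed record


if __name__ == "__main__":
    print(extract_sni(build_client_hello("bank.example")))   # the hostname
    print(extract_sni(b"\x17\x03\x03\x00\x05hello"))         # None: encrypted application data
```

This is also why SNI-based controls are weaker than URL filtering on decrypted traffic: the hostname is all there is, and with Encrypted Client Hello even that field is hidden, leaving nothing for the firewall to inspect without decryption.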
SSL Forward Proxy (Outbound)
Used for outbound HTTPS traffic: internal users browsing the internet. The firewall acts as a man-in-the-middle — intercepting the TLS session, inspecting the plaintext, and re-encrypting toward the server using a certificate signed by a trusted internal CA.
The firewall presents a dynamically generated certificate to the client, signed by your organization's root CA. Clients must trust this CA — deploy it via Group Policy or MDM to all managed endpoints.
For sites with certificate pinning (some banking apps, native mobile apps), forward proxy will break the connection. Use a decryption exclusion list for these.
SSL Inbound Inspection
Used to inspect inbound HTTPS traffic to your own servers. You upload your server's private key and certificate to the firewall. The firewall decrypts inbound traffic from the internet, inspects it for threats, and re-encrypts before forwarding to the server.
Privacy and Legal Considerations
Decryption Policy
Decryption is controlled by decryption policy rules — a separate policy table from security policy. Rules specify what to decrypt, what to exclude, and which decryption profile to use (cipher suites, protocol version enforcement, certificate validation behavior).
File Blocking
File blocking profiles control which file types can be uploaded or downloaded over inspected traffic. PAN-OS identifies files by actual type (magic bytes), not just file extension, preventing users from renaming files to bypass controls.
- Block uploads of exe, dll, msi — prevent malware installation files from being uploaded to cloud storage and retrieved later
- Block downloads of executable types from unknown or risky URL categories
- Alert on PDF, DOC/DOCX, XLS downloads from the internet for DLP visibility
- Forward files to WildFire for sandboxing instead of blocking — block on malicious verdict
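The four bullets above, acted out as an added example that is not PAN-OS code: the type is detected from the file's leading bytes (the signatures for PE, PDF, ZIP/OOXML and OLE/MSI are the standard ones), while the extension is recorded only so the log can flag a renamed file. The policy table, the category names used for the risky-category check, and the sample file contents are constructed for this demonstration.

```python
"""Added example (not PAN-OS code): file-type identification by magic bytes.

The signatures are the standard leading bytes of each container; the policy
table, category names and file contents below are constructed to act out the
file blocking bullets. A renamed file is caught because the decision uses the
detected type, and the extension is only recorded for the log.
"""
from typing import Dict, List, Set, Tuple

# (leading bytes, detected type). These signatures are real; the list is deliberately short.
MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "pe"),                                        # Windows PE: .exe, .dll, .scr
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                               # ZIP, also DOCX/XLSX (OOXML)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),         # legacy DOC/XLS and MSI installers
]

# Extensions that legitimately carry each detected type (constructed mapping).
EXPECTED_EXT: Dict[str, Set[str]] = {
    "pe": {"exe", "dll", "scr"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
    "ole": {"doc", "xls", "ppt", "msi"},
}

RISKY_CATEGORIES = {"unknown", "hacking", "malware", "phishing"}   # names from the category table


def identify(data: bytes) -> str:
    """Detect the file type from its leading bytes, ignoring the filename entirely."""
    for signature, file_type in MAGIC:
        if data.startswith(signature):
            return file_type
    return "unknown"


def file_policy(filename: str, data: bytes, direction: str,
                url_category: str = "business-and-economy") -> Dict[str, object]:
    """Apply the constructed file blocking profile and return the log record."""
    detected = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    renamed = detected != "unknown" and ext not in EXPECTED_EXT[detected]

    if direction == "upload" and detected in ("pe", "ole"):
        action = "block"                  # exe/dll/msi uploads to cloud storage
    elif direction == "download" and detected == "pe":
        # executables: block from risky categories, otherwise hand to sandboxing
        action = "block" if url_category in RISKY_CATEGORIES else "forward"
    elif direction == "download" and detected in ("pdf", "zip", "ole"):
        action = "alert"                  # document downloads logged for DLP visibility
    else:
        action = "allow"

    return {"file": filename, "detected": detected, "extension": ext,
            "renamed": renamed, "direction": direction, "action": action}


# Constructed sample files: only the leading bytes matter for identification.
SAMPLES = [
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56, "download", "unknown"),
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n", "download", "business-and-economy"),
    ("q3.xlsx", b"PK\x03\x04\x14\x00\x06\x00", "download", "business-and-economy"),
    ("setup.exe", b"MZ\x90\x00", "download", "business-and-economy"),
    ("tool.bin", b"MZ\x90\x00", "upload", "business-and-economy"),
    ("notes.txt", b"plain text", "download", "business-and-economy"),
]

if __name__ == "__main__":
    for args in SAMPLES:
        print(file_policy(*args))
```

The first sample is the case the paragraph warns about: `invoice.pdf` whose content starts with `MZ` is treated as an executable from an unknown-category site and blocked, with `renamed` set so the log shows the mismatch.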
Data Filtering
Data filtering profiles detect and optionally block sensitive data patterns in traffic content. PAN-OS includes built-in patterns for common sensitive data types:
| Data Pattern | Example Match | Use Case |
|---|---|---|
| Credit card numbers | 4532-xxxx-xxxx-xxxx (Luhn check) | PCI DSS compliance |
| Social Security Numbers | xxx-xx-xxxx format | US regulatory compliance |
| Custom regex patterns | Employee IDs, internal codes | Organization-specific DLP |
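The three pattern types in the table, as an added example that is not PAN-OS code. The card regex is backed by a Luhn check so that a 16-digit order number is not counted, the SSN regex encodes the public format rules (area not 000, 666 or 9xx; group not 00; serial not 0000), and the employee-ID pattern, the alert/block thresholds and the sample text are constructed for this demonstration.

```python
"""Added example (not PAN-OS code): data-pattern matching with validation and thresholds.

The credit-card and SSN regexes follow the public structure of those numbers and a
Luhn check drops false positives from the card pattern; the employee-ID pattern,
the thresholds and the sample text are constructed for this demonstration.
"""
import re
from typing import Callable, Dict, Optional, Tuple

# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Organization-specific pattern (constructed): EMP- followed by six digits.
EMPLOYEE_ID_RE = re.compile(r"\bEMP-\d{6}\b")


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum over the digits; filters out order numbers and similar."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# pattern name -> (regex, optional validator applied to each regex hit)
PATTERNS: Dict[str, Tuple[re.Pattern, Optional[Callable[[str], bool]]]] = {
    "credit-card": (CARD_RE, luhn_valid),
    "ssn": (SSN_RE, None),
    "employee-id": (EMPLOYEE_ID_RE, None),
}

# pattern name -> (alert threshold, block threshold); constructed policy
THRESHOLDS: Dict[str, Tuple[int, int]] = {
    "credit-card": (1, 1),      # any valid card number in a transfer is blocked
    "ssn": (1, 3),              # one SSN is logged, bulk exposure is blocked
    "employee-id": (1, 10),
}


def scan(text: str) -> Dict[str, int]:
    """Count validated matches for each data pattern."""
    counts: Dict[str, int] = {}
    for name, (regex, validator) in PATTERNS.items():
        matches = [m.group(0) for m in regex.finditer(text)]
        if validator is not None:
            matches = [m for m in matches if validator(m)]
        counts[name] = len(matches)
    return counts


def decide(counts: Dict[str, int]) -> str:
    """Most severe action across all patterns: block > alert > allow."""
    action = "allow"
    for name, n in counts.items():
        alert_at, block_at = THRESHOLDS[name]
        if n >= block_at:
            return "block"
        if n >= alert_at:
            action = "alert"
    return action


# Constructed sample payload: one Luhn-valid card, one that fails Luhn,
# one SSN, one order number that looks like a card, and an employee ID.
SAMPLE = (
    "Customer paid with 4532 0151 1283 0366 (exp 09/27). "
    "Previous attempt 4532 0151 1283 0367 was declined. "
    "SSN on file: 078-05-1120. Order ref 1234567890123456. "
    "Handled by EMP-004213."
)

if __name__ == "__main__":
    counts = scan(SAMPLE)
    print(counts, "->", decide(counts))
```

Only one of the three 16-digit strings in the sample passes Luhn, which is the difference between a data filtering rule that is usable and one that blocks every invoice with a long reference number.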
Data Filtering Action
Safe Search and Account Restrictions
- Safe Search Enforcement — PAN-OS rewrites search engine queries to force safe search mode on Google, Bing, YouTube, and others. Users cannot disable safe search at the browser level.
- YouTube/Google Account Restrictions — restrict YouTube to a specific G Suite domain, or enforce Google account login. Prevents personal account use on managed devices.
- These controls are applied within the URL filtering profile under the safe search options.
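The query rewrite behind safe search enforcement, as an added example that is not PAN-OS code. It handles Google and Bing; the parameter names (`safe=active`, `adlt=strict`) come from those engines' public documentation rather than from this page, the hostnames are the ones the example chooses to handle, and YouTube restricted mode, which works differently, is not covered. Because the query string travels inside TLS, a firewall can only perform this rewrite on sessions it decrypts with SSL forward proxy.

```python
"""Added example (not PAN-OS code): forcing safe search by rewriting the query string.

Parameter names for Google (safe=active) and Bing (adlt=strict) are taken from the
engines' public documentation; the handled hostnames are this example's choice.
"""
from typing import Dict, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# search host -> (query parameter, value that forces safe mode)
SAFE_SEARCH: Dict[str, Tuple[str, str]] = {
    "www.google.com": ("safe", "active"),
    "www.bing.com": ("adlt", "strict"),
}


def enforce_safe_search(url: str) -> Tuple[str, bool]:
    """Return (url after enforcement, whether it was changed).

    Any client-supplied value of the safe-search parameter (e.g. safe=off) is
    dropped and replaced, so the setting cannot be disabled at the browser.
    """
    parts = urlsplit(url)
    rule = SAFE_SEARCH.get((parts.hostname or "").lower())
    if rule is None:
        return url, False                  # not a handled search engine: pass through
    key, value = rule
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != key]
    query.append((key, value))
    rewritten = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))
    return rewritten, rewritten != url


if __name__ == "__main__":
    for u in ["https://www.google.com/search?q=cats&safe=off",
              "https://www.bing.com/search?q=cats",
              "https://intranet.example/search?q=cats"]:
        print(u, "->", enforce_safe_search(u))
```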