How to whitelist or blacklist in URL Filtering in PANOS 9.0.x and above
Created On 02/13/21 20:40 PM - Last Modified 07/26/22 01:58 AM
Objective
- Whitelist or blacklist URLs in URL Filtering on PAN-OS 9.0.x and above
- Release versions earlier than PAN-OS 9.0 allowed you to configure URL Filtering Overrides to create exceptions to URL category enforcement.
- In PAN-OS 9.0, the URL Filtering profile Overrides tab, where you would configure these block and allow lists, no longer exists.
Environment
- Palo Alto Firewalls
- PANOS 9.0.x, 9.1.x and 10.0.x
- URL Block List configuration.
Procedure
To configure exceptions to URL categories:
- Create a custom URL category under GUI: Objects > Custom Objects > URL Category
- Any URL Filtering overrides that you configured before upgrading to PAN-OS 9.0 are now converted to custom URL Categories. For more details on these changes, see Multi-Category URL Filtering
- The custom URL category object will appear in URL Filtering (GUI: Objects > Security Profiles > URL Filtering)
- By default, the URL category object has NONE as its Action in URL Filtering
- Change the action from NONE to BLOCK or ALLOW as needed
- If you had URL Filtering overrides configured before upgrading to PAN-OS 9.0, there are three issues you might see after the upgrade. Each has a workaround that you might consider implementing.
- See workarounds in Upgrade/Downgrade Considerations for PANOS 9.0.x
- Commit the changes
When the URL category is used in a security profile that belongs to a security policy, traffic that matches the URL is denied or permitted based on the configuration.
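Because a custom URL category starts at action NONE, a converted override or a new list enforces nothing until its action is set. The following check is an added example, not Palo Alto Networks code: it reads an exported configuration and reports custom categories that a URL Filtering profile leaves at NONE. It assumes the export lists custom categories under `custom-url-category` and per-profile actions as `allow`/`alert`/`block`/`continue`/`override` member lists; the profile and category names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like an exported PAN-OS config (element layout is an assumption).
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <profiles>
    <custom-url-category>
      <entry name="Blocked-Sites"><list><member>bad.example.com/</member></list><type>URL List</type></entry>
      <entry name="Allowed-Sites"><list><member>good.example.com/</member></list><type>URL List</type></entry>
      <entry name="Converted-Override"><list><member>old.example.net/</member></list><type>URL List</type></entry>
    </custom-url-category>
    <url-filtering>
      <entry name="Corp-URL-Profile">
        <block><member>Blocked-Sites</member><member>malware</member></block>
        <allow><member>Allowed-Sites</member></allow>
      </entry>
    </url-filtering>
  </profiles>
</entry></vsys></entry></devices></config>
"""

ACTIONS = ("allow", "alert", "block", "continue", "override")

def category_actions(config_xml):
    """Return {profile: {custom_category: action}}; action is 'none' when
    the category is not listed under any action in that profile."""
    root = ET.fromstring(config_xml)
    custom = [e.get("name") for e in root.iterfind(".//custom-url-category/entry")]
    report = {}
    for profile in root.iterfind(".//url-filtering/entry"):
        listed = {}
        for action in ACTIONS:
            for member in profile.iterfind(f"{action}/member"):
                listed[member.text] = action
        report[profile.get("name")] = {c: listed.get(c, "none") for c in custom}
    return report

def unenforced(config_xml):
    """List (profile, category) pairs still at the default action."""
    return sorted((p, c) for p, cats in category_actions(config_xml).items()
                  for c, a in cats.items() if a == "none")

if __name__ == "__main__":
    for profile, category in unenforced(SAMPLE_CONFIG):
        print(f"{profile}: custom category {category!r} has action none")
```

Run it against the configuration exported after the upgrade and before the commit; any pair it prints is a list that will not block or allow anything yet.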
Additional Information
Overrides tab in URL filtering missing after the upgrade.