Managing High Risk and other Security Focused URL Categories

Created On 08/04/21 17:03 PM - Last Modified 01/12/24 14:58 PM


Symptom


Blocking the high-risk URL category is not recommended: many sites are temporarily categorized as high-risk without being malicious.

Environment


Any firewall with URL filtering and PAN-OS 9.0 or later

Resolution



For the high-risk and medium-risk categories the recommended action is Alert.
  1. This does not block the traffic, but it logs the site so you can go back and see what happened if the need arises.
  2. It is recommended to alert, enforce SSL decryption for increased visibility, apply a much stricter threat prevention profile, and block downloads of dangerous file types (PEs, PowerShell scripts, etc.) from high-risk sites.
  3. In addition, you may wish to increase logging for additional insight.

High-risk sites include:
  • Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 30 days.
  • Unknown domains are classified as high-risk until PAN-DB completes site analysis and categorization.
  • Sites that are associated with confirmed malicious activity. For example, a page might be high-risk if there are malicious hosts on the same domain, even if the page itself does not contain malicious content.
  • Bulletproof ISP-hosted sites.
  • Sites hosted on IPs from ASNs that are known to allow malicious content.
Default and Recommended Policy Action: Alert
If the high-risk category is blocked, an exception list or allow list may be needed for the occasional site that is categorized as high-risk but still needs to be reachable.

Medium-risk sites include:
  • All cloud storage sites (with the URL category online-storage-and-backup).
  • Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 60 days.
  • Unknown IP addresses are categorized as medium-risk until PAN-DB completes site analysis and categorization.
Default and Recommended Policy Action: Alert


Low-Risk
Low-risk sites are the most common and are usually the category you will see. There is normally no reason to log these sites, so Allow is the recommended setting.
  • Sites that are not medium-risk or high-risk are considered low-risk. These sites have displayed benign activity for a minimum of 90 days.
Default and Recommended Policy Action: Allow

Newly-Registered Domains
Newly registered domains are frequently malicious. This is the only secondary category that should be blocked.
  • Identifies sites that have been registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
Default Policy Action: Alert
Recommended Policy Action: Block
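The following is an added example, not Palo Alto Networks' code, that audits URL Filtering profiles against the actions recommended above. It assumes the profiles are read from a set-format configuration export whose lines look like `set profiles url-filtering <name> <action> <category>` or `... <action> [ cat1 cat2 ]`, and that profile names contain no spaces; the sample export is constructed.

```python
import re

# Recommended actions from the article, keyed by PAN-DB category name.
RECOMMENDED = {
    "high-risk": "alert",
    "medium-risk": "alert",
    "low-risk": "allow",
    "newly-registered-domain": "block",
}

# One 'set ... url-filtering <profile> <action> <cat | [ cats ]>' line.
# The set-format layout is an assumption about the configuration export.
_SET_RE = re.compile(
    r"url-filtering\s+(?P<profile>\S+)\s+(?P<action>allow|alert|block|continue|override)"
    r"\s+(?:\[\s*(?P<many>[^\]]*?)\s*\]|(?P<one>\S+))\s*$")


def parse_profiles(config_text):
    """Turn set-format lines into {profile: {category: action}}."""
    profiles = {}
    for line in config_text.splitlines():
        m = _SET_RE.search(line.strip())
        if not m:
            continue
        cats = m.group("many").split() if m.group("many") is not None else [m.group("one")]
        for cat in cats:
            profiles.setdefault(m.group("profile"), {})[cat] = m.group("action")
    return profiles


def audit_profile(actions, allow_list=()):
    """Return findings for one profile; an empty list means it follows the
    recommendations. allow_list is the exception list that blocking high-risk requires."""
    findings = []
    for category, recommended in RECOMMENDED.items():
        action = actions.get(category)
        if action == recommended:
            continue
        if action is None:
            findings.append(f"{category}: no action set, recommended {recommended}")
        elif category == "high-risk" and action == "block" and not allow_list:
            findings.append("high-risk: blocked without an allow list; "
                            "temporarily high-risk sites will be cut off")
        else:
            findings.append(f"{category}: {action}, recommended {recommended}")
    return findings


# Constructed sample export: 'Strict' blocks high-risk, 'Recommended' follows the article.
SAMPLE_CONFIG = """\
set profiles url-filtering Strict block [ high-risk newly-registered-domain ]
set profiles url-filtering Strict alert medium-risk
set profiles url-filtering Strict allow low-risk
set profiles url-filtering Recommended alert [ high-risk medium-risk ]
set profiles url-filtering Recommended allow low-risk
set profiles url-filtering Recommended block newly-registered-domain
"""

if __name__ == "__main__":
    for name, actions in parse_profiles(SAMPLE_CONFIG).items():
        print(name, audit_profile(actions) or ["compliant"])
```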

