What is the recommended action for high-risk category URLs?

Created On 07/05/22 15:07 PM - Last Modified 08/29/22 20:27 PM


Question


What is the recommended action for URLs with a benign category and a "High" risk category?



Environment


  • Palo Alto Firewall with a valid URL Filtering License
  • PAN-OS 9.1 and above


Answer


The "high-risk" category is a non-malicious category that serves as an indicator of a URL's recent malicious associations. Since it is a non-malicious category, it is not recommended to block access to URLs/domains categorized as high-risk.

The “Best Practices Guidelines” for configuring a URL Filtering profile state that the following 11 categories should be set to the block action:

  • command-and-control
  • copyright-infringement
  • dynamic-dns
  • extremism
  • malware
  • phishing
  • proxy-avoidance-and-anonymizers
  • unknown
  • newly-registered-domain
  • grayware
  • parked

Create Best Practice Security Profiles for the Internet Gateway
https://docs.paloaltonetworks.com/best-practices/10-1/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles.html

The guidelines also state that the remaining categories should be set to Alert. Excerpt from the link above:

“In addition to blocking known bad categories, alert on all other categories, so you have visibility into the sites your users are visiting”


The action of alert also applies to the “High-risk” category, since it is a non-malicious category under our recommended best practices. The following link explains why the action of alert is recommended for “High-risk” category URLs.

Managing High Risk And Other Security Focused Url Categories
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMOjCAM

Excerpts from the URL above:

“Blocking High-risk URL category is not recommended as many sites will temporarily be set to high risk but are not malicious.”
…
“If a high-risk site is blocked then an exception list or allow-list may be needed for the occasional site that does get categorized as high risk but access is still needed.”


If it is an organization's policy to block the “High-risk” URL category, then it is recommended that they configure a custom URL category object to bypass the PAN-DB category for the URLs that must remain reachable.

Create a Custom URL Category
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/custom-url-categories.html
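The following script is an added example (not Palo Alto Networks code) that audits a URL Filtering profile against the guidance in this article: the 11 listed categories must be on block, the risk categories (including high-risk) should stay on alert rather than block, all other predefined categories should be on alert for visibility, and custom URL category objects used as exceptions are left out of the check. The configuration lines it parses are constructed for the example; their set-command shape (`set profiles url-filtering <name> <action> [ ... ]`, `set profiles custom-url-category <name> ...`) is an assumption about the export format and should be adjusted to match a real `show config` output.

```python
"""Audit a PAN-OS URL Filtering profile against the article's best-practice actions.

Added example, not Palo Alto Networks code. The sample config below is constructed;
the set-command line shape is assumed and may need adjusting for a real export.
"""
import re

# The 11 categories the Best Practices Guidelines say to block (from the article).
BLOCK_CATEGORIES = frozenset({
    "command-and-control", "copyright-infringement", "dynamic-dns", "extremism",
    "malware", "phishing", "proxy-avoidance-and-anonymizers", "unknown",
    "newly-registered-domain", "grayware", "parked",
})
# Risk-indicator categories: non-malicious, so the article recommends alert, not block.
RISK_CATEGORIES = frozenset({"high-risk", "medium-risk", "low-risk"})

# Constructed sample (assumed set-command format). It blocks high-risk and leaves
# "parked" on alert, so the audit should report exactly those two deviations.
SAMPLE_CONFIG = """
set profiles url-filtering Internet-Gateway block [ command-and-control copyright-infringement dynamic-dns extremism malware phishing proxy-avoidance-and-anonymizers unknown newly-registered-domain grayware high-risk ]
set profiles url-filtering Internet-Gateway alert [ parked medium-risk low-risk business-and-economy ]
set profiles url-filtering Internet-Gateway allow [ Allowed-High-Risk ]
set profiles custom-url-category Allowed-High-Risk type "URL List"
set profiles custom-url-category Allowed-High-Risk list [ example.com/ ]
"""

ACTION_RE = re.compile(
    r"^set profiles url-filtering (\S+) (block|alert|allow|continue|override) \[ ([^\]]*) \]$"
)
CUSTOM_RE = re.compile(r"^set profiles custom-url-category (\S+) ")


def parse_config(config_text):
    """Return ({profile: {category: action}}, {custom category names})."""
    actions, custom = {}, set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACTION_RE.match(line)
        if m:
            profile, action, cats = m.groups()
            for cat in cats.split():
                actions.setdefault(profile, {})[cat] = action
            continue
        m = CUSTOM_RE.match(line)
        if m:
            custom.add(m.group(1))  # exception objects are checked separately, not here
    return actions, custom


def audit_profile(category_actions, custom_categories=frozenset()):
    """Return a list of human-readable findings for one profile."""
    findings = []
    # 1. Every known-bad category must be blocked (missing = not explicitly set).
    for cat in sorted(BLOCK_CATEGORIES):
        action = category_actions.get(cat, "unset")
        if action != "block":
            findings.append(f"{cat}: expected block, found {action}")
    # 2. Risk categories should not be blocked; everything else should be on alert.
    for cat, action in sorted(category_actions.items()):
        if cat in BLOCK_CATEGORIES or cat in custom_categories:
            continue
        if cat in RISK_CATEGORIES and action == "block":
            findings.append(f"{cat}: blocked, but the guidance is alert (non-malicious indicator)")
        elif action != "alert":
            findings.append(f"{cat}: expected alert for visibility, found {action}")
    return findings


def audit_config(config_text):
    """Audit every URL Filtering profile found in the config text."""
    actions, custom = parse_config(config_text)
    return {profile: audit_profile(cats, custom) for profile, cats in actions.items()}


if __name__ == "__main__":
    for profile, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"Profile {profile}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Running it against the constructed sample reports that "parked" is on alert instead of block and that "high-risk" is blocked against the guidance, while the "Allowed-High-Risk" custom category (the exception mechanism the article describes) is not flagged.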


