How to restrict user access to specific URLs without the use of SSL decryption in the URL filtering profile?

Created On 10/02/25 16:27 PM - Last Modified 01/30/26 23:32 PM


Objective


How to restrict user access to specific URLs without the use of SSL decryption in the URL filtering profile?



Environment


  • Next Gen Firewalls (NGFW)
  • Supported PAN-OS
  • SSL Decryption
  • URL Filtering


Procedure


  • If SSL Decryption is not possible, an alternative method can be used.
  • DNS traffic traverses the firewall before HTTP, because the client has to resolve the hostname before it can send the request.
  • An alternative option is DNS Security. This option can be used if the category of the URL in question is not present in the DNS Security Policy.

  1. Create an EDL object under Objects > External Dynamic Lists > Add.
  2. Add the name of the EDL object and select Domain List under Type.
  3. Add the source URL that the EDL object will be fed from.
  4. Configure the other options, such as Server Authentication / Check for updates, and click OK.
  5. Add the EDL under Anti-Spyware: select the Anti-Spyware Profile, or create a new one by clicking 'Add', then go to DNS Policy > External dynamic list and select the action drop or sinkhole.
  6. Click OK, and then Commit.
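
Because the block is enforced on the DNS query, the list served at the EDL source URL can only hold hostnames, not full URLs. The following is an added example, not part of the original article: it derives such a list from the URLs to be restricted, assuming a plain-text feed with one hostname per line. The sample URLs and the `build_domain_edl` helper are hypothetical.

```python
import ipaddress
import sys
from urllib.parse import urlsplit

# Constructed sample input: the URLs an administrator wants to restrict.
SAMPLE_URLS = [
    "https://Files.Example.com/downloads/tool.exe",
    "http://files.example.com/other/page",
    "portal.example.net/login",
    "https://198.51.100.7/admin",
    "https://bücher.example/katalog",
]


def build_domain_edl(urls):
    """Return (domains, notes): feed lines plus warnings for the operator."""
    domains, notes = [], []
    for raw in urls:
        # urlsplit only finds the host when a scheme or '//' is present.
        candidate = raw.strip()
        parts = urlsplit(candidate if "//" in candidate else "//" + candidate)
        host = (parts.hostname or "").rstrip(".")
        if not host:
            notes.append(f"skipped (no hostname): {raw}")
            continue
        try:
            ipaddress.ip_address(host)
            # An IP literal triggers no DNS lookup, so a DNS policy never sees it.
            notes.append(f"skipped (IP literal, no DNS query to act on): {raw}")
            continue
        except ValueError:
            pass
        try:
            host = host.encode("idna").decode("ascii")  # DNS carries the punycode form
        except UnicodeError:
            notes.append(f"skipped (invalid hostname): {raw}")
            continue
        if parts.path not in ("", "/"):
            # DNS has no notion of a path: the whole domain is affected.
            notes.append(f"path dropped, entire domain {host} will be blocked: {raw}")
        if host not in domains:
            domains.append(host)
    return domains, notes


if __name__ == "__main__":
    feed, warnings = build_domain_edl(SAMPLE_URLS)
    print("\n".join(feed))                       # body of the feed file
    print("\n".join(warnings), file=sys.stderr)  # for operator review
```

The warnings show where the DNS-based approach is coarser than URL filtering: every path on a listed domain is affected, and URLs that use an IP address directly are not covered at all.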



Additional Information


Policy Object: External Dynamic Lists


