Palo Alto: Making URL Exceptions To Your URL-Filtering Security Profiles
To make an exception for the blocked web page, there are steps available to the administrator:
When an end-user reports that a webpage they are attempting to access is being blocked, the first step is to check the current category of the webpage. To do so, use the following resources: Virus Total and Palo Alto URL Test Page. If the webpage is listed by Palo Alto as one of the categories blocked by the UW-Madison profile in use: malware, phishing or command and control, but the webpage is known, trusted to be legitimate and comes back with a low score on VirusTotal, the test page has the option to request a re-categorization.
The exception URL will be added as a site in the new custom category by clicking "Add" as displayed here:
If the Security rule blocking the end-user is using a globally assigned URL-Filtering security profile, i.e. UW-Default or Security-Baseline-URL. The specific URL-Filtering profile will need to be "cloned" as the global profiles are not editable. (See clone button in image below)
Once the profile has been cloned set the new URL Category to allow.
Now that the Profile is available with the URL Exception it needs to be applied to a rule that matches the end-user traffic in order to be active.
Create a new rule, above the rule blocking the original attempt, with the new security profile. An example rule can be found below.
Once the new security profile has been applied to the new rule, click commit at the upper right and commit the changes made by you.