Palo Alto: Making URL Exceptions To Your URL-Filtering Security Profiles

To make an exception for the blocked web page, there are steps available to the administrator:
  1. Determine the status and category of the blocked page
  2. Add the blocked web page to a custom URL Category (exception list)
  3. Set the URL Category to a custom URL-Filtering security profile
  4. Apply the custom URL Security profile to a firewall rule
  5. Set a date to check on the URL category and revert exceptions if status has changed

When an end-user reports that a webpage they are attempting to access is being blocked, the first step is to check the current category of the webpage. To do so, use the following resources: Virus Total and Palo Alto URL Test Page. If the webpage is listed by Palo Alto as one of the categories blocked by the UW-Madison profile in use: malware, phishing or command and control, but the webpage is known, trusted to be legitimate and comes back with a low score on VirusTotal, the Palo Alto test page has the option to request a re-categorization.

The exception URL will be added as a site in the new custom category by clicking "Add" as displayed here:

 

URL-Category.png

If the Security rule blocking the end-user is using a globally assigned URL-Filtering security profile, i.e. UW-Default or Security-Baseline-URL. The specific URL-Filtering profile will need to be "cloned" as the global profiles are not editable. (See clone button in image below)

URL-Exception-Profile-Clone

 

Once the profile has been cloned set the new URL Category to allow.

URL-Exception-Filtering-Profile2

Now that the Security Profile is available with the URL Exception it needs to be applied to a rule that matches the end-user traffic in order to be active.

Create a new rule, above the rule blocking the original attempt, with the new security profile. An example rule can be found below.

 

URL-Exception-Rule-Use

 

Once the new security profile has been applied to the new rule, click commit at the upper right and commit the changes made by you.

Commit-Changes-Made-By-Me