6.10 Ensure that URL Filtering uses the action of block or override on the URL categories


Ideally, deciding which URL categories to block, and which to allow, is a joint effort between IT and another entity of authority within an organizationsuch as the legal department or administration. For most organizations, blocking or requiring an override on the following categories represents a minimum baseline: adult, hacking, command-and-control, copyright-infringement, extremism, malware, phishing, proxy-avoidance-and-anonymizers, and parked. Some organizations may add "unknown" and "dynamic-dns" to this list, at the expense of some support calls on those topics.
Certain URL categories pose a technology-centric threat, such as mcommand-and-control, copyright-infringement, extremism, malware, phishing, proxy-avoidance-and-anonymizers, and parked. Users visiting websites in these categories, many times unintentionally, are at greater risk of compromising the security of their system. Other categories, such as adult, may pose a legal liability and will be blocked for those reasons.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Navigate to Objects > Security Profiles > URL Filtering.
Set a URL filter so that all URL categories designated by the organization are listed.
Navigate to the Actions tab.
Set the action to Block.
Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss.

Default Value:
Not Configured

See Also


Item Details


References: 800-53|AC-4(8), 800-53|CM-6b., CSCv6|7.6, CSCv7|7.4, CSCv7|7.5

Plugin: Palo_Alto

Control ID: 7077d93255dec38f06015dc297fd305a0e9d888a975e93992e3c4402f5cf671e