Advanced URL Filtering

Best-in-Class Web Protection

Palo Alto Networks | Advanced URL Filtering | Datasheet 1

Safeguarding the Web in Real Time
As applications move to the cloud and people work from anywhere, it’s becoming more important—
and more difficult—to secure the web. Web-based attacks like phishing and fileless attacks are com-
ing at higher volume, greater speed, and increased sophistication, yet many web security solutions
only ­depend on databases of known malicious webpages that are quickly overrun by the hundreds of
­thousands of new threats created every day.
Palo Alto Networks Advanced URL Filtering provides best-in-class web protection for the m ­ odern
enterprise. Bringing t­ ogether the best of both worlds, Advanced URL Filtering combines our­r­ enowned
malicious URL database capabilities with the industry’s first real-time web protection engine
­powered by deep learning. Now, you can automatically detect and prevent new malicious and targeted
­web-based threats instantly. Welcome to real-time protection.

12
40% 88% Million+

more web-based of malicious URLs new malicious

threats prevented than detected at least URLs blocked
traditional web 48 hours before in the last year
filtering databases other vendors

Advanced URL Filtering Prevents Attacks Others Don’t

Figure 1: Advanced URL Filtering detects the most damaging web-based attacks
aimed at enterprise networks today

The Advanced URL Filtering D

­ ifference
Built in the cloud, Advanced URL Filtering is a subscription service that works natively with your Palo
Alto Networks Next-Generation Firewall (NGFW) to secure your network against web-based threats
such as phishing, malware, ransomware, and command and control (C2).
Advanced URL Filtering uses Palo Alto Networks patent-pending inline deep learning technology to
analyze URLs in real time and classify them into benign or ­malicious categories, which you can easily
build into your NGFW policy for total control of web traffic. These c
­ ategories trigger complementary
capabilities across the NGFW platform, enabling additional ­­layers of protection, such as targeted SSL
decryption and advanced logging. Alongside its own analysis, Advanced URL Filtering uses shared
threat information from Palo Alto Networks industry-leading malware prevention service, Advanced
WildFire and other sources to automatically update protections against malicious sites. Advanced URL
Filtering delivers:
• Superior protection against web-based attacks with the combined power of our URL database stop-
ping known threats and a cloud-delivered web security engine powered by machine learning that
categorizes and blocks new malicious URLs in real time, even when content is cloaked from crawlers.
Advanced URL Filtering prevents 40% more threats than traditional web filtering databases.
• Industry-leading phishing protections that tackle the most common causes of breaches.
• Total control of your web traffic through fine-grained controls and policy settings that enable you to
automate security actions based on users, risk ratings, and content categories.
• Maximum operational efficiency by enabling web protection through the Palo Alto Networks platform.

Advanced URL Filtering | Datasheet 2

 Business Benefits
• Inline protection. Protection from new and unknown web-based attacks in less than 100 milliseconds to prevent patient zero.
• Detect evasive and targeted attacks. ­Increase detection of evasive and targeted attacks by detecting real web traffic and
not web crawler data.
• Cloud-native service. Designed to expand and scale capabilities over time.
• Leverage consistent security policies and ­capabilities. Deploy Advanced URL Filtering with hardware appliances, on virtual
environments, or in the cloud with the same set of policies and s
­ ecurity consistently applied.
• Eliminate security silos and keep users safe. We can help you attain proper security posture 30% faster compared to
point solutions.
• Minimize operational expenditure. Palo Alto Networks Cloud-Delivered Security Services ­reduce the need for standalone
solutions, saving US$9.9 million over three years.1
• Safeguard against phishing. Layers of prevention protect your organization from known and brand-new phishing sites by
­stopping credential phishing in real time.
• Support regulatory compliance and ­a­cceptable use. Ensure your organization stays c
­ ompliant with internal, industry, and
­government ­regulatory policies.

Key Capabilities
Inline Protection from New Malicious W
­ ebpages
At Palo Alto Networks, we saw a 127% increase in malicious webpages from 2019 to 2021.2 With so many
new threats, practically every one of them has never been seen before when it hits your network.
In addition, 40% of malicious URLs come from legitimate ­domains,3 as adversaries look to embed
threats in websites that have largely been deemed trustworthy. URLs change from benign to malicious
frequently, and unless your solution is constantly analyzing them, that leaves you exposed. Modern
organizations can no longer depend solely on static or slow-to-update databases to keep pace. A new
approach is necessary.
Advanced URL Filtering takes web protection to the next l­ evel with the ability to detect and block new
threats in real time, preventing patient zero. Cloud-based inline ML performs real-time web analysis of
real web traffic instead of web crawler data, categorizing and blocking malicious URLs in milliseconds—
before they have a chance to infect your o­ rganization. Our ML models are retrained frequently, ensuring
the most up-to-date detection intelligence against new web-based threats. Meanwhile, our extensible
cloud-based architecture ensures you can take advantage of the latest innovative detection modules on
the fly without going through a painful update process.
It’s time to move beyond the overreliance on offline crawling and databases that take too long to update.
Advanced URL Filtering takes that step, delivering the industry’s first inline web protection engine capa-
ble of detecting never-before-seen web-based threats and preventing them in real time.

Anti-Evasion
Modern adversaries have evolved to avoid security measures, and now 90% of phishing kits sold on the
dark web include at least one type of evasive technique.4 The most common of these techniques, called
cloaking, capitalizes on the fact that many web security solutions rely solely on offline crawling of
webpage content to determine whether a threat exists. ­Attackers may actively block connections from
specific IP a
­ ddresses and hosts they know to be security companies or reroute them to benign content.
Advanced URL Filtering goes beyond webpage crawling to a ­ nalyze live web content, disrupting
­attackers and identifying the true nature of malicious sites hiding b
­ ehind evasive techniques.

1. The Total Economic Impact™ of Palo Alto Networks for Network Security and SD-WAN, Forrester, January 2021,
https://start.paloaltonetworks.com/2021-forrester-tei-report-network-security.html.
2. Observed by Palo Alto Networks systems, 2019–2021.
3. 2019 Webroot Threat Report, Webroot, February 22, 2019,
https://www-cdn.webroot.com/9315/5113/6179/2019_Webroot_Threat_Report_US_Online.pdf.
4. “6 Phishing Techniques Driven by the Phishing-as-a-Service Industry,” Cyren Security Blog, July 1, 2019,
https://www.cyren.com/blog/articles/evasive-phishing-driven-by-phishing-as-a-service.

Advanced URL Filtering | Datasheet 3

Phishing Protection
One of the oldest tricks in the book, phishing continues to pose a challenge
­­ Operational Benefits
for enterprise organizations. A new phishing site launches every 20 The Advanced URL Filtering subscription
­seconds,5 and phishing constitutes more than 80% of reported security enables you to:
incidents6 as well as 22% of successful breaches.7
• Benefit from shared intelligence. Take
Phishing is a constant threat, with new phishing sites able to be set up and taken advantage of best-in-class web security
down in seconds. With Advanced URL Filtering, you’re protected from millions with easy-to-use ­application- and user-
of known phishing pages, but it’s also critical to detect new phishing pages based ­policies, alongside tight integration
instantly and accurately before they can claim their first victim. We incorporate with Advanced Threat Prevention and
layers of innovative detection capabilities to provide the most comprehensive Advanced WildFire .
phishing protection available, including:
• Maintain total control over web traffic.
• Inline ML-based web content analysis for real-time detection of Use URL categories to automatically
­never-before-seen and highly evasive phishing attacks trigger advanced s ­ ecurity actions, such
• The industry’s only real-time credential theft prevention as selective TLS/SSL ­decryption for
­suspicious sites.
• ML-based image analysis
• Automate your security. Save time as policy
• Static and dynamic analysis
is applied to URL categories automatically,
• Deep recursive analysis requiring no analyst intervention.
• Deep learning convolutional neural networks (CNN) model • Gain insight into user and URL ­activity.
• Append attack detection Enable your IT department to gain ­visibility
• ML-powered domain analysis into URL ­filtering and related web ­activity
through a set of predefined or fully
• Deobfuscating JavaScript engine
­customized reports.
• Phishing redirection chain analysis
• Fake CAPTCHA interaction analysis

Total Control of Web Traffic

Web policy is simply an extension of your firewall policy. Your Palo Alto Networks NGFW uses Advanced
URL ­Filtering to identify URL categories, assign risk ratings, and apply consistent policy. Multiple URL
categories and risk ratings can be combined in nuanced policies, allowing for precise exception-based
enforcement, simplified management, and granular control of web traffic through a single policy set.
You can block dangerous sites that may be used in phishing attacks, exploit kit delivery, or C2 while still
allowing e­ mployees the freedom to access web resources they need for business purposes.

Operational Efficiency
Reduce the total cost of your security stack and maximize ­operational efficiency by enabling web
protection through the Palo Alto Networks platform. Because of its cloud architecture, Advanced URL
Filtering eliminates the need to deploy and manage additional appliances for web protection—you
simply turn it on through the NGFW. Our Cloud-Delivered Security Services reduce the need for
standalone solutions, saving US$9.9 million over three years and reducing risk by 45%.8 Using a
­platform where each security capability ­enhances the next, you can achieve proper security posture
30% faster compared to point solutions.9

The Power of Palo Alto Networks Security ­Subscriptions

Today, cyberattacks have increased in volume and sophistication, using advanced techniques to bypass
network s­ ecurity devices and tools. This challenges organizations to protect their networks without
increasing workloads for s ­ ecurity teams or hindering business productivity. ­Seamlessly i­ ntegrated with
our industry-leading NGFW platform, our cloud-delivered security subscriptions coordinate intelligence
and provide protections across all attack vectors, providing best-in-class functionality while eliminating
the coverage gaps disparate network security tools create. Take advantage of market-­leading c ­ apabilities
with the consistent experience of a platform and secure your organization against even the most
­advanced and evasive threats. Benefit from A ­ dvanced URL ­Filtering or any of our security subscriptions.

5. Mobile Threat Landscape Report 2020, Wandera, accessed May 6, 2021, https://www.wandera.com/mobile-threat-landscape.
6. “Top cybersecurity facts, figures and statistics,” CSO from IDG, March 9, 2020,
https://www.csoonline.com/article/3153707/top-cybersecurity-facts-figures-and-statistics.html.
7. 2020 Data Breach Investigations Report, Verizon, accessed May 3, 2021, https://enterprise.verizon.com/resources/reports/dbir.
8. Forrester Total Economic Impact study.
9. Andy Elder, “Managing Risks and Resources to Lower Your Cybersecurity TCO,” accessed January 26, 2022,
https://www.paloaltonetworks.com/cxo-perspectives/managing-cybersecurity-TCO.

Advanced URL Filtering | Datasheet 4

 Table 1: Palo Alto Networks Cloud-Delivered Security Services
Service Description
Stop known exploits, malware, spyware, and command-and-control (C2) threat, while utilizing
Advanced Threat
­industry-first prevention of zero-day attacks. Prevent 60% more unknown injection attacks and 48%
­Prevention
more highly evasive command-and-control traffic than traditional IPS solutions.
Ensure files are safe by automatically preventing known, unknown, and highly evasive malware 60x
Advanced WildFire
­faster with the industry-largest threat intelligence and malware prevention engine.
Ensure safe access to the internet and prevent 40% more web-based attacks with the industry’s first
Advanced URL Filtering real-time prevention of known and unknown threats, stopping 88% of malicious URLs at least 48 hours
before other vendors.
Gain 40% more threat coverage and stop 85% of malware that abuses DNS for command and control and
DNS Security
data theft, without requiring changes to your infrastructure.
Minimize risk of a data breach, stop out-of-policy data transfers, and enable compliance consistently
Enterprise DLP
across your enterprise with 2x greater coverage of any cloud-delivered enterprise DLP.
The industry’s only Next-Generation CASB natively integrated into Palo Alto Networks SASE o ­ ffers
SaaS Security ­proactive SaaS visibility, comprehensive protection against misconfigurations, real-time data
­protection, and best-in-class security.
Safeguard every “thing” and implement Zero Trust device security 20x faster with the industry’s
IoT Security
­smartest security for smart devices.
AIOps for NGFW redefines firewall operational experience by empowering security teams to proactively
AIOps
strengthen security posture and resolve firewall disruptions.

Unit 42 Threat Intelligence

PN
Unified management Simplified operations

WF DNS DLP IoT

Stop 60% more 60x faster Stop 40% 40% more Leading API 2x more 90% devices
zero-day exploits verdicts more threats threat coverage security for SaaS coverage in 48 hours

Known, unknown, Consistent prevention

and evasive threats everywhere in seconds

NGFW (PA, VM, CN) Prisma SASE Prisma Cloud Cortex XDR

Devices Users Applications Data

Figure 2: Palo Alto Networks Cloud-Delivered Security Services

Advanced URL Filtering | Datasheet 5

 Table 2: Advanced URL Filtering Features
Feature Description
Uses cloud-based inline ML to analyze real web traffic, categorizing and blocking malicious URLs in real
Inline Real-Time Web
time. ML models are retrained frequently, ensuring protection against new and evolving never-­before-
Threat Prevention
seen threats (e.g., phishing, exploits, fraud, C2).
Anti-Evasion Measures Protects against evasive techniques such as cloaking, fake CAPTCHAs, and HTML character encoding.
Maintains hundreds of millions of known malicious and benign URLs categorized through a combination
URL Database
of static, dynamic, machine learning, and human analysis.
Classifies websites based on site content, features, safety, and includes more than 70 benign and mali-
Content Categories
cious content categories.
Scores URLs on a variety of factors to determine risk. These security-focused URL categories can help
Risk Ratings you reduce your attack surface by providing targeted decryption and enforcement for sites that pose
varying levels of risk but are not confirmed malicious.

Categorizes a URL with up to four categories, allowing for flexible policy and the creation of custom
Multicategory Support
categories.

Lets you tailor categories and policies to your organization’s needs. Although Advanced URL F ­ iltering
utilizes a defined set of categories, different organizations may have different needs around risk
Custom Categories
­tolerance, compliance, regulation, or acceptable use. To meet your requirements and fine-tune policies,
administrators can create new custom categories by combining multiple existing categories.
Detects and prevents credential theft by controlling sites to which users can submit corporate credentials
Real-Time Credential Theft based on the site’s URL category. This allows you to block users from submitting credentials to untrusted
Protection sites in real time while still allowing users to only submit credentials to corporate and sanctioned sites with
zero false positives.
Uses ML models to analyze images in webpages to determine whether they are imitating brands
Phishing Image Detection
­commonly used in phishing attempts.
Allows you to designate multiple policy action types based on URL categories or criteria. Beyond simply
Criteria Matching blocking or allowing sites, policy examples may include selective SSL decryption, advanced logging,
blocking downloads, or preventing credential submission.
Helps you further reduce risk with targeted decryption. Policies can be established to selectively decrypt
TLS/SSL-encrypted web traffic, maximizing visibility into potential threats while keeping you compliant
with data privacy regulations. Specific URL categories (e.g., social networking, web-based email, content
delivery networks) can be designated for decryption while transactions to and from other types of sites
Selective SSL Decryption
(e.g., those of governments, banking institutions, healthcare providers) can be designated to remain
encrypted. You can implement simple policies that enable decryption for applicable content categories
with high or medium risk ratings. Selective decryption enables optimal security posture while respecting
confidential traffic parameters set by company policies or external regulations.
Applies Advanced URL Filtering policies to URLs that are entered into language translation websites (e.g.,
Translation Site Filtering
Google Translate) as a means of bypassing policies.
Search Engine Cached Applies Advanced URL Filtering policies when end users attempt to view the cached results of web
­Results Prevention searches and internet archives.
Allows you to prevent inappropriate content from appearing in users’ search results. With this feature
Safe Search Enforcement enabled, only Google, Yandex, Yahoo, or Bing searches with the strictest safe search options set will be
allowed, and all other searches can be blocked.
Enables administrators to notify users of a violation using a custom block page. These pages may include
Customizable End-User
options to present a warning and allow the user to continue or require a configurable password that
Notifications
creates a policy exception.
Multilingual Support Supports crawling and analysis in 41 languages.
Provides visibility into Advanced URL Filtering and related web activity through a set of predefined or
Reporting
fully customized Advanced URL Filtering reports.

Advanced URL Filtering | Datasheet 6

 Table 3: Privacy and Licensing Summary
Privacy with Advanced URL Filtering Subscription

Palo Alto Networks has strict privacy and security controls in place to prevent unauthorized access to
Trust and Privacy sensitive or personally identifiable information. We apply industry-standard best practices for security
and confidentiality. You can find further information in our privacy datasheets.
Licensing and Requirements

To use the Palo Alto Networks Advanced URL Filtering subscription, you will need Palo Alto Networks
Requirements Next-Generation Firewalls running PAN-OS 9.0 or later. Real-time web analysis is only supported on
PAN-OS 10.2 Nebula and later.
Use Advanced URL Filtering with Palo Alto Networks Next-Generation Firewalls deployed in any
Recommended
­internet-facing location, as ransomware, malware, grayware, phishing, credential theft, and C2 require
­Environment
external connectivity.
Advanced URL Filtering requires a standalone license, delivered as an integrated, cloud-based
Advanced URL Filtering
subscription for Palo Alto Networks Next-Generation Firewalls. It can also be available as part of an
License
Enterprise Licensing Agreement or Software NGFW Credits.

3000 Tannery Way © 2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered ­
Santa Clara, CA 95054 trademark of Palo Alto Networks. A list of our trademarks can be found at
https://www.paloaltonetworks.com/company/trademarks.html. All other
Main: +1.408.753.4000 marks mentioned herein may be trademarks of their respective companies.
Sales: +1.866.320.4788 parent_ds_advanced-url-filtering_110922
Support: +1.866.898.9087

www.paloaltonetworks.com