Add Access rules for category-based URL filtering

Use category-based URL filtering in IPv4 or IPv6 Access rules in a Firewall Policy, IPS Policy, Layer 2 Firewall Policy, or Layer 2 Interface Policy to define which traffic is logged or blocked when a URL match is found.

Before you begin

Category-based URL filtering requires that the engine is licensed to use the ThreatSeeker categorization service. You must also define DNS server addresses in the NGFW Engine elements so that the engines can send categorization requests to ThreatSeeker.

  For more details about the product and how to configure features, click Help or press F1.


  1. Right-click a policy and select Edit <policy type>.
  2. On the IPv4 Access or IPv6 Access tab, add a rule.
    Tip: As a general guideline, we recommend placing rules that allow traffic above rules that block traffic.
  3. Drag and drop elements from the Resources pane on the left to the Source and Destination cells.
  4. Add URL Category or URL Category Group elements for category-based URL filtering in one of the following ways:
    • Drag and drop one or more elements from the Resources pane on the left to the Service cell.
    • Add elements to the Service definition.
    When you use URL Category Group elements in a rule, the rule matches if any of the URL Categories in the group match.
  5. In the Action cell, select the action depending on the purpose of the rule.
    • To allow matching traffic, select Allow.
    • To block matching traffic, select Discard.
  6. (Optional) In the Logging cell, configure the logging options for the rule.
  7. Click Save and Install.

Next steps

If you want to make exceptions to the category-based URL filtering, add rules to manually block or allow URL List Applications.