URL Filtering Overview
Use the URL filtering feature to control the websites that users on your network can access:
- Category and reputation-based URL filtering—With a URL Filtering license, you can control access to websites based on the URL’s general classification (category) and risk level (reputation). This is the recommended option.
- Manual URL filtering—With any license, you can manually specify individual URLs, groups of URLs, and URL lists and feeds to achieve granular, custom control over web traffic. For more information, see Manual URL Filtering.
See also Security Intelligence, a similar but different feature for blocking malicious URLs, domains, and IP addresses.
About URL Filtering with Category and Reputation
With a URL Filtering license, you can control access to websites based on the category and reputation of requested URLs:
- Category—A general classification for the URL. For example, ebay.com belongs to the Auctions category, and monster.com belongs to the Job Search category.
  A URL can belong to more than one category.
- Reputation—How likely the URL is to be used for purposes that might be against your organization’s security policy. Reputations range from Unknown risk (level 0) or Untrusted (level 1) to Trusted (level 5).
Benefits of Category and Reputation-Based URL Filtering
URL categories and reputations help you quickly configure URL filtering. For example, you can use access control to block untrusted URLs in the Hacking category. Or, you can use QoS to rate limit traffic from sites in the Streaming Video category. There are also categories for types of threats, such as a Spyware and Adware category.
Using category and reputation data simplifies policy creation and administration. It grants you assurance that the system controls web traffic as expected. Because Cisco continually updates its threat intelligence with new URLs, as well as new categories and risks for existing URLs, the system uses up-to-date information to filter requested URLs. Sites that (for example) represent security threats, or that serve undesirable content, may appear and disappear faster than you can update and deploy new policies.
Some examples of how the system can adapt include:
- If an access control rule blocks all gaming sites, as new domains get registered and classified as Games, the system can block those sites automatically. Similarly, if a QoS rule rate limits all streaming video sites, the system can automatically limit traffic to new Streaming Video sites.
- If an access control rule blocks all malware sites and a shopping page gets infected with malware, the system can recategorize the URL from Shopping to Malware Sites and block that site.
- If an access control rule blocks untrusted social networking sites and somebody posts a link on their profile page that contains links to malicious payloads, the system can change the reputation of that page from Favorable to Untrusted and block it.
Limitations of category-based filtering in SSL policy Do Not Decrypt rules
You can optionally choose to include categories in your SSL policies. These categories, also referred to as URL filtering, are updated by the Cisco Talos intelligence group. Updates are based on machine learning and human analysis according to content that is retrievable from the website destination and sometimes from its hosting and registration information. Categorization is not based on the declared company vertical, intent, or security.
Note: Don't confuse URL filtering with application detection, which relies on reading some of the packet from a website to determine more specifically what it is (for example, Facebook Message or Salesforce). For more information, see Best Practices for Configuring Application Control.
For more information, see Use Categories in URL Filtering.
URL Category and Reputation Descriptions
Category Descriptions
A description of each URL category is available from https://www.talosintelligence.com/categories.
Be sure to click Threat Categories to see those categories.
Reputation Level Descriptions
Go to https://talosintelligence.com/reputation_center/support and look in the Common Questions section.
URL Filtering Data from the Cisco Cloud
Adding a URL Filtering license automatically enables the URL filtering feature. This allows traffic handling based on a website’s general classification, or category, and risk level, or reputation.
When you enable (or re-enable) URL filtering, the management center queries Cisco for URL data and pushes the dataset to managed devices. Automatic updates of this dataset are enabled by default; we strongly recommend you do not disable these updates.
When users browse the web, the system uses the local dataset for category and reputation information. When users browse to a URL whose category and reputation are not in the local dataset or in a cache of previously accessed websites, by default the system submits it to the cloud for threat intelligence evaluation and adds the result to the cache. (You can disable this cloud lookup; see URL Filtering Options.)
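The lookup order described above, as a simplified Python model. This is an added example, not Cisco code: the class, function, and host names are hypothetical and the data is constructed. In this model, a URL that resolves nowhere while cloud lookup is disabled carries no category, so no category-based rule matches it.

```python
from dataclasses import dataclass, field

UNKNOWN, UNTRUSTED, TRUSTED = 0, 1, 5  # reputation levels named on the page

@dataclass(frozen=True)
class Verdict:
    categories: frozenset
    reputation: int

NO_DATA = Verdict(frozenset(), UNKNOWN)

# Constructed sample data; hosts use the reserved .example TLD.
LOCAL = {"auctions.example": Verdict(frozenset({"Auctions"}), TRUSTED)}
CLOUD = {"new-forum.example": Verdict(frozenset({"Hacking"}), UNTRUSTED)}

@dataclass
class UrlLookup:
    local_dataset: dict               # dataset pushed to the managed device
    cloud: dict                       # stand-in for the cloud lookup service
    cloud_lookup_enabled: bool = True
    cache: dict = field(default_factory=dict)
    cloud_queries: int = 0

    def resolve(self, host):
        """Return (verdict, source): local dataset, then cache, then cloud."""
        if host in self.local_dataset:
            return self.local_dataset[host], "local"
        if host in self.cache:
            return self.cache[host], "cache"
        if not self.cloud_lookup_enabled:
            return NO_DATA, "unresolved"
        self.cloud_queries += 1
        verdict = self.cloud.get(host, NO_DATA)
        self.cache[host] = verdict    # later requests skip the cloud
        return verdict, "cloud"

def rule_blocks(verdict, category, max_reputation, include_unknown=False):
    """True if the URL is in `category` with reputation <= max_reputation.

    include_unknown is this model's own switch (an assumption): level 0 means
    "no data", so it is matched only when the rule asks for it explicitly.
    """
    if category not in verdict.categories:
        return False
    if verdict.reputation == UNKNOWN:
        return include_unknown
    return verdict.reputation <= max_reputation
```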
The set of URL categories may change periodically. When you receive a change notification, review your URL filtering configurations to make sure traffic is handled as expected. For more information, see If the URL Category Set Changes, Take Action.