
Add a category

Sophos Firewall normally categorizes a URL into a single category. You can create additional categories so that a URL is categorized in the new category in addition to the default category. You can then use the category in various policies. Logs and reports show the category used in the policy decision, so the website may appear in different categories at different times.

Note

If you only match the domains without a path, consider using URL groups instead. URL groups have better performance and are less likely to generate false positives. See URL groups.

To add a web category, do as follows:

  1. Go to Web > Categories and click Add.
  2. Enter a name.
  3. Select a classification.
  4. Select a traffic shaping policy, or leave it as None.
  5. Select a configuration type, or leave it as Local.
  6. Specify domains and keywords.

    You can type a domain or keyword in the Search/Add text box and click Add.

    You can optionally click Browse and select a file to fill in the list immediately.

    Domain

    The firewall checks domain entries against the domain name in the URL. Domain entries automatically include subdomains. Entries must be domain names; however, they can include paths and query strings.

    Examples

    google.com

    google.com/maps

    google.com/search?q=cat

    youtube.com/watch?v=xxxxxx

    Keyword

    The firewall checks the keywords against the entire URL, including domain, path, and query.

    Examples

    google

    watch?v=xxxxxxxxxxx

    Warning

    Keyword checks are less efficient because URLs can be very long. Because keywords also match against query parameters, users can deliberately force a match and cause false positives. We recommend that categories using keywords are used only in policy rules that block, rather than in rules that allow.

    For example, an administrator wants to allow www.google.com and block www.facebook.com, which is categorized as Social Networking. The administrator creates a category named Allowed_Sites_for_Sales using the keyword google and allows this category in a policy.

    The following happens:

    • A user goes to www.google.com. The firewall categorizes the URL as Allowed_Sites_for_Sales and allows it.
    • A user goes to www.facebook.com. The firewall categorizes the URL as Social Networking and blocks it.
    • A user goes to www.facebook.com?letmeinanyway=google. The firewall categorizes the URL as Allowed_Sites_for_Sales and allows it.

    The example shows that users can bypass a policy that's set to allow when the allowed category is defined by keywords.

  7. Specify the advanced settings.

    Setting: Override default notification page

    Description: Show the specified message to the user when a website is blocked because of this category, instead of the default message.

    You can use the following HTML codes to customize your message:

    {category}: Shows the blocked URL's category.

    {user}: Shows the username.

    {url}: Shows the blocked URL.

  8. Click Save.
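The keyword bypass described in step 6 can be reproduced with a small model of the matching rules this page describes. This is an added example, not Sophos code; it assumes domain entries match the host and its subdomains (and, when the entry has a path or query, that the URL's path or query starts with it), that keywords match anywhere in the full URL, and that policy rules are checked in order with the first matching category winning. It also shows the hardened variant, in which the same category is defined by a domain entry instead of a keyword.

```python
# Added example (not Sophos code): model of domain vs keyword matching and the
# resulting policy decision, to show why keywords belong only in block rules.
# Assumed semantics are noted on each function; they are not taken from the page.
from urllib.parse import urlsplit

def _split(url):
    # Entries and URLs on this page carry no scheme; add one so urlsplit finds the host.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/", parts.query

def domain_matches(entry, url):
    # Assumed: host equal to, or a subdomain of, the entry; path/query must start
    # with the entry's path/query when the entry specifies them.
    e_host, e_path, e_query = _split(entry)
    u_host, u_path, u_query = _split(url)
    if u_host != e_host and not u_host.endswith("." + e_host):
        return False
    if e_path != "/" and not u_path.startswith(e_path):
        return False
    return not e_query or u_query.startswith(e_query)

def keyword_matches(keyword, url):
    # Keywords are checked against the whole URL: domain, path and query.
    return keyword.lower() in url.lower()

# Constructed stand-in for the firewall's built-in category database.
DEFAULT_DB = {"facebook.com": "Social Networking"}

def categorize(url, custom):
    """Built-in category plus every custom category whose entries match."""
    hits = [cat for dom, cat in DEFAULT_DB.items() if domain_matches(dom, url)]
    for name, entries in custom.items():
        if any(domain_matches(d, url) for d in entries.get("domains", ())) \
           or any(keyword_matches(k, url) for k in entries.get("keywords", ())):
            hits.append(name)
    return hits

def decide(url, custom, rules):
    """rules: ordered (category, action) pairs; the first rule whose category matches wins."""
    hits = categorize(url, custom)
    for category, action in rules:
        if category in hits:
            return action
    return "allow"  # assumed default action when no rule matches

RULES = [("Allowed_Sites_for_Sales", "allow"), ("Social Networking", "block")]
KEYWORD_CATEGORY = {"Allowed_Sites_for_Sales": {"keywords": ["google"]}}   # as on this page
DOMAIN_CATEGORY = {"Allowed_Sites_for_Sales": {"domains": ["google.com"]}}  # hardened variant

if __name__ == "__main__":
    for url in ["www.google.com", "www.facebook.com", "www.facebook.com?letmeinanyway=google"]:
        print(f"{url:42} keyword: {decide(url, KEYWORD_CATEGORY, RULES):5} domain: {decide(url, DOMAIN_CATEGORY, RULES)}")
```

The third URL is allowed under the keyword definition but blocked under the domain definition, which is why an allow category should be built from domain entries (or a URL group) rather than keywords.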

Using an external URL database

If you specify an External URL database, the firewall checks for updates to the list every 48 hours. You can't change the interval.

To use external URL databases, type a URL in the Search/Add text box and click Add.

Only HTTP and FTP are supported, and authentication isn't supported.

Note

If you're using an external source of websites to block, such as a public domain block list, consider using Third-party threat feeds instead. See Third-party threat feeds.

File formats

The following are the file format requirements:

  • For Local uploads, only text and comma-separated value (CSV) files are supported.
  • The text file format is one entry per line and has a file extension of .txt.
  • The CSV file format must have all entries on one line, separated by commas, and has a file extension of .csv.
  • External URL database supports text, CSV, and the archive file formats .tar, .gz, and .bz2. Archive files must contain text files.
  • Invalid entries are ignored or discarded regardless of the entry method used. Invalid entries include the following:

    • Entries with a protocol. For example, http://.
    • Entries that contain invalid characters.
    • Domain entries that don't match the URL specification.
    • Empty lines.
  • The local database supports up to 2000 domain and keyword entries. If you upload a file containing more than 2000 entries, only the first 2000 entries are imported.

  • The maximum number of entries in an external database is unlimited. However, the number of cached entries for URL categorization varies depending on the firewall appliance's RAM. Most appliances with more than 4 GB of RAM can cache up to 122,880 entries. You can find the exact number for your appliance in the /log/nSXLd.log file.