PaloAltoNetworks · adambaumeister · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025
diff --git a/docs/user_guide/define_url_category.png b/docs/user_guide/define_url_category.png
diff --git a/docs/user_guide/define_url_security_rule.png b/docs/user_guide/define_url_security_rule.png
diff --git a/docs/user_guide/preset_policy.md b/docs/user_guide/preset_policy.md
@@ -99,11 +99,15 @@ directory, but you can put it whever makes sense for your environment.
   ansible.builtin.set_fact:
     policy_match: true # Set the fact that we did match a policy
     source_address_group: PRESET_JUMPHOST_INBOUND_SOURCE # In this case, the policy preset is an address_group type
+    destination_address_group: PRESET_JUMPHOST_INBOUND_DESTINATION # In this case, the policy preset is an address_group type
     application_group: PRESET_JUMPHOST_APPS # If an application is passed, we should also include it in the policy.
     device_group: Lab # Finally, we set the device group!
   when:
+    - source_ip is defined
+    - destination_ip is defined
     - "'10.10.11.0/24' | ansible.utils.network_in_network( destination_ip )"
     - "not '10.0.0.0/8' | ansible.utils.network_in_network( source_ip )"
+
 ```
 
 ### Including the policy

diff --git a/docs/user_guide/preset_policy_urls.md b/docs/user_guide/preset_policy_urls.md
@@ -0,0 +1,68 @@
+# Preset Policy - URL lists
+
+Preset policy can also be based on URL lists based instead of IP. This is very useful when dealing with outbound user
+access to internet websites.
+
+## Building a Sanctioned URL List-based policy
+
+For URL category based policy, most of the time a "sanctioned" policy is simply based on the requesting user.
+
+So your policy may look like this:
+
+source user group | destination website 
+--- |---------------------|
+Human Resources | www.facebook.com 
+
+!!! note
+    This automation does not resolve users to user-groups. That's up to you.
+
+## Creating the URL List
+
+Create the URL Category as a URL list in Panorama.
+
+![img.png](define_url_category.png)
+
+## Defining the preset security rule
+
+Now, create a new security rule that references the created URL category.
+
+It's up to you how much you "lock down" this policy. You could use specific applications, IPs, ports...whatever makes
+sense for your environment. 
+
+![img.png](define_url_security_rule.png)
+
+## Create a Policy Tasks File
+
+(for more information on this, see [creating a policy tasks file](preset_policy.md#create-a-policy-tasks-file))
+
+```yaml title="user_outbound_policy.yml"
+---
+- name: Match Users Internet Policy
+  ansible.builtin.set_fact:
+    policy_match: true # Set the fact that we did match a policy
+    destination_url_category: PRESET_USER_OUTBOUND_URLS # In this case, the policy preset is a URL Category type
+    device_group: Lab # Finally, we set the device group!
+  when:
+    - "source_user_group == 'Human Resources'"
+    - url is defined
+```
+
+## Including the policy
+
+(for more information on this, see [including your sanctioned policy](preset_policy.md#including-the-policy))
+
+```yaml title="add_policy.yml"
+# Outbound User access to websites
+- name: Test against outbound user access
+  ansible.builtin.include_tasks:
+    file: preset/user_outbound_policy.yml
+```
+
+## Running the playbook
+
+Note that nothing changes from the point of execution. You still run the same playbook, and as long as you're including
+`add_policy.yml`, any policies that define a destination_url_category will correctly update the category.
+
+```shell
+ansible-playbook playbooks/orchestrator/lab_policy.yml
+```
diff --git a/example_vars_file_add_url_to_preset.yml b/example_vars_file_add_url_to_preset.yml
@@ -0,0 +1,2 @@
+source_user: johnwick
+url: 'www.facebook.com'
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -43,6 +43,7 @@ nav:
   - User Guide:
       - Introduction: user_guide/introduction.md
       - Preset Policy: user_guide/preset_policy.md
+      - Preset URL Lists: user_guide/preset_policy_urls.md
       - New Policy Creation: user_guide/new_policy_creation.md
       - Testing Security Policies: user_guide/policy_lookup.md
   - Reference:

diff --git a/playbooks/orchestrator/add_policy.yml b/playbooks/orchestrator/add_policy.yml
@@ -22,6 +22,11 @@
   ansible.builtin.include_tasks:
     file: preset/ssh_jumpserver_inbound_access.yml
 
+# Outbound User access to websites
+- name: Test against outbound user access
+  ansible.builtin.include_tasks:
+    file: preset/user_outbound_policy.yml
+
 # --- END PRESET POLICY SECTION ---
 
 - name: Policy Creation Block
@@ -51,6 +56,12 @@
         - application_group is defined
         - application is defined
 
+    - name: URL CATEGORY  PRESET - Deploy the URL to the given category based on the preset configuration
+      ansible.builtin.include_tasks:
+        file: preset/add_url_to_preset_category.yml
+      when:
+        - destination_url_category is defined
+
     - name: Update that the config has changed
       ansible.builtin.set_fact:
         config_changed: true
@@ -60,6 +71,7 @@
 # --- Custom Section ---
 # This section of tasks will attempt to create new security policies by caluclating as many values as possible
 # Rules that are created here will always be grouped by TAG.
+# For this to run it requires at least source ip, destination IP and an application to be given.
 
 - name: RULE CREATION BLOCK - Triggers when no preset rules match
   block:
@@ -77,6 +89,9 @@
 
   when:
     - not policy_match
+    - source_ip
+    - destination_ip
+    - application
 
 
 - name: Commit Block - Triggers on any change
@@ -99,11 +114,16 @@
           - "{{ provider.username }}"
   when: config_changed
 
-- name: Test the new policy, if one was added
-  ansible.builtin.include_tasks:
-    file: new/lookup_policy.yml
-  when: config_changed
+- name: Test the changes, if there were changes
+  block:
+    - name: Test the new policy, if one was added
+      ansible.builtin.include_tasks:
+        file: new/lookup_policy.yml
 
-- name: Print the results
-  ansible.builtin.debug:
-    msg: '{{ matches_existing_policy }}'
+    - name: Print the results
+      ansible.builtin.debug:
+        msg: '{{ matches_existing_policy }}'
+  when:
+    - config_changed
+    - source_ip is defined
+    - destination_ip is defined
diff --git a/playbooks/orchestrator/lab_policy.yml b/playbooks/orchestrator/lab_policy.yml
@@ -11,19 +11,6 @@
       password: "{{ lookup('env', 'PAN_PASSWORD') }}"
     policy_match: false
 
-  vars_prompt:
-    - name: source_ip
-      prompt: SIP for policy. Must be an IP address, does not support FQDN.
-      private: false
-
-    - name: destination_ip
-      prompt: DIP for policy. Must be an IP address, does not support FQDN.
-      private: false
-
-    - name: application
-      prompt: Application for policy. Must be a valid PAN-OS application.
-      private: false
-
   tasks:
     - name: Test against Webserver outbound policy
       ansible.builtin.include_tasks:

diff --git a/playbooks/orchestrator/preset/add_url_to_preset_category.yml b/playbooks/orchestrator/preset/add_url_to_preset_category.yml
@@ -0,0 +1,21 @@
+---
+# Tasks file which adds one (or more) URLs to the given URL category.
+
+- name: Get existing URL CATEGORY objects
+  paloaltonetworks.panos.panos_custom_url_category:
+    provider: "{{ provider }}"
+    device_group: "{{ device_group }}"
+    name: "{{ destination_url_category }}"
+    state: gathered
+  register: existing_group
+
+- name: Add URL to preset URL LIST
+  paloaltonetworks.panos.panos_custom_url_category:
+    provider: "{{ provider }}"
+    device_group: "{{ device_group }}"
+    name: "{{ destination_url_category }}"
+    url_value: "{{ [url] + existing_group.gathered.url_value }}"
+    state: present
+  register: group_addition
+  when:
+    - existing_group.gathered.type == 'URL List'
diff --git a/playbooks/orchestrator/preset/ssh_jumpserver_inbound_access.yml b/playbooks/orchestrator/preset/ssh_jumpserver_inbound_access.yml
@@ -9,5 +9,7 @@
     application_group: PRESET_JUMPHOST_APPS # If an application is passed, we should also include it in the policy.
     device_group: Lab # Finally, we set the device group!
   when:
+    - source_ip is defined
+    - destination_ip is defined
     - "'10.10.11.0/24' | ansible.utils.network_in_network( destination_ip )"
     - "not '10.0.0.0/8' | ansible.utils.network_in_network( source_ip )"
diff --git a/playbooks/orchestrator/preset/user_outbound_policy.yml b/playbooks/orchestrator/preset/user_outbound_policy.yml
@@ -0,0 +1,13 @@
+---
+# This is the Webservers outbound policy. The purpose of these tasks is to take incoming requests and see if they
+# match this policy, returning the preset address group that they can be added to when a policy change is required.
+# Webservers should be allowed to talk to any host on the internet, so we can disregard the destination IP!
+
+- name: Match Users Internet Policy
+  ansible.builtin.set_fact:
+    policy_match: true # Set the fact that we did match a policy
+    destination_url_category: PRESET_USER_OUTBOUND_URLS # In this case, the policy preset is an address_group type
+    device_group: Lab # Finally, we set the device group!
+  when:
+    - "source_ip is defined or source_user is defined"
+    - url is defined
diff --git a/playbooks/orchestrator/preset/webservers_outbound_policy.yml b/playbooks/orchestrator/preset/webservers_outbound_policy.yml
@@ -10,5 +10,7 @@
     application_group: PRESET_LAB_WEB_OUTBOUND # If an application is passed, we should also include it in the policy.
     device_group: Lab # Finally, we set the device group!
   when:
+    - source_ip is defined
+    - destination_ip is defined
     - "'10.10.10.0/24' | ansible.utils.network_in_network( source_ip )"
     - "not '10.0.0.0/8' | ansible.utils.network_in_network( destination_ip )"