Risk-based URL filtering allows admins to inspect host URLs (i.e., to determine threats associated with URLs and block or allow access accordingly). Admins enable Risk-based URL Filtering on an Internet Threat Protection (ITP) policy in the CSE Command Center.
URL exceptions and explicit URL blocks are no longer configured inside Risk-based URL Filtering. They are configured in the consolidated Domain & URL Bypass and Domain & URL Blocking fields on the ITP policy itself. See Manage Internet Threat Protection (ITP) Policies for the current flow. Existing URL Allowlist and Explicit URL Blocking entries were migrated automatically when the consolidated fields shipped.
1.1 Navigate from Internet Access > Internet Threat Protection, and select an existing ITP policy.
1.2 Under the Filtering and Exceptions tab, navigate to URL Filtering.
2.1 Toggle on Risk-based URL Filtering.
Only those URLs which are not already explicitly blocked by Category, Domain, and Application Filtering or enabled Threat Protections will be inspected.
URL bypasses and URL blocks are configured on the parent ITP policy in the consolidated Domain & URL Bypass and Domain & URL Blocking fields, not inside Risk-based URL Filtering. SSL decryption must be on for URL entries to be enforced.
Bypasses are processed before any block rule, including Risk-based URL Filtering. See How ITP rules are processed for the full evaluation order.