https://live.paloaltonetworks.com/t5/next-generation-firewall/need-clarification-on-url-filtering-logs/m-p/583898#M2997 <P>correct</P> <P>the log is generated from the url decoder action, which is only triggered if you let the 'base' traffic (tcp connection) pass which is achieved by setting the security rule to allow</P> <P>Advantage of this approach is also that users will receive a nice block page in their browser versus a failed connection with no context</P> Tue, 16 Apr 2024 13:54:28 GMT reaper 2024-04-16T13:54:28Z https://live.paloaltonetworks.com/t5/next-generation-firewall/need-clarification-on-url-filtering-logs/m-p/583829#M2990 <P>Hi everyone,</P> <P>Please help me get through this.</P> <P>We have configured PA-450 firewall and everything is working fine as expected.<BR />But, We have used the option URL category in the security policy without an URL filtering profile for all user group. Which is working fine but I cant see any URL user activity report.<BR />But we need block URL summary report.</P> <P>Then I found out that we need block or alert action in order to get URL logs.</P> <P>Current Scenario<BR />=================<BR />(Its not the real configuration setup from the firewall, just a prototype)</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Arun_R_0-1713249886072.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59090iFDCFB0B2CC2279CB/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Arun_R_0-1713249886072.png" alt="Arun_R_0-1713249886072.png" /></span></P> <P>The above screenshot is the current scenario of the security policies which has URL category directly mapped in polices.<BR />There are no Block URL user activity report generated.</P> <P>&nbsp;</P> <P>Please observe the below workaround.</P> <P>Workaround<BR />============</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Arun_R_1-1713250275858.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59091i578F2F343F833E31/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Arun_R_1-1713250275858.png" alt="Arun_R_1-1713250275858.png" /></span></P> <P>Please observe the above screenshot.<BR />Above we have all the URL category mapped allow policies which generates no logs.<BR />What if I create a security policy with a URL profile which blocks all the category at the bottom.</P> <P>All the allowed traffic will hit on the above rules for all user groups and other traffics will hit on the bottom block rule and generates the Block URL user activity summary ... right ?</P> <P>Please correct me if I am wrong.</P> <P>NOTE: We don't want to use URL Filtering Profile. Instead we need the carry on with current scenario.</P> <P>Please help me with this doubt.</P> <P>&nbsp;</P> <P>Thanks in advance <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 16 Apr 2024 06:51:33 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/need-clarification-on-url-filtering-logs/m-p/583829#M2990 Arun_R 2024-04-16T06:51:33Z https://live.paloaltonetworks.com/t5/next-generation-firewall/need-clarification-on-url-filtering-logs/m-p/583841#M2993 <P>you'll need to set that 'block all' rule to <STRONG>allow</STRONG> since a deny rule will not put packets into l7 for inspection, so you wont hit the url filtering block action, and get no logs</P> <P>&nbsp;</P> <P>Dare i ask why you're not using url filtering to allow url categories? <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 16 Apr 2024 07:38:47 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/need-clarification-on-url-filtering-logs/m-p/583841#M2993 reaper 2024-04-16T07:38:47Z https://live.paloaltonetworks.com/t5/next-generation-firewall/need-clarification-on-url-filtering-logs/m-p/583864#M2994 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;</P> <P>&nbsp;</P> <P>Thank you for your reply,</P> <P>&nbsp;</P> <P>So if we configure the last Block Rule and set all the predefined URL category to "Block" and rule as "Allow"</P> <P>&nbsp;</P> <P>We will get the URL user activity summary right ?</P> Tue, 16 Apr 2024 08:58:36 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/need-clarification-on-url-filtering-logs/m-p/583864#M2994 Arun_R 2024-04-16T08:58:36Z https://live.paloaltonetworks.com/t5/next-generation-firewall/need-clarification-on-url-filtering-logs/m-p/583898#M2997 <P>correct</P> <P>the log is generated from the url decoder action, which is only triggered if you let the 'base' traffic (tcp connection) pass which is achieved by setting the security rule to allow</P> <P>Advantage of this approach is also that users will receive a nice block page in their browser versus a failed connection with no context</P> Tue, 16 Apr 2024 13:54:28 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/need-clarification-on-url-filtering-logs/m-p/583898#M2997 reaper 2024-04-16T13:54:28Z