topic Re: Bottom most Explicit deny all policy not capturing URLs for Url filtering logs. in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/bottom-most-explicit-deny-all-policy-not-capturing-urls-for-url/m-p/1229624#M5918 <P>Just apply URL filtering profile to your outgoing rule where categories you want to permit are set to "alert" and those you don't want to permit are set to "block".</P> <P>Then you see blocked URL categories matching your general outgoing rule.</P> Wed, 21 May 2025 13:09:26 GMT Raido_Rattameister 2025-05-21T13:09:26Z Bottom most Explicit deny all policy not capturing URLs for Url filtering logs. https://live.paloaltonetworks.com/t5/next-generation-firewall/bottom-most-explicit-deny-all-policy-not-capturing-urls-for-url/m-p/1229613#M5915 <P>So we have a URL filtering profile, which when enabled i can see URL filtering logs for a any any test policy, however there is a Deny All policy we created at the bottom most in policy, I have enabled URL filtering profile for that rule. I am seeing normal network traffic but not any log under Monitor &gt; URL filtering. <BR /><BR />Yes we do have URL filtering license, just so you now its working for a test rule where its allowed for any to any and we applied url filtering profile.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JubairJunaid_1-1747822277018.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/67698i3A47222B70BDCDD6/image-size/medium?v=v2&amp;px=400" role="button" title="JubairJunaid_1-1747822277018.png" alt="JubairJunaid_1-1747822277018.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JubairJunaid_0-1747822063272.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/67696iA2947E6665C66BD7/image-size/medium?v=v2&amp;px=400" role="button" title="JubairJunaid_0-1747822063272.png" alt="JubairJunaid_0-1747822063272.png" /></span></P> <P>&nbsp;</P> <P>Please advice how i can see the denied URL logs. Thanks</P> <P>&nbsp;</P> Wed, 21 May 2025 10:13:14 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/bottom-most-explicit-deny-all-policy-not-capturing-urls-for-url/m-p/1229613#M5915 JubairJunaid 2025-05-21T10:13:14Z Re: Bottom most Explicit deny all policy not capturing URLs for Url filtering logs. https://live.paloaltonetworks.com/t5/next-generation-firewall/bottom-most-explicit-deny-all-policy-not-capturing-urls-for-url/m-p/1229623#M5917 <P>As Palo is dropping packets matching drop/deny rule it can't perform deep packet inspection for this traffic so you can as well not apply security profiles to this policy - they won't be used anyway.</P> Wed, 21 May 2025 13:05:30 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/bottom-most-explicit-deny-all-policy-not-capturing-urls-for-url/m-p/1229623#M5917 Raido_Rattameister 2025-05-21T13:05:30Z Re: Bottom most Explicit deny all policy not capturing URLs for Url filtering logs. https://live.paloaltonetworks.com/t5/next-generation-firewall/bottom-most-explicit-deny-all-policy-not-capturing-urls-for-url/m-p/1229624#M5918 <P>Just apply URL filtering profile to your outgoing rule where categories you want to permit are set to "alert" and those you don't want to permit are set to "block".</P> <P>Then you see blocked URL categories matching your general outgoing rule.</P> Wed, 21 May 2025 13:09:26 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/bottom-most-explicit-deny-all-policy-not-capturing-urls-for-url/m-p/1229624#M5918 Raido_Rattameister 2025-05-21T13:09:26Z Re: Bottom most Explicit deny all policy not capturing URLs for Url filtering logs. https://live.paloaltonetworks.com/t5/next-generation-firewall/bottom-most-explicit-deny-all-policy-not-capturing-urls-for-url/m-p/1229752#M5922 <P>It's important to consider a web browsing session is handled by 2 different 'layers' in the palo alto firewall</P> <P>first, your security rule will allow or deny a session to flow based on the 6-tuple (source/destination zone, IP, port, protocol). The security rule only looks at basic IP information</P> <P>Then, a rule can be instructed to also perform layer7 (deep packet) inspection. This causes the firewall to inspect the traffic at a different level and look at, for example, which URL is being requested inside the flow</P> <P>The URL filtering profile will then determine if a connection is allowed (allow or alert action) or denied (block action) for that specific URL</P> <P>&nbsp;</P> <P>this results in any web browsing session to have 2 verdicts: allow for the 'traffic' (layer3/4) and alert/block for the content (layer7)</P> <P>&nbsp;</P> <P>To build a good web browsing policy, you should make a rule that allows traffic from trust to untrust, and has a url filtering profile that is configured to allow and block certain URL categories</P> <P>In your traffic log this rule will always be 'allow', in your url filtering log this rule will sometimes be 'alert' and sometimes 'block'</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>by default any security rule that is set to deny or drop, will discard a session at a very early stage (oftentimes already discarding the SYN packet) so there is no layer7 inspection performed on these sessions</P> Thu, 22 May 2025 07:57:50 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/bottom-most-explicit-deny-all-policy-not-capturing-urls-for-url/m-p/1229752#M5922 reaper 2025-05-22T07:57:50Z