topic Re: About vulnerability protection and url filter action in Advanced Threat Prevention Discussions

About vulnerability protection and url filter action

t-katsuki — Mon, 18 Jan 2021 09:25:01 GMT

I set medium to drop in the vulnerability protection profile, 
but when I check the log, Severity is medium, but action is alert. Why not drop? 
If you check the verbose log, the type is url and action is alert. Severity is informational. 
In this case, isn't url processing prioritized and not dropped?

Re: About vulnerability protection and url filter action

SutareMayur — Mon, 18 Jan 2021 09:40:38 GMT

Hi @t-katsuki ,

First where are you looking for the logs, i mean under Threat or URL filtering section? If you want to see vulnerability protection profile related logs, please check under threat logs tab. Also before checking logs under said tab, you need to have that profile to be mapped to the security policy which is allowing the traffic. Unless you have VP profile attached to the security policy, it wont come into picture while processing the traffic.

Re: About vulnerability protection and url filter action

reaper — Mon, 18 Jan 2021 09:51:48 GMT

there is a distinct diffeentce between vulnerability logs and url logs

an url log will always be severity informational, the action will depend on what the category action is set to, so might be alert (url allowed), block-ur, continue, ...

as you can see in the example below, there are 3 logs ssociated to a single session and all have a different severity and action

the traffic log in green is a simple allow rule, no severity. this is because the session was allowed intitially by the security policy

the url filtering log in red is informational and alert, because url logs are always informational, and the url category was allowed in the url filtering profile

the vulnerability profile in purple is critical and reset-both, because a vulnerability was found once the http connection started going and payload was transferred that contained something bad

Re: About vulnerability protection and url filter action

t-katsuki — Tue, 19 Jan 2021 01:21:28 GMT

ありがとうございます。

セキュリティポリシーにセキュリティプロファイルが適用されているかどうかの確認は最も必要な点だと思います。脅威ログから該当の通信がセキュリティポリシーにヒットし、そのセキュリティポリシーにmedium drop の脆弱性防御カスタムプロファイルが適用されていることを確認できました。

Re: About vulnerability protection and url filter action

t-katsuki — Tue, 19 Jan 2021 01:29:28 GMT

Thank you very much. For the logs you send, if you set the vulnerability defense profile to drop severity critical Will action be drop?