topic Re: URL Filtering log with action allow in General Topics

URL Filtering log with action allow

aleksandar.astardzhiev — Mon, 23 Jan 2023 10:14:05 GMT

Hi Folks,

It seems my whole life is a lie... Apparently PAN FW will generate URL log for category with action set to allow.

Yep, and the funnier thing is that you don't even need URL filtering profile applied on the rule. Someone may say I am crazy or I don't understand how PAN FWs work, probably both is true...But how would you explain the following:

Quick background we have IPsec VPN between two PAN fw and we manage both. We have decided to create "trust-all" rule on one end the tunnel and have specific rule only on one of the FWs. For that reason on the far end of the tunnel the rule is "allow any, without any security profile". Today something got my attention - you guess it - the rule without security profile was generating URL allow logs

Here is how the logs from both firewall looks like

And here is the rule without any security profile, that is generating URL log with action allow

It seems the cause of this phenomena is the Log Forwarding profile.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/url-filtering-logs

I was not able to find any other reference to this behavior, but I hope someone prove me wrong and provide any other documentation mentioning this behavior of Log Forwarding.

Please tell me I am not the only one who was not aware of this, I am flipping tables around here...

I am now more curious how this works, if no URL filtering profile is applied why FW is inspecting the SNI. For me this sounds like FW is still performing some kind of inspection (event without any security profile, nor decryption rule also), but will do it silently without generating any log. Until you apply log forwarding for all logs...

Re: URL Filtering log with action allow

reaper — Wed, 25 Jan 2023 08:58:11 GMT

Is that rule positioned at the very top of your rulebase? if not, can you try putting it there to see if it still logs URLs?

do you have decryption set up (even no-decrypt) that could be matched?

Re: URL Filtering log with action allow

kat3xx — Wed, 25 Jan 2023 12:23:17 GMT

Perhaps this is a byproduct of a log forwarding profile with a broad filter?

Re: URL Filtering log with action allow

aleksandar.astardzhiev — Fri, 27 Jan 2023 13:45:12 GMT

Hey @reaper ,

- The firewall that is generating the URL allow rule, doesn't have any decryption rule at the moment.

- Matching rule is actually around the bottom, but moving it higher, shouldn't make difference, because the matching source and destination objects are matching only that rule.

Hey @kat3xx ,

Indeed the log forwarding is set to forward any log

But this still doesn't explain why rule with no security profile will generate URL log?