topic Re: URL logs missing for Traffic through alert only URL category / profile. in General Topics

URL logs missing for Traffic through alert only URL category / profile.

uduwawalan — Wed, 12 Jun 2024 13:06:26 GMT

Hi All,

Software Version

11.1.2-h3

We have a strange situation: Some URL filtering log entries for valid visits to web sites are missing. The traffic goes through a security rule which has a URL filtering profile with only alert and block categories. We have both Pan-db and Advanced URL filtering licenses.

We can see the traffic in the main traffic log but no corresponding entry in the URL filtering log.

Strangely though, if we create a custom URL category with the web site in question added and then set that to alert in the URL profile then the URL log appears. if you remove it from the custom url category and browse to the web site. URL filtering log doesn't show the relevant entry.

I have come across at least one other community entry on a similar case.

Any help would be welcome. Just waiting for TAC to get involved.

Thanks,

Re: URL logs missing for Traffic through alert only URL category / profile.

JayGolf — Wed, 12 Jun 2024 22:13:18 GMT

Hi @uduwawalan ,

I'm wondering if the websites that aren't populating in the URL filtering logs are properly categorized. If you check https://urlfiltering.paloaltonetworks.com/ and enter the websites that aren't populating. Do they come up with a category that you specified as "alert" within your URL filtering profile?

Re: URL logs missing for Traffic through alert only URL category / profile.

JayGolf — Wed, 12 Jun 2024 22:15:00 GMT

Please share any details you receive from TAC as they might be helpful for future users. Thanks!

Re: URL logs missing for Traffic through alert only URL category / profile.

uduwawalan — Thu, 13 Jun 2024 13:33:15 GMT

Thanks.

Yes they are being categorized as the websites are quite standard ones that we are testing. for example "Marksand spencer.com" or qad.com or oracle.com which are well known web sites and are categorized if you run the command test url "......." in the CLI of the box. It's quite strange.

I just put in a test policy targeting a test workstation with a URL profile that had all categories blocked. That just allowed the traffic through. I could see some entries in the traffic log that said "block-url" but they were not relevant to the web sites I was browsing to.

So I added the these websites to custom category.. They then appeared in the URL log and got blocked but no block message from the Palo box.Just a "site can't be reached" message.

TAC are apparently reviewing the Techsupport file and other info our support company provided.

The term Rome is burning while nero played violin comes to mind.

Not a very pleasant situation to find yourself in.

Re: URL logs missing for Traffic through alert only URL category / profile.

uduwawalan — Tue, 18 Jun 2024 12:59:28 GMT

In the end, no one from TAC contacted us. Our own support provider,observed in the config xml that in case of a few url entries in the url categories, there was a strange set of characters were appended. This set of characters as follows - "&#x200B. Apparently these characters are appended if you inadvertently leave a space at the end of url entry when you add them to url categories when creating customer categories.

So we save a config, exported it out, did a search and replace of all the instances. We then saved the config xml file.Imported the config file and committed the change.

So far all seems fine so far.

I am very disappointed with Palo TAC. this was a case where quick intervention was necessary and we have managed to fix the problem days after, by ourselves largely.

What is point of paying for support when it's not there when you need it?