topic Re: No way to view sites that are set to "Allow"? in General Topics

No way to view sites that are set to "Allow"?

jambulo — Thu, 31 Mar 2011 15:35:17 GMT

Is there a way to view sites that are set to "Allow" or are in the "Allow list"? I can see the "Allow list" sites via the Application Command Center, but is there any way to view them in the "Monitor" tab or through reporting?

Re: No way to view sites that are set to "Allow"?

ExclusiveNetworksGermany — Thu, 31 Mar 2011 15:40:59 GMT

If you are talking about the URL Filter

set them to "Alert" instead of "Allow"

Then they are logged under Monitor - URL Filtering

Regards

Marco

Re: No way to view sites that are set to "Allow"?

jambulo — Thu, 31 Mar 2011 16:39:15 GMT

TLK Support wrote:

If you are talking about the URL Filter

set them to "Alert" instead of "Allow"

Then they are logged under Monitor - URL Filtering

Regards

Marco

I've actually tried this, but our SIEM(qradar) does not like it. It will send all allowed sites to qradar as an Alert, which ultimately generates a lot of false offenses. Also, that method won't show me sites that I specify in the "allow list sites". I don't understand why we can view allowed sites in the ACC, but not anywhere else.

Re: No way to view sites that are set to "Allow"?

reaper — Fri, 01 Apr 2011 09:55:27 GMT

this happens because the "allow" action on URL categories does not create log entries, but the ACC collects both information from logging and the dataplane, so recently accessed allowed sites will have sessions generated and result in an entry in the ACC

if you want to be able to set sites you currently have in your allow list to "alert" you can create a custom category and add these sites to it, then you will be able to have these sites handled like other categories (allow, alert, block, continue, override)

regards

Re: No way to view sites that are set to "Allow"?

hvcomputech — Fri, 10 Jan 2014 20:29:33 GMT

Reviving very old post but nowhere else can I find anything similar.

So how does this work?

The rule is that "When a user attempts to access a URL and the URL category needs to be determined, the firewall will compare the URL with the following components until a match has been found:

1. Block list of the matching URL profile

2. Allow list of the matching URL profile

3. Custom categories that have been defined

4. DP URL cache

5. MP URL cache

6. Cloud systems"

If Allow takes precedence over Custom categories, how can you see the allowed sites?

i.e. if I put *.facebook.com and facebook.com in the URL Filtering Allow list, and also add them to a custom URL category called "show_me_allowed", and set the custom Alert Category list to be "Alert", when i browse to Facebook and look at the URL log, I still cannot see it because Allow supersedes Custom.

Theoretically: How do we prove that a user who is allowed to access a site during work hours also accessed (or didn't) the site at other times if we can't see it? We do not use the PaloAlto schedules feature.

Thanks.

Re: No way to view sites that are set to "Allow"?

gwesson — Fri, 10 Jan 2014 20:47:42 GMT

You wouldn't want to put it in both an allow list and an alert custom category.

Instead, remove them from the allow list and make them only exist in the custom URL category for which you have set them to alert. That way when it goes through the #2 on your list, it won't see facebook.com, and will then got to #3 hitting the Alert action on that custom category.

Hope this helps,

Greg

Re: No way to view sites that are set to "Allow"?

hvcomputech — Mon, 13 Jan 2014 15:13:34 GMT

I'll try that, thanks!