No way to view sites that are set to "Allow"?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

No way to view sites that are set to "Allow"?

L4 Transporter

Is there a way to view sites that are set to "Allow" or are in the "Allow list"? I can see the "Allow list" sites via the Application Command Center, but is there any way to view them in the "Monitor" tab or through reporting?

1 accepted solution

Accepted Solutions

this happens because the "allow" action on URL categories does not create log entries, but the ACC collects both information from logging and the dataplane, so recently accessed allowed sites will have sessions generated and result in an entry in the ACC 

if you want to be able to set sites you currently have in your allow list to "alert" you can create a custom category and add these sites to it, then you will be able to have these sites handled like other categories (allow, alert, block, continue, override)

regards

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

6 REPLIES 6

If you are talking about the URL Filter

set them to "Alert" instead of "Allow"

Then they are logged under Monitor - URL Filtering

Regards

Marco

TLK Support wrote:

If you are talking about the URL Filter

set them to "Alert" instead of "Allow"

Then they are logged under Monitor - URL Filtering

Regards

Marco

I've actually tried this, but our SIEM(qradar) does not like it.  It will send all allowed sites to qradar as an Alert, which ultimately generates a lot of false offenses.  Also, that method won't show me sites that I specify in the "allow list sites".  I don't understand why we can view allowed sites in the ACC, but not anywhere else.

this happens because the "allow" action on URL categories does not create log entries, but the ACC collects both information from logging and the dataplane, so recently accessed allowed sites will have sessions generated and result in an entry in the ACC 

if you want to be able to set sites you currently have in your allow list to "alert" you can create a custom category and add these sites to it, then you will be able to have these sites handled like other categories (allow, alert, block, continue, override)

regards

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Reviving very old post but nowhere else can I find anything similar.

So how does this work?

The rule is that "When a user attempts to access a URL and the URL category needs to be determined, the firewall will compare the URL with the following components until a match has been found:

1. Block list of the matching URL profile

2. Allow list of the matching URL profile

3. Custom categories that have been defined

4. DP URL cache

5. MP URL cache

6. Cloud systems"

If Allow takes precedence over Custom categories, how can you see the allowed sites?

i.e. if I put *.facebook.com and facebook.com in the URL Filtering Allow list, and also add them to a custom URL category called "show_me_allowed", and set the custom Alert Category list to be "Alert", when i browse to Facebook and look at the URL log, I still cannot see it because Allow supersedes Custom.

Theoretically: How do we prove that a user who is allowed to access a site during work hours also accessed (or didn't) the site at other times if we can't see it? We do not use the PaloAlto schedules feature.

Thanks.

You wouldn't want to put it in both an allow list and an alert custom category.

Instead, remove them from the allow list and make them only exist in the custom URL category for which you have set them to alert. That way when it goes through the #2 on your list, it won't see facebook.com, and will then got to #3 hitting the Alert action on that custom category.

Hope this helps,

Greg

I'll try that, thanks!

  • 1 accepted solution
  • 3221 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!