No way to view sites that are set to "Allow"?

L4 Transporter


Is there a way to view sites that are set to "Allow" or are in the "Allow list"? I can see the "Allow list" sites via the Application Command Center, but is there any way to view them in the "Monitor" tab or through reporting?

Re: No way to view sites that are set to "Allow"?

If you are talking about the URL Filter, set them to "Alert" instead of "Allow".

Then they are logged under Monitor - URL Filtering.

Regards

Marco

L4 Transporter

Re: No way to view sites that are set to "Allow"?

TLK Support wrote:

If you are talking about the URL Filter, set them to "Alert" instead of "Allow".

Then they are logged under Monitor - URL Filtering.

Regards

Marco

I've actually tried this, but our SIEM (QRadar) does not like it. It will send all allowed sites to QRadar as an Alert, which ultimately generates a lot of false offenses. Also, that method won't show me sites that I specify in the "allow list sites". I don't understand why we can view allowed sites in the ACC, but not anywhere else.

Community Manager

Re: No way to view sites that are set to "Allow"?

This happens because the "allow" action on URL categories does not create log entries, but the ACC collects information from both logging and the dataplane, so recently accessed allowed sites will have sessions generated and result in an entry in the ACC.

If you want to be able to set sites you currently have in your allow list to "alert", you can create a custom category and add these sites to it; then you will be able to have these sites handled like other categories (allow, alert, block, continue, override).

regards


Help the community: Like helpful comments and mark solutions
Reaper out
L3 Networker

Re: No way to view sites that are set to "Allow"?

Reviving very old post but nowhere else can I find anything similar.

So how does this work?

The rule is that "When a user attempts to access a URL and the URL category needs to be determined, the firewall will compare the URL with the following components until a match has been found:

1. Block list of the matching URL profile

2. Allow list of the matching URL profile

3. Custom categories that have been defined

4. DP URL cache

5. MP URL cache

6. Cloud systems"

If Allow takes precedence over Custom categories, how can you see the allowed sites?

I.e. if I put *.facebook.com and facebook.com in the URL Filtering Allow list, and also add them to a custom URL category called "show_me_allowed", and set the custom Alert Category list to be "Alert", when I browse to Facebook and look at the URL log, I still cannot see it because Allow supersedes Custom.

Theoretically: How do we prove that a user who is allowed to access a site during work hours also accessed (or didn't) the site at other times if we can't see it? We do not use the Palo Alto schedules feature.

Thanks.

L7 Applicator

Re: No way to view sites that are set to "Allow"?

You wouldn't want to put it in both an allow list and an alert custom category.

Instead, remove them from the allow list and make them only exist in the custom URL category for which you have set them to alert. That way when it goes through the #2 on your list, it won't see facebook.com, and will then go to #3, hitting the Alert action on that custom category.

Hope this helps,

Greg
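A small model of the lookup order quoted in this thread and of the fix described in the reply above, as an added example that is not code from any poster or from Palo Alto Networks. The profile layout, the `fnmatch` wildcard matching, the fixed "block" action for the block list, and the single lookup table standing in for steps 4-6 are all simplifying assumptions.

```python
from fnmatch import fnmatch

# Per the thread, "allow" writes no URL Filtering log entry; the other actions do.
LOGGED_ACTIONS = {"alert", "block", "continue", "override"}


def matches(host, patterns):
    # Simplified wildcard matching (assumption), not the firewall's exact rules.
    return any(fnmatch(host, p) for p in patterns)


def evaluate(host, profile):
    """Return (matched_stage, action, logged) using first-match order."""
    if matches(host, profile["block_list"]):            # step 1
        stage, action = "block list", "block"
    elif matches(host, profile["allow_list"]):          # step 2
        stage, action = "allow list", "allow"
    else:
        for name, cat in profile["custom_categories"].items():  # step 3
            if matches(host, cat["sites"]):
                stage, action = f"custom category {name}", cat["action"]
                break
        else:
            # Steps 4-6 (DP cache, MP cache, cloud) collapsed into one
            # constructed lookup table for illustration.
            category = profile["category_lookup"].get(host, "unknown")
            stage = f"category {category}"
            action = profile["category_actions"].get(category, "allow")
    return stage, action, action in LOGGED_ACTIONS


def make_profile(allow_list):
    # Constructed sample profile mirroring the configuration in the thread.
    sites = ["facebook.com", "*.facebook.com"]
    return {
        "block_list": [],
        "allow_list": allow_list,
        "custom_categories": {"show_me_allowed": {"sites": sites, "action": "alert"}},
        "category_lookup": {"www.example.org": "news"},
        "category_actions": {"news": "allow"},
    }


BOTH = make_profile(["facebook.com", "*.facebook.com"])  # allow list + custom category
CUSTOM_ONLY = make_profile([])                           # custom category only

if __name__ == "__main__":
    for label, profile in (("both", BOTH), ("custom only", CUSTOM_ONLY)):
        print(label, evaluate("www.facebook.com", profile))
```

With the sites in both places the match stops at the allow list and nothing is logged; with the allow list entry removed the same request reaches the custom category and its "alert" action produces a log entry.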

L3 Networker

Re: No way to view sites that are set to "Allow"?

I'll try that, thanks!
