Afaik the User Activity Reports only show allowed traffic from the users. I am trying to find the URL from an IP, which I can see the user have been trying to visit, but got denied.
Is there anyway to do so?
The IP is a service from Amazon, and therefor it's not possible for me to make a simple nslookup.
Create a custom report (Monitor -> Manage Custom Reports), set the database to "Detailed Logs (Slower) URL"
In the query builder enter:
( addr.src in ip ) and ( addr.dst in ip ) and (( action neq alert ) or( action neq allow))
This will show you all URL traffic from source IP to destination IP that does not have the action of allow or alert (e.g block-continue or block-url).
Alternatively if you didn't want this in report form simply paste the above filter in the Monitor -> URL Filtering logs
Thank you for the quick response.
I have tried to create the custom report. Unfortunately it shows up empty. If I choose "Traffic Log" instead of "URL Log", there is the data I can also see in the traffic monitor.
Does this mean the firewall does not have the URL logged?
If you enable the column "Rule" for your Traffic Log report, this will show you the corresponding security policy rule that these sessions hit. If you go to said rules, can you confirm any URL filtering profile is attached to the rule? This is a requirement; on top of this, the URL filtering profile should not have the action of "Allow" for the URL category you would like logs for, since Allow action does not log traffic.
So I've checked the rule, and there is a URL filter where everything is set to "Alert". So this shoud be ok.
After some more research I've found out that all packages with Url Category "any" doesn't show up in the URL logs.
So I guess the problem lies here.
The settings in the URL Filtering doesn't have an option to include "any", so it seems like the firewall just ignores this type of packages?
If you have the URL Category set to "any" you are essentially stating you don't care and the firewall acts the same as if they were simply 'allowed' and therefore URL logs are not generated. For troubleshooting purposes I always keep an alert-all type rule so that I can log all the URLs visited if required for a particular user to troubleshoot any issues that they might report. This might be what you want to do here.
I'm not sure what you mean by the URL category being "set". Does this mean I can change URL category for a certain type of traffic, or is it managed by website?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The Live Community thanks you for your participation!