Threat ID #9999' generated by PAN NGFW


L2 Linker

Hello,


I have turned off alerts on NGFW for Private URL, but I still get threat ID #9999. 


Can somebody explain a little bit more what this threat ID means? I am trying to clean it up, but I still get these alerts.

And it is not any kind of malicious traffic.

It is usually connected with some internal web-pages.


I can provide more info, if needed.

Lukas


Accepted Solutions

L5 Sessionator

Hi @LukasB, the source of the alerts are from NGFW, as you've correctly stated. Threat ID 9999 refers to URL filtering (see here).


Here is a KB that explains the various categories for URL filtering: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC

You can look into the alert details to determine the URL, and take action from there (block etc.), which gets driven by your firewall configurations.


L2 Linker

The thing is that these URLs are benign. See screenshot. It creates an alert for a benign link under threat ID 9999, but according to the documentation:

  • 9999— URL filtering log

I cannot understand why I have an alert for a benign link.


On NGFW all URL categories are set to alert, but in case the URL, etc. is benign, there is no need to create an alert in XDR, right?

L2 Linker

Another example: an alert for the URL of a drug store, but benign. It can be seen that the URL is opened from Outlook.

L5 Sessionator

Hi @LukasB sorry I missed your earlier comments. Please @ whoever commented so that we get a notification as well. I hope you understand. 


URLs do occasionally get recategorized for several reasons. If the URL is benign and you are confident of its category, you'll have to raise a URL recategorization request through the standard channels. Please refer to this link here: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/url-filtering/url-category-change.html

Hope this helps. Also, please note that this is a Cortex XDR forum; you should consider posting in the Panorama forums for better traction.

L1 Bithead

I know this is the Cortex XDR forum, but did you ever find a solution for this on your PANOS device? We are seeing the same behavior after some recent upgrades and enabling cloud inline categorization. Palo support referred me to this thread, but the issue is not that the URL category is wrong or blocked - the issue is that PANOS is issuing a flood of “high” severity events with inline categorization verdict of “cloud”, category of “any”, and action as “alert” on what appear to be entirely benign sites whose URL filtering category is explicitly allowed.
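A triage script for the alert noise described in this thread, added here as an example and not code from Palo Alto Networks or from any poster. It assumes a simplified, constructed log layout (columns receive_time, threat_id, severity, action, category, verdict, url; the real PAN-OS threat log has more fields in a different order) and an assumed set of categories the policy is meant to allow. It groups threat ID 9999 rows whose action is alert by category and inline verdict, so you can see which categories to switch from alert to allow in the URL filtering profile, and lists URLs matching the high-severity cloud-verdict pattern from the last reply.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of URL filtering log rows (threat ID 9999) in a
# simplified column layout chosen for this example; the real PAN-OS threat
# log has many more fields and a different column order.
SAMPLE_LOG = """\
receive_time,threat_id,severity,action,category,verdict,url
2023/05/02 08:01:10,9999,informational,alert,business-and-economy,local,intranet.example.internal/home
2023/05/02 08:01:12,9999,informational,alert,business-and-economy,local,intranet.example.internal/news
2023/05/02 08:02:30,9999,high,alert,any,cloud,pharmacy-shop.example/checkout
2023/05/02 08:03:05,9999,high,alert,any,cloud,pharmacy-shop.example/cart
2023/05/02 08:04:44,9999,informational,alert,shopping,local,pharmacy-shop.example/
2023/05/02 08:05:00,9999,medium,block-url,malware,local,bad.example/payload
2023/05/02 08:06:00,8888,high,reset-both,vulnerability,local,other.example/x
"""

URL_FILTERING_THREAT_ID = "9999"
# Categories the policy is meant to allow silently (assumed for the example):
# alerts on them are noise, removed by setting the category action to "allow".
ALLOWED_CATEGORIES = {"business-and-economy", "shopping"}


def parse_url_filtering_entries(text):
    """Keep only the URL filtering rows, i.e. threat ID 9999."""
    rows = csv.DictReader(StringIO(text))
    return [r for r in rows if r["threat_id"] == URL_FILTERING_THREAT_ID]


def summarize_alert_noise(entries, allowed=ALLOWED_CATEGORIES):
    """Count action=alert rows per (category, verdict) and flag the ones
    whose category is already allowed, so the profile can be tuned."""
    counts = Counter((e["category"], e["verdict"])
                     for e in entries if e["action"] == "alert")
    return {key: {"count": n, "tune_to_allow": key[0] in allowed}
            for key, n in counts.items()}


def high_severity_cloud_alerts(entries):
    """URLs matching the pattern from the last reply: severity high,
    inline verdict cloud, category any, action alert."""
    return sorted({e["url"] for e in entries
                   if (e["severity"], e["verdict"], e["category"], e["action"])
                   == ("high", "cloud", "any", "alert")})
```

Categories flagged tune_to_allow are the ones generating alerts only because the profile action is alert rather than allow; the cloud-verdict URLs are the ones to check for recategorization.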
