Threat ID #9999' generated by PAN NGFW

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Threat ID #9999' generated by PAN NGFW

L1 Bithead

Hello,

 

I have turned off alerts on NGFW for Private URL, but I still get threat ID #9999. 

 

Can somebody a little bit more explain what this threat ID means? I am trying to clean it up, but still get these alerts.

And it is not any kind of malicious traffic.

It is usually connected with some internal web-pages.

 

I can provide more info, if needed.

Lukas

1 ACCEPTED SOLUTION

Accepted Solutions

L5 Sessionator

Hi @LukasB, the source of the alerts are from NGFW, as you've correctly stated. Threat ID 9999 refers to URL filtering (see here).

 

Here is a KB that explains the various categories for URL filtering: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC

You can look into the alert details to determine the URL, and take action from there (block etc.), which gets driven by your firewall configurations.

View solution in original post

4 REPLIES 4

L5 Sessionator

Hi @LukasB, the source of the alerts are from NGFW, as you've correctly stated. Threat ID 9999 refers to URL filtering (see here).

 

Here is a KB that explains the various categories for URL filtering: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC

You can look into the alert details to determine the URL, and take action from there (block etc.), which gets driven by your firewall configurations.

L1 Bithead

The thing is that these URL are benign. See screenshot. It creates an alert for a benign link under threat ID 9999, but according to the documentation - 

  • 9999— URL filtering log

I cannot understand, why I have a alert for a benign link.

 

On NGFW all URL categories are set for an alert, but in case that URL, etc,.. is benign, there is no need to create an alert in XDR, right?

L1 Bithead

another example - alert for an URL of drug store, but benign. can be seen that the URL is opened from Outlook.

 

 

L5 Sessionator

Hi @LukasB sorry I missed your earlier comments. Please @ whoever commented so that we get a notification as well. I hope you understand. 

 

URL's do occasionally get recategorized for several reasons. If the URL is benign and you are confident of its category, you'll have to raise a URL recategorization request through the standard channels. Please refer to this link here: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/url-filtering/url-category-change.html

Hope this helps.  Also, please note that this is a Cortex XDR forum, you should consider posting in the Panorama forums for better traction.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!