03-07-2022 05:31 AM - edited 03-07-2022 05:37 AM
Hello,
I have turned off alerts on NGFW for Private URL, but I still get threat ID #9999.
Can somebody explain a little bit more what this threat ID means? I am trying to clean it up, but still get these alerts.
And it is not any kind of malicious traffic.
It is usually connected with some internal web-pages.
I can provide more info, if needed.
Lukas
03-08-2022 01:24 AM
Hi @LukasB, the source of the alerts is the NGFW, as you've correctly stated. Threat ID 9999 refers to URL filtering (see here).
Here is a KB that explains the various categories for URL filtering: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC
You can look into the alert details to determine the URL, and take action from there (block etc.), which gets driven by your firewall configurations.
03-11-2022 02:25 AM - edited 03-11-2022 02:29 AM
The thing is that these URLs are benign. See screenshot. It creates an alert for a benign link under threat ID 9999, but according to the documentation -
I cannot understand why I have an alert for a benign link.
On NGFW all URL categories are set for an alert, but in case the URL, etc. is benign, there is no need to create an alert in XDR, right?
03-21-2022 03:00 AM
Hi @LukasB sorry I missed your earlier comments. Please @ whoever commented so that we get a notification as well. I hope you understand.
URLs do occasionally get recategorized for several reasons. If the URL is benign and you are confident of its category, you'll have to raise a URL recategorization request through the standard channels. Please refer to this link here: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/url-filtering/url-category-change.html
Hope this helps. Also, please note that this is a Cortex XDR forum, you should consider posting in the Panorama forums for better traction.
05-31-2023 08:33 AM
I know this is the Cortex XDR forum, but did you ever find a solution for this on your PANOS device? We are seeing the same behavior after some recent upgrades and enabling cloud inline categorization. Palo support referred me to this thread, but the issue is not that the URL category is wrong or blocked - the issue is that PANOS is issuing a flood of “high” severity events with inline categorization verdict of “cloud”, category of “any”, and action as “alert” on what appear to be entirely benign sites whose URL filtering category is explicitly allowed.