For details on cookie usage on our site, read our Privacy Policy
Custom URL Category in security rule - traffic log shows allowed with "any" in URL Category field
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Custom URL Category in security rule - traffic log shows allowed with "any" in URL Category field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Custom URL Category in security rule - traffic log shows allowed with "any" in URL Category field
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-16-2017 08:21 AM
I've read the articles about the processes that take place when analyzing traffic and understand that sometimes there could be an allow status when it seems there shouldn't be. However it also seems that if the traffic truly shouldn't be allowed there would be an associated log entry with some kind of denial.
In my case there is no associated denial and I'm would still like to know why this traffic seems to be allowed when apparently not matching my Custom URL Category.
Forgive me if I'm still just misunderstanding something about this.
Thanks.
Here's what I'm seeing in my logs:
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-16-2017 11:25 PM
It is possible to configure the url profile without a license and apply it to a policy ... but did yoz really get url logs?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-18-2017 10:54 AM
Sorry for the delay in responding but I've been tied up with other things.
Also I will not be able to work on this for the next week.
When I can get back to this I will look at some of the things you've mentioned.
However in regard to your comment:
"What is likely happening is that the firewall allows the TCP/80 traffic, even identifies it as web-browsing, and then it attempts to match that traffic with your permit rules. If it matches, great. If not, it stops. The trick question is, how should the firewall log the traffic? Should it log the traffic as being denied (when some portion went through?)"
I would think that if the firewall is going to log this traffic as allowed because it got part way through the process, it should also have a denied entry when it determines that something about the rule (in my case the URL Category) prevents it. It seems like this isn't happening and maybe that's just the way it works, however I find this confusing.
Thanks very much for your insight.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-11-2017 10:33 AM
So @vsys_remo and @jvalentine, in betwen my other priorities I have been researching this issue with my limited knowledge and understanding.
I have discovered that in 60% of the cases the destination IP Address allowed that shows "any" for URL Category in the logs has been also been allowed sometimes with the correct URL Category showing. I'm not sure why this is and am at a loss to explain the remaining 40% that never show the correct URL Category.
At this point I am willing to accept this behavior but will continue to monitor.
Thanks for your time on this.
- Log Forwarding - multiple instances of same catgory? in General Topics
- EDL and Custom URL in Next-Generation Firewall Discussions
- Double NAT return packet dropping in firewall in General Topics
- Session end reason=resources-unavailable, version 8.1.15.h3 in General Topics
- Questions) Missing Panorama Log in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
