06-13-2017 03:02 AM
Hi all!
I'm new to this community, and we have put 2 PA-3020s into production.
I configured ELK for log forwarding.
I've searched every log and I couldn't find a field with the URL that a user is visiting. Is there a way to achieve that?
Example! Now I'm writing from this URL:
Where can I find this exact string? Is it possible with PA?
06-15-2017 02:06 PM
Hello,
Yes this should be possible. First you will need the URL Filtering license, then a URL filtering policy, and apply the policy to the rule you use for web surfing traffic.
Here are a few videos that can help out:
Start URL filtering
https://live.paloaltonetworks.com/t5/Tutorials/How-to-Configure-URL-Filtering/ta-p/59300
Advanced URL filtering
https://live.paloaltonetworks.com/t5/Tutorials/Advanced-URL-Filtering/ta-p/58204
Hope this helps!
06-19-2017 01:10 AM - edited 06-19-2017 04:24 AM
Thanks for the videos!
I've already put in place the alert on all the categories and I have a license for URL Filtering, but I don't get the result I want.
For some categories like unknown or computer-and-internet-info I get the detailed URL; for others I don't.
I think I have to use decryption, but it's strange that I only get the requested URL like in the first 3 rows.
Example
12/06/2017 10:45 | web-browsing | docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/ConfigBackup | computer-and-internet-info | alert | 1 | 00:01:24 |
12/06/2017 15:02 | apt-get | it.archive.ubuntu.com/ubuntu/dists/xenial-updates/main/binary-i386/by-hash/SHA256/ac45f575b478522ec5f0c32c34e86360c22b5df7c8ba38097d8172fd2faba5cb%20HTTP/1.1 | computer-and-internet-info | alert | 1 | 00:00:00 |
12/06/2017 15:02 | apt-get | security.ubuntu.com/ubuntu/dists/xenial-security/main/binary-i386/by-hash/SHA256/22c360a96dfcc47eae9fc04003a646c1c0fb000b5262c63e940ea89523e0681c%20HTTP/1.1 | computer-and-internet-info | alert | 1 | 00:00:00 |
12/06/2017 12:04 | google-base | clients4.google.com/ | search-engines | alert | 1 | 00:01:00 |
12/06/2017 12:04 | ssl | vortex-win.data.microsoft.com/ | computer-and-internet-info | alert | 1 | 00:00:00 |
12/06/2017 12:21 | ssl | www.google.it/ | search-engines | alert | 1 | 00:01:00 |
12/06/2017 10:59 | facebook-base | www.facebook.com/ | social-networking | alert | 1 | 00:00:00 |
12/06/2017 10:59 | twitter-base | syndication.twitter.com/ | social-networking | alert | 1 | 00:00:00 |
12/06/2017 10:59 | ssl | settings-win.data.microsoft.com/ | computer-and-internet-info | alert | 1 | 00:00:00 |
12/06/2017 10:59 | ssl | vortex-win.data.microsoft.com/ | computer-and-internet-info | alert | 1 | 00:00:00 |
12/06/2017 10:59 | ssl | ssum-sec.casalemedia.com/ | web-advertisements | block-url | 1 | 00:00:00 |
12/06/2017 10:59 | ssl | ssum-sec.casalemedia.com/ | web-advertisements | block-url | 1 | 00:00:00 |
06-19-2017 08:05 AM
Looks like this might be a function of SSL Interception and not having it enabled, perhaps? It looks like you aren't getting details for things which are over HTTPS.
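A small check, added here and not written by anyone in this thread, that reads the rows pasted above and separates entries whose URL field carries a path from entries that show only a hostname followed by "/". For TLS sessions the firewall does not decrypt, the hostname is all it can log, so host-only rows clustered on the ssl application are the pattern the previous reply describes. The sample rows are a constructed copy of the poster's table; the column names are assumptions about that export format.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the rows from the post above, pipe-delimited as pasted.
# The apt-get rows keep their "%20HTTP/1.1" tail (request-line residue) as-is.
SAMPLE_LOG = """\
12/06/2017 10:45 | web-browsing | docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/ConfigBackup | computer-and-internet-info | alert | 1 | 00:01:24 |
12/06/2017 15:02 | apt-get | it.archive.ubuntu.com/ubuntu/dists/xenial-updates/main/binary-i386/by-hash/SHA256/ac45f575b478522ec5f0c32c34e86360c22b5df7c8ba38097d8172fd2faba5cb%20HTTP/1.1 | computer-and-internet-info | alert | 1 | 00:00:00 |
12/06/2017 15:02 | apt-get | security.ubuntu.com/ubuntu/dists/xenial-security/main/binary-i386/by-hash/SHA256/22c360a96dfcc47eae9fc04003a646c1c0fb000b5262c63e940ea89523e0681c%20HTTP/1.1 | computer-and-internet-info | alert | 1 | 00:00:00 |
12/06/2017 12:04 | google-base | clients4.google.com/ | search-engines | alert | 1 | 00:01:00 |
12/06/2017 12:04 | ssl | vortex-win.data.microsoft.com/ | computer-and-internet-info | alert | 1 | 00:00:00 |
12/06/2017 12:21 | ssl | www.google.it/ | search-engines | alert | 1 | 00:01:00 |
12/06/2017 10:59 | facebook-base | www.facebook.com/ | social-networking | alert | 1 | 00:00:00 |
12/06/2017 10:59 | twitter-base | syndication.twitter.com/ | social-networking | alert | 1 | 00:00:00 |
12/06/2017 10:59 | ssl | settings-win.data.microsoft.com/ | computer-and-internet-info | alert | 1 | 00:00:00 |
12/06/2017 10:59 | ssl | vortex-win.data.microsoft.com/ | computer-and-internet-info | alert | 1 | 00:00:00 |
12/06/2017 10:59 | ssl | ssum-sec.casalemedia.com/ | web-advertisements | block-url | 1 | 00:00:00 |
12/06/2017 10:59 | ssl | ssum-sec.casalemedia.com/ | web-advertisements | block-url | 1 | 00:00:00 |
"""


@dataclass
class UrlLogEntry:
    """One row of the pasted table. Field names are assumed, not from the export."""
    time: str
    app: str
    url: str
    category: str
    action: str
    count: int
    duration: str


def parse_rows(text: str) -> List[UrlLogEntry]:
    """Parse pipe-delimited rows with a trailing '|' into UrlLogEntry records."""
    entries: List[UrlLogEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Drop the trailing pipe, then split and trim each field.
        fields = [f.strip() for f in line.strip().strip("|").split("|")]
        if len(fields) != 7:
            raise ValueError(f"unexpected column count in row: {line!r}")
        t, app, url, cat, action, count, dur = fields
        entries.append(UrlLogEntry(t, app, url, cat, action, int(count), dur))
    return entries


def host_only(url: str) -> bool:
    """True when the URL field carries nothing beyond the hostname and '/'."""
    _host, _sep, path = url.partition("/")
    return path == ""


def classify(entry: UrlLogEntry) -> str:
    """'host-only' means the firewall logged no request path for this row."""
    return "host-only" if host_only(entry.url) else "full-url"


def host_only_by_app(entries: List[UrlLogEntry]) -> Dict[str, int]:
    """Count host-only rows per application; a cluster on 'ssl' points at undecrypted TLS."""
    counts: Dict[str, int] = {}
    for e in entries:
        if host_only(e.url):
            counts[e.app] = counts.get(e.app, 0) + 1
    return counts


def report(entries: List[UrlLogEntry]) -> None:
    for e in entries:
        print(f"{classify(e):9} {e.app:14} {e.url}")
    print("host-only rows per application:", host_only_by_app(entries))


if __name__ == "__main__":
    report(parse_rows(SAMPLE_LOG))
```

Run against the pasted rows, the three plaintext HTTP entries (web-browsing and apt-get) come out as full-url and every ssl row as host-only, which is the split that tells you whether the missing paths are a URL Filtering problem or simply traffic the firewall never decrypted.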