Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Facebook not showing in logs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Facebook not showing in logs

L2 Linker

What would cause facebook not to be shown in any of the logs on the PA?

7 REPLIES 7

Cyber Elite
Cyber Elite

@janelle.provine,

Is it possible that you aren't logging the rule associated with the traffic? facebook-base is pretty easily identified on the firewall even if the traffic isn't being decrypted, so if you aren't seeing anything I'd assume that it either isn't being logged or nobody is actually visiting the site. 

@BPry what would keep the rule from logging the facebook traffic while on the VPN? How can I check? and yes I can see other people using it just not when they are on the VPN

Cyber Elite
Cyber Elite

@janelle.provine,

The matching rule would need to be configured to not log the traffic. You'd have to look at the rule that would allow Facebook traffic and ensure that it's setup to log properly. You can test the traffic against your rulebase using the 'Test Security Policy Match' feature in the GUI from your Security policies page, or use the 'test security-policy-match' command via the CLI.

There should be no reason outside of the matching policy being set to not log that specifically Facebook wouldn't show up in your traffic logs. 

@BPry 

Yes logging is turned on for all the security rules, and it is logging for those on the internal network but not for those on the VPN

Cyber Elite
Cyber Elite

@janelle.provine,

If the security policy is setup to log and it's not logging Facebook, and it's only happening on VPN traffic, are you potentially sending the traffic out locally? I'd review that you don't have anything configured in GlobalProtect's agent config to only send internal routes through GlobalProtect or have otherwise excluded the Facebook domains as an excluded domain. 

I have split tunneling turned off so all of the users traffic routes through the internal network including his internet access. 

I figured out that the issue is caused by the fact that we are using duo mfa and the user in duo mfa is different from what is in the AD user group applied to the rule so that is why any user works and I was looking for the wrong user in the log so that is why I did not see it. I added a alias in duo that matches the AD usersname but it still didn't work, Any idea 

  • 2224 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!