05-03-2023 12:44 PM
What would cause facebook not to be shown in any of the logs on the PA?
05-03-2023 02:34 PM
Is it possible that you aren't logging the rule associated with the traffic? facebook-base is pretty easily identified on the firewall even if the traffic isn't being decrypted, so if you aren't seeing anything I'd assume that it either isn't being logged or nobody is actually visiting the site.
05-03-2023 02:37 PM - edited 05-03-2023 02:45 PM
@BPry what would keep the rule from logging the facebook traffic while on the VPN? How can I check? and yes I can see other people using it just not when they are on the VPN
05-03-2023 03:01 PM
The matching rule would need to be configured to not log the traffic. You'd have to look at the rule that would allow Facebook traffic and ensure that it's setup to log properly. You can test the traffic against your rulebase using the 'Test Security Policy Match' feature in the GUI from your Security policies page, or use the 'test security-policy-match' command via the CLI.
There should be no reason outside of the matching policy being set to not log that specifically Facebook wouldn't show up in your traffic logs.
05-04-2023 06:47 AM
Yes logging is turned on for all the security rules, and it is logging for those on the internal network but not for those on the VPN
05-04-2023 01:42 PM
If the security policy is setup to log and it's not logging Facebook, and it's only happening on VPN traffic, are you potentially sending the traffic out locally? I'd review that you don't have anything configured in GlobalProtect's agent config to only send internal routes through GlobalProtect or have otherwise excluded the Facebook domains as an excluded domain.
05-04-2023 01:48 PM
I have split tunneling turned off so all of the users traffic routes through the internal network including his internet access.
05-05-2023 08:30 AM
I figured out that the issue is caused by the fact that we are using duo mfa and the user in duo mfa is different from what is in the AD user group applied to the rule so that is why any user works and I was looking for the wrong user in the log so that is why I did not see it. I added a alias in duo that matches the AD usersname but it still didn't work, Any idea
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
