Log Container Page Only - impact?


L1 Bithead

Hello,

 

Has anyone experienced a negative impact from having the "Log Container Page Only" feature checked/turned on?

 

I ask because of the warning, "If you enable the Log container page only option, there may not always be a correlated URL log entry for threats detected by antivirus or vulnerability protection." Do you have examples of instances when the correlated URL log entries made it difficult to fully log/chase down other vulnerabilities? 

 

For context, the company I work for has to comply with several government regulations (CMMC). If the "Log Container page only" option weakens our system security/validity, it may not be an option I can use. It would be great, however, to reduce the number of logs being produced because it would make observing user activity MUCH easier. Any advice is appreciated.

 

Thanks,

Angela

 

Accepted Solution

Community Team Member

Hi @AMcCallister 

 

With "Log Container Page Only" unchecked, you can see exactly which sub-resource on a URL triggered alerts. For example, if a user visits a site like cnn.com, you might see a URL log flagged as high-risk or even a threat. You’d be able to pinpoint the specific resource and determine whether it was an ad, a tracking script, or embedded malicious JavaScript that caused the alert.

 

With "Log Container Page Only" checked, let's say you have an infected host in your environment and you're asked for root cause, so you start looking through logs. You see a bunch of alerts and threats to URLs, but you don't know what they clicked on or which sub-resource they interacted with on the page. Evidence of a website URL might suffice, but some orgs might need additional detail when determining root cause.


Whether to check or uncheck this setting really depends on the organization's needs and how deep you need to go into logs for your role. Reducing log volume is great for simplicity, but it can weaken your ability to chase down vulnerabilities or meet detailed compliance requirements. If your organization lacks additional security layers like a secure browser, proxy, or endpoint detection, you might consider leaving it unchecked to retain more visibility.

 

Hope this helps! 

LIVEcommunity team member
Stay Secure,
Jay
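To illustrate the difference Jay describes, here is an added example (not from the original thread and not Palo Alto Networks code) that correlates a threat log entry against a URL log with and without sub-resource entries. The log structures, field names and sample values are constructed and simplified for the demonstration, not the real PAN-OS log format.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class UrlLog:
    session: int
    url: str
    category: str
    is_container: bool  # True for the page the user requested, False for resources it pulled in

@dataclass(frozen=True)
class ThreatLog:
    session: int
    url: str
    threat: str

# Constructed sample: one browsing session, a news page plus the sub-resources it loaded.
FULL_URL_LOG = [
    UrlLog(1001, "news.example.com/", "news", True),
    UrlLog(1001, "cdn.example.net/ad.js", "web-advertisements", False),
    UrlLog(1001, "tracker.example.org/pixel.gif", "web-advertisements", False),
    UrlLog(1001, "bad.example.test/loader.js", "malware", False),
]

# Constructed threat log: vulnerability protection fired on a sub-resource, not on the page.
THREAT_LOG = [ThreatLog(1001, "bad.example.test/loader.js", "JavaScript Downloader")]

def container_page_only(entries: List[UrlLog]) -> List[UrlLog]:
    """Simulate the setting: keep container pages, drop the sub-resource entries."""
    return [e for e in entries if e.is_container]

def correlate(threat: ThreatLog, entries: List[UrlLog]) -> Optional[UrlLog]:
    """Find the URL log entry that matches a threat by session and exact URL."""
    return next((e for e in entries if e.session == threat.session and e.url == threat.url), None)

def root_cause_report(threats: List[ThreatLog], entries: List[UrlLog]) -> List[Tuple]:
    """For each threat, give the matching URL and category, or, when the URL log has
    no matching entry, fall back to the container page(s) logged for that session."""
    report = []
    for t in threats:
        hit = correlate(t, entries)
        if hit is not None:
            report.append((t.threat, hit.url, hit.category))
        else:
            pages = [e.url for e in entries if e.session == t.session and e.is_container]
            report.append((t.threat, None, pages))
    return report
```

With the full URL log the report names the exact script and its category; with container pages only it can say no more than which site the session visited.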


3 REPLIES


L1 Bithead

Thanks, Jay! I figured it was something along those lines. 

V/r,

Angela

L1 Bithead

Is it possible to create a separate URL Filtering Profile so that the main logs retain full information, but another group of logs is limited to the container pages? Our Palo Alto logs are fed into another software for simplified user monitoring. Sometimes the amount of data from Palo Alto makes it difficult or impossible to run reports for more than a week.
