Logging of URL Categories in Security policy

cancel
Showing results for 
Search instead for 
Did you mean: 

Logging of URL Categories in Security policy

L3 Networker

All,

I have my normal URL Filtering rules setup as Policy and referenced in Profile of each rule. In those policies I have either alert or block set for each category or custom category. This works as expected, however I'm trying to setup some special access that I'm not liking the results from and need clarification, but I think I know what's going on..

I have a rule that gives a particular (AD) group of user access to either a category, or URL that would normally be denied in the regular URL policy. I'm the Application part of the rule I'm allowing ssl, web-browsing, the Service/URL Category I'm allowing the URL or category, then of course allowing it and logging it in my action.

When I go to a site as one of these permitted users I'm able to get to these sites, however I'm not seeing any logging information in either my traffic or my URL logs which is a problem..

So, I suspect that the action of the Service/URL is an Allow, not an Alert which is why I'm not seeing it in my logs..

Does that sound right?

If that's correct, is there a way to change that to an Alert? If not, WHAT THE HECK PA?!?! Why would I not want to see log hits???

Thanks!

-Steve

1 ACCEPTED SOLUTION

Accepted Solutions

Steveo,

     Here's how this would work: Create a new URL profile that has all categories set to 'Alert' and apply it to any firewall rules that reference a specific URL category as you're describing.  The URL category in the firewall rule match will supersede the URL profile, so you won't be allowing access to all sites, just the ones in the category allowed in your firewall rule.

     Here's why this works: The security rue you created allows traffic to your specified URLs and applications, however security rules by themselves do not generate URL logs (nor threat, data filtering, etc.).  In order to generate the URL log, you must have a URL Profile attached to the security rule.  Since the security rule only matches traffic destined for the URL category you specified in it, it is safe to set all categories to alert in the associated profile.

View solution in original post

9 REPLIES 9

L6 Presenter

Steve, you are right. The logging is not happening because you need to set alert rather than allow. In order to set the option to alert you have to do things little differently, you have to use URL filtering profiles rather than directly using the URL in the "service/url category" field of the security policy.

1) Go to Objects and create custom URL category and include the URLs that you want to allow.

2)Go to Objects -->security profiles and create a URL filtering profile and in the categories select the custom URL category that you have created in step 1 to alert.

3)Go to security policies and apply the URL profile you have created in step 2 to the policy.

Thanks,

Sandeep T

Sandeep,

Yeah, I thought of that, and I can't do it unfortunately..

The users in this special group are also member of different standard access groups (and URL profiles) which have different URL policies associated with them. So what I want to happen is that I place this rule above my standard policy rules, they hit this which grants them access to these special URLs, then they fall down to their particular access rule which depends on their group membership..

Does that make sense?

-Steve

I think that should work.

-Sandeep T

And it does, except the access isn't logged since the category (Or URL) is in the Service/URL area of the security policy which is an Allow, instead of an Alert..

Hense my question/problem..

I have no other way of allowing access to those special categories/sites unless I do it this way which means I don't get logging..

It sounds that you need to combine the above methods. You have to make the new url policy which does Alert the URL's and apply it to the rule that explicitly lists the URLs. Basically create the URL policy as described by Sandeep and apply it to the rule which allows your users to the specific URLs.

Hope this helps a bit?

What is your logging for these rules set to? On session start and/or on session end?

Is it possible for you to paste just the particular rules (either screenshot or by text - you can modify the actual srcip etc used before posting) in here?

Regarding url profiles, as already mentioned, you need it to be set to alert or deny (within the profile) to make it log. Allow wont log in the url logging facility (however the security rule will log in traffic log but you will miss the url part - only dstip (and dstport etc) will be there). So one could say that alert in terms of url profile actually means "allow+log".

Another thing to take into account is that you said you allowed ssl and web-browsing. Downside with this (if I remember correctly - the standard disclaimer 😉 is that once the traffic is recognised as some other app it wont be allowed if you only allowed ssl and web-browsing. Like if you visit youtube (since youtube has its own appid) and have only ssl and web-browsing allowed the visit will be blocked unless you allowed appid:youtube elsewhere (or is web-browsing a special case here?).

Im thinking as comparision with the facebook appid. When you visit www.facebook.com its identified as web-browsing and not until you actually login to facebook its being identified as appid:facebook-base.

L3 Networker

I'm not able to create another URL profile because in that profile I'd have to Allow/Deny all the other categories which would negate the access policies below them which is why I added this particular category (with the allowed URLs) via Service/URL category directly in the security policy.

This method works, but I just don't see any logging hits.. I've tried to use Start, End and both for logging, none of those work since the rule is an Allow, not an Alert..

I should be fine as far as access goes cause I'm allowing things lower in my ruleset, overhauling everything for Apps is a WAYYYYs down the road! Smiley Happy

Well, I guess my security guy will have to live with it.. ohh well! hehe..

Thanks!

-Steve

Steveo,

     Here's how this would work: Create a new URL profile that has all categories set to 'Alert' and apply it to any firewall rules that reference a specific URL category as you're describing.  The URL category in the firewall rule match will supersede the URL profile, so you won't be allowing access to all sites, just the ones in the category allowed in your firewall rule.

     Here's why this works: The security rue you created allows traffic to your specified URLs and applications, however security rules by themselves do not generate URL logs (nor threat, data filtering, etc.).  In order to generate the URL log, you must have a URL Profile attached to the security rule.  Since the security rule only matches traffic destined for the URL category you specified in it, it is safe to set all categories to alert in the associated profile.

View solution in original post

Ohhhh!

I gotcha!

Ok, I did that and it seems to work correctly!

You the man!

Thanks much!!

-Steve

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!