03-31-2011 08:35 AM
Is there a way to view sites that are set to "Allow" or are in the "Allow list"? I can see the "Allow list" sites via the Application Command Center, but is there any way to view them in the "Monitor" tab or through reporting?
03-31-2011 08:40 AM
If you are talking about the URL Filter, set them to "Alert" instead of "Allow".
Then they are logged under Monitor - URL Filtering.
Regards
Marco
03-31-2011 09:39 AM
TLK Support wrote:
If you are talking about the URL Filter, set them to "Alert" instead of "Allow".
Then they are logged under Monitor - URL Filtering.
Regards
Marco
I've actually tried this, but our SIEM (QRadar) does not like it. It will send all allowed sites to QRadar as an Alert, which ultimately generates a lot of false offenses. Also, that method won't show me sites that I specify in the "allow list sites". I don't understand why we can view allowed sites in the ACC, but not anywhere else.
04-01-2011 02:55 AM
This happens because the "allow" action on URL categories does not create log entries, but the ACC collects information from both logging and the dataplane, so recently accessed allowed sites will have sessions generated and result in an entry in the ACC.
If you want to be able to set sites you currently have in your allow list to "alert", you can create a custom category and add these sites to it. Then you will be able to have these sites handled like other categories (allow, alert, block, continue, override).
Regards
01-10-2014 12:29 PM
Reviving very old post but nowhere else can I find anything similar.
So how does this work?
The rule is that "When a user attempts to access a URL and the URL category needs to be determined, the firewall will compare the URL with the following components until a match has been found:
1. Block list of the matching URL profile
2. Allow list of the matching URL profile
3. Custom categories that have been defined
4. DP URL cache
5. MP URL cache
6. Cloud systems"
If Allow takes precedence over Custom categories, how can you see the allowed sites?
I.e., if I put *.facebook.com and facebook.com in the URL Filtering Allow list, and also add them to a custom URL category called "show_me_allowed", and set the custom Alert Category list to be "Alert", when I browse to Facebook and look at the URL log, I still cannot see it because Allow supersedes Custom.
Theoretically: How do we prove that a user who is allowed to access a site during work hours also accessed (or didn't) the site at other times if we can't see it? We do not use the Palo Alto schedules feature.
Thanks.
01-10-2014 12:47 PM
You wouldn't want to put it in both an allow list and an alert custom category.
Instead, remove them from the allow list and make them only exist in the custom URL category for which you have set them to alert. That way when it goes through the #2 on your list, it won't see facebook.com, and will then go to #3, hitting the Alert action on that custom category.
Hope this helps,
Greg
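The lookup order quoted in this thread, modelled as an added Python example (not part of any post and not Palo Alto Networks code): it shows why a site present in both the allow list and an "alert" custom category never reaches the URL log, and includes a check that flags such shadowed entries. Assumptions: the profile dictionary layout and function names are hypothetical, wildcard matching is simplified, the block list action is taken to be "block", and steps 4-6 are collapsed into one default action.

```python
from fnmatch import fnmatchcase

# Actions that write a URL Filtering log entry; per the thread, "allow" does not.
LOGGED_ACTIONS = {"alert", "block", "continue", "override"}

def host_matches(host, patterns):
    # Simplified wildcard match (assumption): "*.example.com" covers subdomains only.
    return any(fnmatchcase(host.lower(), p.lower()) for p in patterns)

def evaluate(host, profile):
    """Walk the quoted lookup order, first match wins: (matched_by, action, logged)."""
    if host_matches(host, profile["block_list"]):        # step 1
        return "block list", "block", True
    if host_matches(host, profile["allow_list"]):        # step 2
        return "allow list", "allow", False
    for name, cat in profile["custom_categories"].items():  # step 3
        if host_matches(host, cat["sites"]):
            return "custom category " + name, cat["action"], cat["action"] in LOGGED_ACTIONS
    # Steps 4-6 (DP cache, MP cache, cloud) collapsed into one default action.
    return "cache/cloud lookup", profile["default_action"], profile["default_action"] in LOGGED_ACTIONS

def shadowed_entries(profile):
    """Custom-category sites with a logging action that the allow list hides."""
    return sorted(
        (name, site)
        for name, cat in profile["custom_categories"].items()
        if cat["action"] in LOGGED_ACTIONS
        for site in cat["sites"]
        # Heuristic: turn the pattern into one sample host and test it.
        if host_matches(site.replace("*", "x"), profile["allow_list"])
    )

# Constructed profiles mirroring the configuration described in the thread.
SHADOWED = {
    "block_list": [],
    "allow_list": ["facebook.com", "*.facebook.com"],
    "custom_categories": {
        "show_me_allowed": {"action": "alert", "sites": ["facebook.com", "*.facebook.com"]},
    },
    "default_action": "allow",
}
FIXED = dict(SHADOWED, allow_list=[])  # entries kept only in the custom category

if __name__ == "__main__":
    for label, profile in (("shadowed", SHADOWED), ("fixed", FIXED)):
        print(label, evaluate("www.facebook.com", profile), shadowed_entries(profile))
```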
01-13-2014 07:13 AM
I'll try that, thanks!