
Related Logs in Traffic Log - no URL-Filtering?



L3 Networker

Hi,

isn't the "Related Logs" field in the details of a traffic log entry supposed to list logs from other logging categories like URL-Filtering or Data-Filtering as well? I only seem to get other traffic logs in the related log field.

Example:

* outgoing web-browsing is allowed, logging is turned on

* URL-filtering is in place, logging is turned on (action: alert)

* User browses to www.wired.com, category "News" (I just made that up).

Result:

* I see the request in the URL-Filtering logs

* I see the request in traffic logs

BUT:

* I open the corresponding traffic log entry to see the details and look at the "related logs" field. Nothing from the URL-Filter shows up here. Even though it was logged.

It does work the other way around (looking at URL-Filter log entry details, related logs shows corresponding traffic log entries).

Is this a bug? PAN-OS 5.02.


L6 Presenter

Does it not show up as a 'threat' log?

Here's the URL log for session id 55307

General
Session ID   55307
Threat/Content Type   url
Action   alert
Application   web-browsing
Rule   test group
Category   computer-and-internet-info
Virtual System   vsys1
Device   001606002115
Threat/Content Name  
ID  
Severity   informational
IP Protocol   tcp
Log Action  
Repeat Count   1
URL   www.speedtest.net/
Request Categorization Change
Source
Source User   amb\renato
Source address   172.16.20.2
Source Port   54739
Source Zone   L3_Trust
Inbound Interface   ethernet1/2
NAT Source IP   10.16.3.241
NAT Source Port   26212
Destination
Destination User  
Destination address   72.21.92.20
Destination Port   80
Destination Zone   L3_Untrust
Outbound Interface   ethernet1/1
NAT Destination IP   72.21.92.20
NAT Destination Port   80
Time
Generate Time   2013/05/28 11:57:51
Receive Time   2013/05/28 11:57:52
Misc
Captive Portal  
Proxy Transaction  
Decrypted  
Packet Capture  
Direction   client-to-server
Related Logs (+/- 24 Hours)
Receive Time     Log      Type  Application   Action  Rule        Bytes   Packets  Severity       Category                    URL / Filename
05/28 11:57:52   threat   url   web-browsing  alert   test group                   informational  computer-and-internet-info  www.speedtest.net/
05/28 11:58:39   traffic  end   web-browsing  allow   test group  10,271  20

Here's the traffic log for the same session ID

Session ID   55307
Type   end
Action   allow
Application   web-browsing
Rule   test group
Category   computer-and-internet-info
Virtual System   vsys1
Device   001606002115
IP Protocol   tcp
Log Action  
Bytes   10,271
Bytes Received   8,546
Bytes Sent   1,725
Repeat Count   1
Packets   20
Packets Received   10
Packets Sent   10
Source
Source User   amb\renato
Source address   172.16.20.2
Source Country   172.16.0.0-172.31.255.255
Source Port   54739
Source Zone   L3_Trust
Inbound Interface   ethernet1/2
NAT Source IP   10.16.3.241
NAT Source Port   26212
Destination
Destination User  
Destination address   72.21.92.20
Destination Country   US
Destination Port   80
Destination Zone   L3_Untrust
Outbound Interface   ethernet1/1
NAT Destination IP   72.21.92.20
NAT Destination Port   80
Time
Generate Time   2013/05/28 11:58:40
Start Time   2013/05/28 11:57:52
Receive Time   2013/05/28 11:58:39
Elapsed Time (sec)   18
Misc
Captive Portal  
Proxy Transaction  
Decrypted  
Packet Capture  
Client to Server  
Server to Client  
Related Logs (+/- 24 Hours)
Receive Time     Log      Type  Application   Action  Rule        Bytes   Packets  Severity       Category                    URL / Filename
05/28 11:57:52   threat   url   web-browsing  alert   test group                   informational  computer-and-internet-info  www.speedtest.net/
05/28 11:58:39   traffic  end   web-browsing  allow   test group  10,271  20

Thanks. That's strange. If I do a search on a specific session ID like you did, the related logs show up. If I randomly pick any other web-browsing traffic log, the related logs do not show.

Searched traffic logs and found one where there was no correlating "URL" threat log. So I scoured the URL logs and filtered by dst IP and src port equivalent to what was detected via the traffic log and, sure enough, no URL log found.

(attached screenshots: 5-28-2013 1-17-20 PM.png, 5-28-2013 1-17-36 PM.png)
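As an added example (not code from this thread or from Palo Alto Networks), the script below does offline what the "Related Logs (+/- 24 Hours)" panel does on the box and what the reply above did by hand: it links threat/url and traffic logs that share device, vsys and session ID inside a time window, and then lists web-browsing traffic logs that have no URL log for the same flow. Field names follow the log detail views above; the records are constructed, with session 55307 mirroring the thread and two invented entries showing a missing URL log and a reused session ID. The ±24 hour window and the 5-tuple check are assumptions about how the panel correlates, not documented behaviour, and the dict layout is this example's own, not the PAN-OS syslog field order.

```python
"""Correlate PAN-OS traffic logs with URL-filtering (threat/url) logs offline.

Added example: not code from the forum thread or from Palo Alto Networks.
Entries are dicts keyed after the field names in the log detail views above.
The records are constructed: session 55307 mirrors the thread, the other two
are invented to show a missing URL log and a reused session ID.
"""
from datetime import datetime, timedelta

TIME_FMT = "%Y/%m/%d %H:%M:%S"


def entry(log_type, subtype, session_id, receive_time, src, sport, dst, dport,
          action, url="", category="", bytes_=0):
    """Build one log record; device, vsys, app and rule are constant in this sample."""
    return {"log_type": log_type, "subtype": subtype, "session_id": session_id,
            "vsys": "vsys1", "device": "001606002115", "receive_time": receive_time,
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "app": "web-browsing", "rule": "test group", "action": action,
            "url": url, "category": category, "bytes": bytes_}


# Constructed sample data (not a real export).
LOGS = [
    entry("threat", "url", 55307, "2013/05/28 11:57:52", "172.16.20.2", 54739,
          "72.21.92.20", 80, "alert", "www.speedtest.net/", "computer-and-internet-info"),
    entry("traffic", "end", 55307, "2013/05/28 11:58:39", "172.16.20.2", 54739,
          "72.21.92.20", 80, "allow", category="computer-and-internet-info", bytes_=10271),
    # A web-browsing session that produced no URL log at all (invented).
    entry("traffic", "end", 55310, "2013/05/28 11:59:10", "172.16.20.2", 54750,
          "93.184.216.34", 80, "allow", bytes_=4120),
    # The same session ID reused a day later for a different flow (invented).
    entry("threat", "url", 55310, "2013/05/29 13:00:00", "172.16.20.7", 40001,
          "203.0.113.10", 80, "alert", "example.net/", "unknown"),
]


def _received(e):
    return datetime.strptime(e["receive_time"], TIME_FMT)


def flow(e):
    """Client-side 4-tuple; protocol is tcp for every record here."""
    return (e["src"], e["sport"], e["dst"], e["dport"])


def related_logs(e, logs, window_hours=24):
    """Approximate the GUI's 'Related Logs (+/- 24 Hours)' panel.

    Candidates share device, vsys and session ID and fall inside the window.
    Session IDs are reused over time, so each hit is returned with a flag
    saying whether its 4-tuple also matches; a False flag means the session
    ID alone linked two unrelated flows.
    """
    t = _received(e)
    lo, hi = t - timedelta(hours=window_hours), t + timedelta(hours=window_hours)
    key = (e["device"], e["vsys"], e["session_id"])
    hits = []
    for other in logs:
        if other is e:
            continue
        if (other["device"], other["vsys"], other["session_id"]) != key:
            continue
        if not lo <= _received(other) <= hi:
            continue
        hits.append((other, flow(other) == flow(e)))
    hits.sort(key=lambda pair: _received(pair[0]))
    return hits


def traffic_without_url_log(logs, window_hours=24):
    """Session IDs of web-browsing traffic 'end' logs that have no threat/url
    log for the same session and the same flow: the gap the reply hunted for
    by filtering URL logs on destination IP and source port."""
    missing = []
    for e in logs:
        if (e["log_type"], e["subtype"], e["app"]) != ("traffic", "end", "web-browsing"):
            continue
        has_url = any(o["log_type"] == "threat" and o["subtype"] == "url" and same_flow
                      for o, same_flow in related_logs(e, logs, window_hours))
        if not has_url:
            missing.append(e["session_id"])
    return missing


if __name__ == "__main__":
    for e in LOGS:
        print(f"{e['receive_time']} {e['log_type']}/{e['subtype']} session {e['session_id']}")
        for other, same_flow in related_logs(e, LOGS):
            tag = "" if same_flow else "  <-- 4-tuple differs: reused session ID"
            print(f"    related: {other['receive_time']} {other['log_type']}/{other['subtype']}{tag}")
    print("traffic logs with no URL log:", traffic_without_url_log(LOGS))
```

Run it as-is and session 55307 shows its URL log in both directions, session 55310 is reported as having no URL log, and widening the window to 48 hours pulls in the reused 55310 URL log but flags it because the addresses and ports do not match, which is why a correlation on session ID alone is not enough on a long export.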

Not in my case. I definitely have corresponding URL logs that do not show up in related logs. 100%

Perhaps a call into Support would be more feasible so we can dissect this further?

will do. thanks for your help!
