Reporting issues - porn sites


L3 Networker

I got a very simple request this morning.

Show me logs of user X going to pornography sites.

I have 2 PA-4020s and Panorama. I know this traffic occurred but can't generate it in report for anywhere.

This is a very critical and basic need.

Can anyone share techniques that help them get these reports?

Thanks,

Justin

8 REPLIES

L3 Networker

Have you looked in the ACC or in the URL log and verified you actually have the event logged? Did you look at the correct time frame when generating a custom report or using ACC? Start searching the URL log with something simple: (category eq adult-and-pornography).

I just built a custom report using (category eq adult-and-pornography) and adding the source user and URL in the columns, and it worked well. Just had to select the Panorama URL database.

Thanks for the replies. When I try to do a custom report for the past 2 months, it just hangs forever. Could you provide the query string you used or maybe a screenshot? I was able to use the (category eq adult-and-pornography) string for the past week and then export that to Excel.

I'd like to be able to have a functioning query that stated: USERX, adult-and-porn, return all data stored.

Not knowing how much data is stored is a problem. I wish we could get our hands into the database, or manage one ourselves in SQL.

I would try past week or past two weeks first. You may want to call Support and open a ticket if it's hanging.

The filters work like Wireshark. If you wanted to look for a certain user, you would use this query: (user.src eq USERX) and (category eq adult-or-sexually-explicit)

You could also set up a SYSLOG forwarding profile.

Thanks again.. We were told that Panorama was the log manager. It's a firewall management station, and every other product on the market does long term log storage. If I have to go tell my boss we need another syslog instance he's going to say "Why the h*** did we buy Panorama". I'm starting to wonder that myself.

If your report is hanging and not returning a result then you definitely want to open a support case and have that investigated.

-Benjamin

Thanks.. I think I've resigned to send my URL logs to syslog for now. BUT, I'm having trouble even doing that. If someone does this could you attach a screenshot? I just want to send URL logs, not threat, or traffic.

Thanks,

Justin

URL Logs are part of the Threat logs. So you should be able to forward just the Threat logs to your syslog environment in this case.

-Benjamin
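An added example, not part of the thread and not Palo Alto Networks code: since the two-month report hangs but week-long exports work, the weekly exports can be merged offline and then filtered by user and category. The column names (`Receive Time`, `Source User`, `Category`, `URL`) and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample data: two overlapping weekly exports. The column names
# are assumptions; rename them to match the header row of your own export.
WEEK1 = """Receive Time,Source User,Category,URL
2024/01/03 09:15:02,corp\\userx,adult-and-pornography,site-a.example/
2024/01/03 09:16:40,corp\\usery,news,news.example/
2024/01/07 23:59:10,CORP\\UserX,adult-and-pornography,site-b.example/
"""
WEEK2 = """Receive Time,Source User,Category,URL
2024/01/07 23:59:10,CORP\\UserX,adult-and-pornography,site-b.example/
2024/01/09 14:02:33,userx,adult-and-pornography,site-a.example/
2024/01/09 14:05:00,corp\\userx,search-engines,search.example/
"""

def bare_user(name):
    """Lower-case a user name and drop any 'domain\\' prefix."""
    return name.strip().lower().rsplit("\\", 1)[-1]

def matching_rows(exports, user, category):
    """Merge exports, drop rows repeated by overlapping time ranges, and
    return rows for one user in one URL category, oldest first.
    Rows identical in time, user, category and URL are treated as one."""
    seen, rows = set(), []
    for text in exports:
        for row in csv.DictReader(io.StringIO(text)):
            key = (row["Receive Time"], bare_user(row["Source User"]),
                   row["Category"], row["URL"])
            if key in seen:
                continue
            seen.add(key)
            if key[1] == bare_user(user) and row["Category"] == category:
                rows.append(row)
    # YYYY/MM/DD HH:MM:SS sorts chronologically as plain text.
    return sorted(rows, key=lambda r: r["Receive Time"])

def hits_per_day(rows):
    """Count matching log entries per calendar day."""
    return Counter(r["Receive Time"].split()[0] for r in rows)

if __name__ == "__main__":
    hits = matching_rows([WEEK1, WEEK2], "USERX", "adult-and-pornography")
    for r in hits:
        print(r["Receive Time"], r["Source User"], r["URL"])
    print(dict(hits_per_day(hits)))
```

To use it on real exports, read each CSV file into a string and pass the list to `matching_rows` in place of the constructed samples.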
