Does the URL filter at urlfiltering.paloaltonetworks.com have anything to do with how a Palo Alto firewall classifies the 'type' of site?
I noticed that there are some sites that our firewall classifies as 'spyware' that the URL filtering site classifies as other (not malicious) categories.
I'm trying to understand what is the most expedient way to identify and block malicious traffic. It is unclear to me if I should be reviewing sites based on the URL filter and if it is worthwhile to submit change requests for the category? And if the URL filter identifies something as malicious, do I still need to block it at the firewall?
A spyware log entry has nothing to do with website classification and URL filtering. It means that a file (or extension or script...) has been found in traffic which is recognised as spyware. This can be something really malicious like a keylogger or just some toolbar which is recognised as adware.
URL filtering deals with website categorisation. There is a 'malware' category. But not all spyware is malicious (though I guess this depends on what you refer to as malicious). So I guess it depends upon what type of spyware was detected to decide whether you should request a change of category of the website.
About what a good practice to stop malware is: use everything you have.
URL filtering to block users from visiting malware websites, anti-spyware to block at least medium and higher severity spyware, IPS to protect client vulnerabilities and prevent transfer of exploit kits, anti-virus to prevent transfers of payloads... And a good endpoint protection for everything that FW doesn't see.
Are you talking about seeing 'spyware' entries in the threat logs, or is your URL Filtering actually kicking in and blocking you from getting to these sites? If it's the log entries, that's actually normal and a good thing that the firewall is catching them; hopefully you are blocking or otherwise taking action on them. If your URL Filtering is kicking in when it shouldn't be, you may have to change how often you're grabbing the updates; it could be that they were categorized correctly at the time, but your update is timed long enough that they allow it to get out of sync with what you are seeing on the website.