Hi Folks,
It seems my whole life is a lie... Apparently PAN FW will generate URL log for category with action set to allow.
Yep, and the funnier thing is that you don't even need URL filtering profile applied on the rule. Someone may say I am crazy or I don't understand how PAN FWs work, probably both is true...But how would you explain the following:
Quick background we have IPsec VPN between two PAN fw and we manage both. We have decided to create "trust-all" rule on one end the tunnel and have specific rule only on one of the FWs. For that reason on the far end of the tunnel the rule is "allow any, without any security profile". Today something got my attention - you guess it - the rule without security profile was generating URL allow logs
Here is how the logs from both firewall looks like
And here is the rule without any security profile, that is generating URL log with action allow
It seems the cause of this phenomena is the Log Forwarding profile.
I was not able to find any other reference to this behavior, but I hope someone prove me wrong and provide any other documentation mentioning this behavior of Log Forwarding.
Please tell me I am not the only one who was not aware of this, I am flipping tables around here...
I am now more curious how this works, if no URL filtering profile is applied why FW is inspecting the SNI. For me this sounds like FW is still performing some kind of inspection (event without any security profile, nor decryption rule also), but will do it silently without generating any log. Until you apply log forwarding for all logs...
Hey @reaper ,
- The firewall that is generating the URL allow rule, doesn't have any decryption rule at the moment.
- Matching rule is actually around the bottom, but moving it higher, shouldn't make difference, because the matching source and destination objects are matching only that rule.
Hey @kat3xx ,
Indeed the log forwarding is set to forward any log
But this still doesn't explain why rule with no security profile will generate URL log?
