URL logs missing for Traffic through alert only URL category / profile.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

URL logs missing for Traffic through alert only URL category / profile.

L2 Linker

Hi All,

Software Version 11.1.2-h3

 

We have a strange situation: Some URL filtering log entries for valid visits to web sites are missing. The traffic goes through a security rule which has a URL filtering profile with only alert and block categories. We have both Pan-db and Advanced URL filtering licenses.   

 

We can see the traffic in the main traffic log but no corresponding entry in the URL filtering log. 

 

Strangely though, if we create a custom URL category with the web site in question added and then set that to alert in the URL profile then the URL log appears. if you remove it from the custom url category and browse to the web site. URL filtering log doesn't show the relevant entry.

I have come across at least one other community entry on a similar case.

 

Any help would be welcome. Just waiting for TAC to get involved. 

 

Thanks,

4 REPLIES 4

Community Team Member

Hi @uduwawalan ,

 

I'm wondering if the websites that aren't populating in the URL filtering logs are properly categorized. If you check https://urlfiltering.paloaltonetworks.com/ and enter the websites that aren't populating. Do they come up with a category that you specified as "alert" within your URL filtering profile? 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Community Team Member

Please share any details you receive from TAC as they might be helpful for future users. Thanks! 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thanks.

 

Yes they are being categorized as the websites are quite standard ones that we are testing. for example "Marksand spencer.com" or qad.com or oracle.com which are well known web sites and are categorized if you run the command test url "......." in the CLI of the box. It's quite strange.

 

I just put in a test policy targeting a test workstation with a URL profile that had all categories blocked. That just allowed the traffic through. I could see some entries in the traffic log that said "block-url" but they were not relevant to the web sites I was browsing to.

So I added the these websites to custom category.. They then appeared in the URL log and got blocked but no block message from the Palo box.Just a "site can't be reached" message. 

TAC are apparently reviewing the Techsupport file and other info our support company provided. 

The term Rome is burning while nero played violin comes to mind.

 

Not a very pleasant situation to find yourself in.

L2 Linker

In the end, no one from TAC contacted us. Our own support provider,observed in the config xml that in case of a few url entries in the url categories, there was a strange set of characters were appended. This set of characters as follows -  "&#x200B. Apparently these characters are appended if you inadvertently leave a space at the end of url entry when you add them to url categories when creating customer categories.

 

So we save a config, exported it out, did a search and replace of all the instances. We then saved the config xml file.Imported the config file and committed the change.

 

So far all seems fine so far.

I am very disappointed with Palo TAC. this was a case where quick intervention  was necessary and we have managed to fix the problem days after, by ourselves largely.

 

What is point of paying for support when it's not there when you need it?

  • 1262 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!