02-19-2018 10:27 AM
Hi
When users are accessing internal portal then they are getting "Virus/spware download blocked" on browser with file name (althrough they are not accessing this file) but there is no virus/spyware logs in threat monitor tab.
Any pointers how to fix this?
02-19-2018 11:00 AM
You have identified that this block page is presented by Palo?
All your security policies have "Log at Session End" checked on Actions tab?
Do you see those threat events in ACC? Be aware ACC has 15 minute delay.
02-19-2018 12:11 PM - edited 02-19-2018 12:15 PM
@Raido_Rattameister thanks.
You have identified that this block page is presented by Palo?
Yes becuase it is the default block page by Palo Alto firewall
All your security policies have "Log at Session End" checked on Actions tab? Yes I double checked that
Do you see those threat events in ACC? Be aware ACC has 15 minute delay.
I cannot see this here but I can see "others" with count 10
02-19-2018 02:39 PM
Have you taken a packet capture of the effected machine just to verify that they truthfully aren't trying to access the file-name indicated? It could be that the machine is infected with spyware/malware and they are trying to inject something into the browser page, or that they are getting redirected to a download page other than the page they were hoping to go to?
02-19-2018 09:45 PM
@BPry thanks but why I am not getting threat logs for this 😞
02-20-2018 05:53 AM
That would depend on your configuration; what does your security profile assigned actually look like?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
