06-13-2017 12:33 PM
I have been tweeking reports on these Palos we purchases (3020) and trying to find a good Web Browsing/Filtering report to provide for senior management that will encompass top xx users with most visited external sites, preferrably with the duration on each site; However, as of yet I have not been able to customize a report that is easy to read and accurate.
My findings are that even embedded links (like facebook) come up on a users web browsing history even if they never actually went to facebook.
Does anyone have any good recommendations or guides for creating a decent report that doesn't include things like embedded links that make it very difficult to see a users actual browsing history?
Any assistance/guidance is appreciated!
(On a side note, I am fairly new to Palo Alto Firewalls so it may help to use small words in responses!)
06-15-2017 01:56 PM
Hello,
For executives I always provide as top level as possible, they get lost in the details and if they wanted more they can ask for it. I have my PAN's send me daily reports of the previous days following:
URL Categories
Blocked Categories
They are builtin; Montiro tab -> Reports (left side) -> URL Filtering Reports (right side)
I found that these usually generate enough questions without becoming too burdensome for them or myself. I dont think you can show how long someone visited the site for, but you can see how many times they visited the site and how much data was transfered.
Hope that helps!
06-16-2017 12:31 PM - edited 06-16-2017 12:32 PM
Hi Otakar,
That does help and it is good information. Unfortunately they want something a little more specific than just categories and blocked sites. But any report I try to make more informational has TOO much (i.e. static.ak.fbcdn.net for facebook links) even though the individual never actually visited the site.
Other "junk" if you will are all the external microsoft links etc that the user isnt actually browsing to but comes up in the web filter as a connection since the user was logged in at the time (examples: update.windows.com etc).
So, while you're answer for most situations would be very very helpful for my execs, in this specific situation they want more details and I can't seem to find a way without all the 'junk'.
Thank you for the recommendation, I think this is going to be a good daily/weekly report to have sent CIO.
06-16-2017 12:55 PM
Hmm, how about starting off with a template and customizing from there?
Montiro -> Manage Custom Reports -> Add
Click 'Load template' from the upper left, I selected the 'Top URL Users' and then added URL as a column. Seems to have truncated the URL's quite a bit.
06-16-2017 12:56 PM
If you're using custom reports, you could filter out some of the noisier URLs by adding a custom query such as:
and not (url contains fbcdn) and not (url contains someothersite) and not (url contains somethirdsite)
or entire categories
and not (category eq web-advertisements)
If you're using the "User Activity Reports", disable the detailed URL information and train your management to look at the first couple of sections: Applications & URL Category Summary... and then if they want more detail they can keep reading through the report to more of the nitty-gritty details.
Pro-tip: before handing a user-based report to a manager, provide that manager their own user-based report... so when they see some of the "noise" on an employee report - they already have a feel for what's normal & expected because they see it on their own report.
Another approach might be to provide less detail to senior management. ie: these are the users with the most visits to external sites and their categories - don't get to specific URLs/Domains. And then when they ask, you can provide additional detail.
Not a perfect answer, but hopefully gives you some ideas as you move forward with reporting. Good luck!
06-16-2017 12:58 PM
I will play with this configuration and see if I can't find a way to get this in a presentable fashion they like!
Thank you very much!
06-16-2017 01:00 PM
jvalentine,
Thank you for the suggestions, I didn't notice there was the option to filter out: "noisier URLs by adding a custom query such as:
and not (url contains fbcdn) and not (url contains someothersite) and not (url contains somethirdsite)
or entire categories
and not (category eq web-advertisements)"
I will look into this more as filtering out the 'junk' may be a simple matter (lot's of query, but simple to build once identified)!
Very much appreciated!
06-16-2017 01:03 PM
You can use that in the 'Query Builder' section of the custom reporting module (you can see the field in @OtakarKlier's screenshot)
06-16-2017 01:03 PM
Love the Pro tip :). Gotta use it more often...
Pro-tip: before handing a user-based report to a manager, provide that manager their own user-based report... so when they see some of the "noise" on an employee report - they already have a feel for what's normal & expected because they see it on their own report.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
