05-21-2025 03:13 AM
So we have a URL filtering profile which, when enabled, lets me see URL filtering logs for an any-any test policy. However, there is a Deny All policy we created at the very bottom of the policy, and I have enabled the URL filtering profile for that rule. I am seeing normal network traffic but no logs under Monitor > URL Filtering.
Yes, we do have a URL filtering license; just so you know, it's working for a test rule where any to any is allowed and we applied the URL filtering profile.
Please advise how I can see the denied URL logs. Thanks
05-21-2025 06:05 AM
As Palo is dropping packets matching a drop/deny rule, it can't perform deep packet inspection for this traffic, so you might as well not apply security profiles to this policy - they won't be used anyway.
05-21-2025 06:09 AM
Just apply a URL filtering profile to your outgoing rule where the categories you want to permit are set to "alert" and those you don't want to permit are set to "block".
Then you will see blocked URL categories matching your general outgoing rule.
05-22-2025 12:57 AM
It's important to consider that a web browsing session is handled by 2 different 'layers' in the Palo Alto firewall.
First, your security rule will allow or deny a session to flow based on the 6-tuple (source/destination zone, IP, port, protocol). The security rule only looks at basic IP information.
Then, a rule can be instructed to also perform layer7 (deep packet) inspection. This causes the firewall to inspect the traffic at a different level and look at, for example, which URL is being requested inside the flow.
The URL filtering profile will then determine if a connection is allowed (allow or alert action) or denied (block action) for that specific URL.
This results in any web browsing session having 2 verdicts: allow for the 'traffic' (layer3/4) and alert/block for the content (layer7).
To build a good web browsing policy, you should make a rule that allows traffic from trust to untrust, and has a URL filtering profile that is configured to allow and block certain URL categories.
In your traffic log this rule will always be 'allow'; in your URL filtering log this rule will sometimes be 'alert' and sometimes 'block'.
By default, any security rule that is set to deny or drop will discard a session at a very early stage (oftentimes already discarding the SYN packet), so there is no layer7 inspection performed on these sessions.
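
The rule layout described in the replies above, written out as PAN-OS set-format commands for a single-vsys firewall. This is an added example, not part of the original thread or vendor-supplied configuration. The profile name, rule names, zones and category selection are assumptions, and lines starting with `#` are annotations, not CLI input.

```text
# Assumed names: profile "outbound-web", rules "allow-web" and "deny-all",
# zones "trust" and "untrust". The category lists are a constructed sample.

# URL filtering profile: "alert" permits the request and writes a URL log entry,
# "block" denies the request and writes a URL log entry.
set profiles url-filtering outbound-web alert [ business-and-economy news ]
set profiles url-filtering outbound-web block [ malware phishing command-and-control ]

# Outgoing allow rule that carries the profile.
# Traffic log: always "allow". URL filtering log: "alert" or "block" per request.
set rulebase security rules allow-web from trust to untrust source any destination any
set rulebase security rules allow-web application [ web-browsing ssl ] service application-default
set rulebase security rules allow-web action allow log-end yes
set rulebase security rules allow-web profile-setting profiles url-filtering outbound-web

# Deny-all rule at the bottom of the rulebase, with no security profile attached.
# Sessions matching it are discarded at layer 3/4 before any layer 7 inspection,
# so it only ever produces traffic log entries, never URL filtering entries.
set rulebase security rules deny-all from any to any source any destination any
set rulebase security rules deny-all application any service any action deny log-end yes
```

With this layout, blocked URLs show up under Monitor > URL Filtering against the `allow-web` rule, while the `deny-all` rule appears only in the traffic log.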