About vulnerability protection and url filter action

L1 Bithead
I set medium to drop in the vulnerability protection profile, but when I check the log, the severity is medium and the action is alert. Why not drop?
If you check the verbose log, the type is url and the action is alert. The severity is informational.
In this case, isn't URL processing prioritized, so the traffic is not dropped?

L6 Presenter

Hi @t-katsuki,

First, where are you looking for the logs? I mean, under the Threat or the URL Filtering section? If you want to see vulnerability protection profile related logs, please check under the Threat logs tab. Also, before checking logs under that tab, you need to have that profile mapped to the security policy which is allowing the traffic. Unless you have the VP profile attached to the security policy, it won't come into the picture while processing the traffic.

Mayur S.

L7 Applicator

There is a distinct difference between vulnerability logs and URL logs.

A URL log will always be severity informational; the action will depend on what the category action is set to, so it might be alert (URL allowed), block-url, continue, ...

As you can see in the example below, there are 3 logs associated with a single session and all have a different severity and action.

The traffic log in green is a simple allow rule, no severity. This is because the session was allowed initially by the security policy.

The URL filtering log in red is informational and alert, because URL logs are always informational, and the URL category was allowed in the URL filtering profile.

The vulnerability log in purple is critical and reset-both, because a vulnerability was found once the HTTP connection started going and a payload was transferred that contained something bad.

[screenshot 2021-01-18_10-46-42.jpg: traffic, URL filtering and vulnerability logs for one session]

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN
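The three-logs-per-session point above, as an added example that is not code from the original thread or from Palo Alto Networks: a small triage script that buckets the logs of one session by type (traffic, URL, vulnerability), explains why a URL-subtype log carries severity informational and the URL-category action rather than the vulnerability profile's action, and flags vulnerability logs whose action does not match what the profile is supposed to do for that severity (the original poster's "medium but alert" case). The log lines are constructed key=value records for illustration, not the real PAN-OS CSV/syslog layout; the field names (type, subtype, sid, rule, sev, action, category) are assumptions.

```python
"""Triage per-session firewall logs by type and check the vulnerability
protection action against the profile's configured action.

Added example, not code from the thread or from Palo Alto Networks. The
records below are constructed key=value lines; the field names are
assumptions and not the real PAN-OS log format.
"""
from collections import defaultdict

# Constructed sample: two sessions, each with a traffic log, a URL log and a
# vulnerability log. Session 4712 is the "medium severity but action alert"
# situation from the question.
SAMPLE_LOGS = """\
type=TRAFFIC subtype=end sid=4711 rule=allow-web action=allow
type=THREAT subtype=url sid=4711 rule=allow-web sev=informational action=alert category=computer-and-internet-info
type=THREAT subtype=vulnerability sid=4711 rule=allow-web sev=critical action=reset-both
type=TRAFFIC subtype=end sid=4712 rule=allow-web action=allow
type=THREAT subtype=url sid=4712 rule=allow-web sev=informational action=alert category=unknown
type=THREAT subtype=vulnerability sid=4712 rule=allow-web sev=medium action=alert
"""


def parse(text):
    """Turn constructed key=value lines into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        records.append(dict(tok.split("=", 1) for tok in line.split()))
    return records


def group_by_session(records):
    """Bucket the logs of each session id into traffic / url / vulnerability."""
    sessions = defaultdict(lambda: {"traffic": [], "url": [], "vulnerability": []})
    for r in records:
        if r["type"] == "TRAFFIC":
            sessions[r["sid"]]["traffic"].append(r)
        elif r["type"] == "THREAT" and r["subtype"] in ("url", "vulnerability"):
            sessions[r["sid"]][r["subtype"]].append(r)
    return dict(sessions)


def explain(record):
    """Say which configuration object produced a log's severity and action."""
    if record["type"] == "TRAFFIC":
        return "traffic log: action comes from the security rule, no severity"
    if record["subtype"] == "url":
        return ("URL filtering log: severity is always informational; action %r "
                "is the URL category action, not the vulnerability profile action"
                % record["action"])
    if record["subtype"] == "vulnerability":
        return ("vulnerability log: severity %r comes from the signature, action %r "
                "from the vulnerability protection profile on rule %r"
                % (record["sev"], record["action"], record["rule"]))
    return "other threat log"


def check_vp_action(records, profile):
    """Flag vulnerability logs whose action differs from the profile's action
    for that severity. URL logs are skipped on purpose: they never carry the
    vulnerability profile's action. `profile` maps severity -> expected action,
    e.g. {"medium": "drop", "critical": "reset-both"}."""
    findings = []
    for r in records:
        if r["type"] != "THREAT" or r["subtype"] != "vulnerability":
            continue
        expected = profile.get(r["sev"])
        if expected is not None and expected != r["action"]:
            findings.append({
                "sid": r["sid"], "rule": r["rule"], "severity": r["sev"],
                "observed": r["action"], "expected": expected,
                "hint": ("check that the vulnerability protection profile is "
                         "attached to rule %r and sets %s to %s"
                         % (r["rule"], r["sev"], expected)),
            })
    return findings


if __name__ == "__main__":
    recs = parse(SAMPLE_LOGS)
    for sid, buckets in group_by_session(recs).items():
        print("session", sid)
        for kind in ("traffic", "url", "vulnerability"):
            for r in buckets[kind]:
                print("  ", explain(r))
    for f in check_vp_action(recs, {"medium": "drop", "critical": "reset-both"}):
        print("MISMATCH", f)
```

Run it against your own export by replacing SAMPLE_LOGS with parsed records that carry the same field names; the mismatch list is the set of sessions where the profile visibly did not do what you configured, which is the first thing to verify on the security rule before assuming URL processing took priority.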

L1 Bithead

Thank you.

I think the most important point is confirming whether a security profile is applied to the security policy. From the threat log I was able to confirm that the traffic in question hit the security policy, and that a custom vulnerability protection profile with medium set to drop is applied to that security policy.

Thank you very much. For the logs you sent, if you set the vulnerability protection profile to drop severity critical, will the action be drop?
