01-18-2021 01:25 AM
I set medium to drop in the vulnerability protection profile,
but when I check the log, Severity is medium, but action is alert. Why not drop?
If you check the verbose log, the type is url and action is alert. Severity is informational.
In this case, isn't url processing prioritized and not dropped?
01-18-2021 01:40 AM
Hi @t-katsuki ,
First, where are you looking for the logs, I mean under Threat or URL filtering section? If you want to see vulnerability protection profile related logs, please check under threat logs tab. Also before checking logs under said tab, you need to have that profile to be mapped to the security policy which is allowing the traffic. Unless you have VP profile attached to the security policy, it won't come into picture while processing the traffic.
01-18-2021 01:51 AM
there is a distinct difference between vulnerability logs and url logs
an url log will always be severity informational, the action will depend on what the category action is set to, so might be alert (url allowed), block-url, continue, ...
as you can see in the example below, there are 3 logs associated to a single session and all have a different severity and action
the traffic log in green is a simple allow rule, no severity. this is because the session was allowed initially by the security policy
the url filtering log in red is informational and alert, because url logs are always informational, and the url category was allowed in the url filtering profile
the vulnerability profile in purple is critical and reset-both, because a vulnerability was found once the http connection started going and payload was transferred that contained something bad
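The distinction drawn in the reply above, as an added example that is not part of the original thread: a check that compares only vulnerability-type log rows against the configured profile and skips URL and traffic rows for the same session. The column names, the sample rows and the `PROFILE` mapping are constructed assumptions, not the PAN-OS export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in a simplified layout (assumed column names,
# not the exact PAN-OS export format). Session 101 mirrors the thread.
SAMPLE = """session_id,log_type,severity,action
101,traffic,,allow
101,url,informational,alert
101,vulnerability,critical,reset-both
102,url,informational,alert
102,vulnerability,medium,alert
103,url,informational,block-url
"""

# Hypothetical profile: the action configured per severity.
PROFILE = {"critical": "reset-both", "high": "reset-both", "medium": "drop"}


def load_sessions(text):
    """Group log rows by session id."""
    sessions = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        sessions[row["session_id"]].append(row)
    return dict(sessions)


def profile_mismatches(sessions, profile):
    """Return (session_id, severity, seen, expected) for vulnerability logs
    whose action differs from the profile. URL and traffic rows are skipped:
    their action comes from the URL category or the security rule."""
    out = []
    for sid, rows in sorted(sessions.items()):
        for row in rows:
            if row["log_type"] != "vulnerability":
                continue
            expected = profile.get(row["severity"])
            if expected is not None and row["action"] != expected:
                out.append((sid, row["severity"], row["action"], expected))
    return out


if __name__ == "__main__":
    for hit in profile_mismatches(load_sessions(SAMPLE), PROFILE):
        print("session %s: %s vulnerability log shows %s, profile says %s" % hit)
```
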
01-18-2021 05:29 PM
Thank you very much. For the logs you sent, if you set the vulnerability defense profile to drop severity critical, will action be drop?