12-29-2021 03:56 PM
Hi folks, I am not very familiar with Palo Alto logs. We're getting logs in the SIEM console in which the event name is "URL filtering" and the action for this event is "allow", so can someone please shed some light on this issue?
01-04-2022 04:15 AM
Hi @simr12, both actions will simply allow traffic for the destination URL. The only difference would be:
Alert - Traffic will be allowed for the URL, and it will also add a log entry for this under the URL Filtering logs.
Allow - Traffic will be allowed without any log entry under the URL Filtering logs. Basically, this action type won't give you visibility into the allowed URL, as there will be no log entry for it.
Hope it helps!
12-29-2021 11:08 PM - edited 12-29-2021 11:10 PM
Hi @simr12,
This doesn't sound like an issue. Those must be URL Filtering logs for traffic that is being allowed through the firewall. To get more clarity on the logs, you can check them on the firewall under Monitor --> URL Filtering. Here you will see which URL is being allowed and who is accessing it. You can also identify which particular security policy is allowing it.
Hope it helps!
01-03-2022 03:29 PM
Thanks for the reply.
I mean to say: if there are actions such as "alert" and "allow" for the event "URL filtering", and the event description for this is "URL detected but not blocked", could you please describe these actions, i.e. what do they mean?
01-04-2022 04:42 PM
Thanks for the help. It makes more sense now. You really gave a good explanation.
But I would like to know about the PA firewall payload logs for traffic; sometimes it's hard for me to understand them.
For example: if the event name is "traffic end" and the low-level category is "firewall permit", the action for this event is "allowed".
Could you please describe to me the payload information that we see in a SIEM solution such as IBM QRadar, i.e. which information in the payload should we focus on more?
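The alert-vs-allow distinction from the accepted answer, and the "traffic end / firewall permit" events asked about above, as a small added triage helper that is not part of this thread or of Palo Alto Networks' own tooling. The log lines and their key=value layout are constructed for this example (real PAN-OS syslog is positional CSV and must be mapped from the vendor's field reference); field names such as rule, url and app are assumptions.

```python
from collections import Counter

# Constructed sample of forwarded firewall events (not real PAN-OS output).
# THREAT/url lines are URL Filtering log entries; TRAFFIC/end lines are
# session-end records, which a SIEM shows as "traffic end" / "firewall permit".
SAMPLE_LOGS = """\
type=THREAT subtype=url action=alert rule=Allow-Web src=10.1.1.20 dst=93.184.216.34 url=example.com/ category=computer-and-internet-info
type=THREAT subtype=url action=alert rule=Allow-Web src=10.1.1.21 dst=93.184.216.34 url=example.com/login category=computer-and-internet-info
type=THREAT subtype=url action=block-url rule=Block-Risky src=10.1.1.22 dst=198.51.100.7 url=malware.test/ category=malware
type=TRAFFIC subtype=end action=allow rule=Allow-Web src=10.1.1.20 dst=93.184.216.34 app=web-browsing bytes=8123
type=TRAFFIC subtype=end action=deny rule=Deny-All src=10.1.1.30 dst=203.0.113.9 app=unknown-tcp bytes=60
"""


def parse_line(line):
    """Split one constructed key=value line into a dict (values contain no spaces)."""
    return dict(kv.split("=", 1) for kv in line.split())


def parse_logs(text):
    """Parse every non-empty line of the constructed log text."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def url_visibility(events):
    """Count URL Filtering entries that were allowed but still logged.

    Per the thread: a URL profile action of 'allow' writes no URL log, so the
    only allowed-and-visible entries carry action 'alert'. Keyed by
    (security rule, URL) so you can see which policy permitted which site.
    """
    counts = Counter()
    for e in events:
        if e.get("type") == "THREAT" and e.get("subtype") == "url" \
                and e.get("action") == "alert":
            counts[(e["rule"], e["url"])] += 1
    return counts


def permitted_sessions(events):
    """Return (rule, src, dst, app) for TRAFFIC/end records with action allow,
    i.e. the 'traffic end' + 'firewall permit' events seen in the SIEM."""
    return [(e["rule"], e["src"], e["dst"], e["app"]) for e in events
            if e.get("type") == "TRAFFIC" and e.get("subtype") == "end"
            and e.get("action") == "allow"]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for (rule, url), n in url_visibility(evs).items():
        print(f"URL allowed+logged (alert): rule={rule} url={url} count={n}")
    for row in permitted_sessions(evs):
        print("firewall permit:", row)
```

Run against the constructed sample, the blocked URL and the denied session are excluded, leaving the two alerted URLs and one permitted session keyed by the rule that allowed them.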
01-04-2022 05:30 PM - edited 01-04-2022 05:38 PM
Thank you for this discussion and for going through this topic @simr12 @SutareMayur.
I am sorry, I have one question on this topic. I was under the impression that a URL category with site access "allow" will not generate any log. If there is no URL log generated by the firewall, how is it possible that there is a log being sent to the SIEM, as mentioned in this post?
Thank you in advance & kind regards,
Pavel