Palo Alto Firewall Actions


L1 Bithead

Hi folks, I am not very familiar with Palo Alto logs. We're getting logs in the SIEM console in which the event name is URL filtering and the action for this event is allow, so can someone please shed some light on this issue?


Cyber Elite

Hi @simr12 ,

This doesn't sound like an issue. Those must be URL filtering logs for traffic that is being allowed by the firewall. To get more clarity on the logs, you can check them on the firewall under Monitor --> URL Filtering. There you will see which URL is being allowed and who is accessing it. You can also identify which particular security policy is allowing it.

Hope it helps!

Mayur

Thanks for the reply.
What I mean is: there are actions such as alert and allow for the URL filtering events, and the event description is "URL detected but not blocked". Would you please describe these actions and what they mean?

Cyber Elite (accepted solution)

Hi @simr12 , both actions will simply allow traffic to the destination URL. The only difference is:

Alert - Traffic will be allowed for the URL and a log entry for it will also be added under the URL filtering logs.

Allow - Traffic will be allowed without any log entry under the URL filtering logs. Basically this action type won't give you visibility into the allowed URL, as there will be no log entry for it.

Hope it helps!

Mayur

Thanks for the help. It makes more sense now. You really gave a good explanation.

But I would like to know about the PA firewall payload logs for traffic; sometimes it's hard for me to understand them.

For example: if the event name is traffic end and the low-level category is firewall permit, the action for this event is allowed.

Could you please describe to me the payload information that we see in a SIEM solution such as IBM QRadar, i.e. which information in the payload should we focus on more?
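As an added example, not code from this thread or from Palo Alto Networks: a small Python script that pulls the fields worth focusing on first (type, subtype, rule, app, action, session id, URL, category) out of constructed PAN-OS style CSV syslog lines and joins the TRAFFIC and THREAT/url records on session id. That join makes the alert/allow difference visible from the SIEM side: a web session whose URL category is set to "alert" carries a url record, while one whose category is set to "allow" has only the traffic end record. The column positions, sample values and field width are assumptions, not taken from the thread.

```python
import csv
from io import StringIO

# Assumed 0-based column positions in the PAN-OS CSV syslog format (index 0 is FUTURE_USE);
# layouts differ between PAN-OS versions, so check the syslog field reference for yours.
FIELDS = {"type": 3, "subtype": 4, "src": 7, "dst": 8, "rule": 11, "app": 14,
          "session_id": 22, "action": 30, "url": 31, "category": 33}
WIDTH = 40  # padded width of the constructed sample lines (assumption)

def build_line(**values):
    """Construct a PAN-OS style CSV line for the demo (test data, not a real export)."""
    cols = [""] * WIDTH
    for name, value in values.items():
        cols[FIELDS[name]] = value
    return ",".join(cols)

def parse_line(line):
    """Extract the fields to look at first when triaging a PA log line in a SIEM."""
    cols = next(csv.reader(StringIO(line)))
    return {name: cols[idx] for name, idx in FIELDS.items()}

def correlate(lines):
    """Join TRAFFIC and THREAT/url records on session id. URL visibility exists only
    where the URL filtering action wrote a url log (alert or block); 'allow' writes none."""
    sessions = {}
    for rec in map(parse_line, lines):
        s = sessions.setdefault(rec["session_id"], {"rule": rec["rule"], "app": rec["app"],
                                                    "traffic": None, "urls": []})
        if rec["type"] == "TRAFFIC":
            s["traffic"] = (rec["subtype"], rec["action"])  # e.g. ('end', 'allow')
        elif rec["type"] == "THREAT" and rec["subtype"] == "url":
            s["urls"].append((rec["url"], rec["category"], rec["action"]))
    return sessions

def visibility_gaps(sessions):
    """Permitted web sessions with no url log: category action 'allow' (or no URL profile)."""
    return sorted(sid for sid, s in sessions.items() if s["traffic"] == ("end", "allow")
                  and s["app"] == "web-browsing" and not s["urls"])

# Constructed sample: session 1001 hit a category set to 'alert', 1002 one set to 'allow'.
SAMPLE = [
    build_line(type="TRAFFIC", subtype="end", src="10.1.1.5", dst="203.0.113.10",
               rule="allow-web", app="web-browsing", session_id="1001", action="allow"),
    build_line(type="THREAT", subtype="url", src="10.1.1.5", dst="203.0.113.10",
               rule="allow-web", app="web-browsing", session_id="1001", action="alert",
               url="example.com/", category="computer-and-internet-info"),
    build_line(type="TRAFFIC", subtype="end", src="10.1.1.6", dst="203.0.113.20",
               rule="allow-web", app="web-browsing", session_id="1002", action="allow"),
]
```

Running `visibility_gaps(correlate(SAMPLE))` returns `['1002']`, the session you can see was permitted but whose URL the firewall never logged.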

Cyber Elite

Thank you for this discussion and for going through this topic @simr12 @SutareMayur 

I am sorry, I have one question on this topic. I was under the impression that a URL category with site access "allow" will not generate any log. If no URL log is generated by the firewall, how is it possible that there is a log being sent to the SIEM, as mentioned in this post?

Thank you in advance & kind regards

Pavel
