Palo Alto Networks Knowledgebase: URL Filter Log Not Generated by Custom URL Category for CSV File

URL Filter Log Not Generated by Custom URL Category for CSV File

3106
Created On 02/07/19 23:39 PM - Last Updated 02/07/19 23:39 PM
Policy
Resolution

Issue

A custom URL category for CSV files is entered into a URL filtering profile for the purposes of monitoring the downloading of a CSV file from a server. However, when the CSV file is accessed and downloaded, a URL filtering log entry is not generated.

 

Details

The following screenshot displays an example of custom URL category for a CSV file:

Screen Shot 2013-02-25 at 10.37.54 AM.png

 

The custom URL category is entered into a URL Filtering Profile:

Screen Shot 2013-02-25 at 10.40.28 AM.png

 

The session information from the Palo Alto Networks firewall indicate that the custom URL category has been detected:

> show session all

---------------------------------------------------------------------

ID      Application    State Type Flag  Src[Sport]/Zone/Proto

Vsys Dst[Dport]/Zone

---------------------------------------------------------------------

2 web-browsing  ACTIVE  FLOW 172.16.1.200[4001]/TapZone/6

vsys1 172.16.1.100[80]/TapZone

 

> show session id 2

Session 2

        c2s flow:

          source:      172.16.1.200 [TapZone]

          dst:        172.16.1.100

          proto:      6

          sport:      4001            dport:      80

          state:      ACTIVE          type:      FLOW

 

        s2c flow:

          source:      172.16.1.100 [TapZone]

          dst:        172.16.1.200

          proto:      6

          sport:      80              dport:      4001

          state:      ACTIVE          type:      FLOW

 

      start time                    : Fri Nov 30 06:47:06 2012

        timeout                      : 30 sec

        time to live                  : 21 sec

        total byte count(c2s)        : 4038

        total byte count(s2c)        : 45020

        layer7 packet count(c2s)      : 23

        layer7 packet count(s2c)      : 34

        vsys                          : vsys1

      application                  : web-browsing

        rule                          : URL Filtering    <- URL Filtering rule triggered

        session to be logged at end  : True

        session in session ager      : True

        session synced from HA peer  : False

        layer7 processing            : enabled

        URL filtering enabled        : True

        URL category                 : CSV                       <- Custom URL category

        ingress interface            : ethernet1/3

        egress interface             : ethernet1/3

 

Resolution

Check the "Content-Type" of http response header from the web server.

Example:

HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

expires: 0

Content-Disposition: attachment;filename="download_test_file.csv"

Content-Type: text/csv                 <- Note that the value for content-type is: text/csv

Pragma: no-cache

Cache-control: max-age=0

Connection: close

Transfer-Encoding: chunked

 

To resolve the issue, add the text/csv content-type to the Container Pages on the Palo Alto Networks firewall:

  1. Navigate to the Device > Setup > Content-ID page
  2. Click Container Pages
  3. Click Add and add an entry for text/csv
    Screen Shot 2013-02-25 at 9.42.22 AM.png

owner: kkondo



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClwWCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language