Issue
A custom URL category for CSV files is entered into a URL filtering profile for the purposes of monitoring the downloading of a CSV file from a server. However, when the CSV file is accessed and downloaded, a URL filtering log entry is not generated.
Details
The following screenshot displays an example of custom URL category for a CSV file:
The custom URL category is entered into a URL Filtering Profile:
The session information from the Palo Alto Networks firewall indicate that the custom URL category has been detected:
> show session all
---------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto
Vsys Dst[Dport]/Zone
---------------------------------------------------------------------
2 web-browsing ACTIVE FLOW 172.16.1.200[4001]/TapZone/6
vsys1 172.16.1.100[80]/TapZone
> show session id 2
Session 2
c2s flow:
source: 172.16.1.200 [TapZone]
dst: 172.16.1.100
proto: 6
sport: 4001 dport: 80
state: ACTIVE type: FLOW
s2c flow:
source: 172.16.1.100 [TapZone]
dst: 172.16.1.200
proto: 6
sport: 80 dport: 4001
state: ACTIVE type: FLOW
start time : Fri Nov 30 06:47:06 2012
timeout : 30 sec
time to live : 21 sec
total byte count(c2s) : 4038
total byte count(s2c) : 45020
layer7 packet count(c2s) : 23
layer7 packet count(s2c) : 34
vsys : vsys1
application : web-browsing
rule : URL Filtering <- URL Filtering rule triggered
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
layer7 processing : enabled
URL filtering enabled : True
URL category : CSV <- Custom URL category
ingress interface : ethernet1/3
egress interface : ethernet1/3
Resolution
Check the "Content-Type" of http response header from the web server.
Example:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
expires: 0
Content-Disposition: attachment;filename="download_test_file.csv"
Content-Type: text/csv <- Note that the value for content-type is: text/csv
Pragma: no-cache
Cache-control: max-age=0
Connection: close
Transfer-Encoding: chunked
To resolve the issue, add the text/csv content-type to the Container Pages on the Palo Alto Networks firewall:
- Navigate to the Device > Setup > Content-ID page
- Click Container Pages
- Click Add and add an entry for text/csv
owner: kkondo