URL Filtering Block Showing End-Reason of Threat - Knowledge Base - Palo Alto Networks

URL Filtering Block Showing End-Reason of Threat

Created On 04/08/19 21:49 PM - Last Modified 04/10/19 15:42 PM


Symptom


Web browser traffic blocked by the URL filtering profile shows two separate log entries for the same session: one showing an "allow" action and the other showing "block-url." Although the traffic was blocked, there is no entry for it in the threat logs.

The session ID for this traffic is 73419. Searching for this session ID in the threat logs returns no entries.


Cause


After session creation, the firewall will perform "Content Inspection Setup." The URL filtering engine will determine the URL and take appropriate action. 

This article explains URL filtering priority: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC


Resolution


For this traffic, the category "private-ip-addresses" is set to block. Once the firewall determines the URL is hitting a category set to block, the firewall will inject a block web page. There will be a log entry in the URL filtering logs showing the URL, the category, and the action taken. 

As the block action for the URL filtering occurred in the content-ID engine, from the firewall perspective, the TCP session was handled without any block from the firewall engine. The firewall engine will view this session as allowed. The traffic is still blocked due to content-ID engine blocking. The result of this behavior will be two separate log entries for a single session.

Because the content-ID engine blocked the session before the session timed out, the block-url log entry will show a receive time earlier than the firewall log entry with the "allow" action.

One important note is that not all sessions showing end-reason of "threat" will be logged in the threat logs. 

For reference, the following configurable profiles will have entries in the following logs.

Monitor > Logs:
  • Threat: Anti-Virus, Anti-Spyware, Vulnerability Protection, DoS Protection
  • URL Filtering: URL Filtering Profile
  • Data Filtering: File Blocking, Data Filtering
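
The log mapping above can be applied as a triage step over exported logs. The following is an added example, not code from the article or from Palo Alto Networks: for every traffic entry with end-reason "threat", it finds which log type carries the matching session ID and whether that entry was received earlier. The field names, the timestamps and every session other than 73419 are constructed for illustration.

```python
from datetime import datetime

# Constructed sample records. Field names are assumptions for this example,
# not the firewall's export column names. Session 73419 mirrors the article.
TRAFFIC = [
    {"session_id": 73419, "action": "allow", "end_reason": "threat",
     "receive_time": "2019-04-08 21:40:35"},
    {"session_id": 80001, "action": "allow", "end_reason": "threat",
     "receive_time": "2019-04-08 21:41:10"},
    {"session_id": 80002, "action": "allow", "end_reason": "tcp-fin",
     "receive_time": "2019-04-08 21:42:00"},
    {"session_id": 80003, "action": "allow", "end_reason": "threat",
     "receive_time": "2019-04-08 21:43:00"},
]
URL_FILTERING = [
    {"session_id": 73419, "action": "block-url",
     "category": "private-ip-addresses", "receive_time": "2019-04-08 21:40:05"},
]
THREAT = [
    {"session_id": 80001, "action": "reset-both",
     "receive_time": "2019-04-08 21:41:02"},
]
DATA_FILTERING = []


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def explain_threat_sessions(traffic, threat, url, data):
    """Map each end-reason "threat" session to (log, action, logged_earlier)."""
    logs = {"Threat": threat, "URL Filtering": url, "Data Filtering": data}
    report = {}
    for entry in traffic:
        if entry["end_reason"] != "threat":
            continue
        hits = []
        for name, rows in logs.items():
            for row in rows:
                if row["session_id"] == entry["session_id"]:
                    earlier = _ts(row["receive_time"]) < _ts(entry["receive_time"])
                    hits.append((name, row["action"], earlier))
        report[entry["session_id"]] = hits or [("unexplained", None, False)]
    return report


if __name__ == "__main__":
    print(explain_threat_sessions(TRAFFIC, THREAT, URL_FILTERING, DATA_FILTERING))
```

A session reported as "unexplained" has end-reason "threat" but no matching entry in any of the three exported logs, which usually means the export window or filter missed the corresponding entry.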

