URL Filtering Block Showing End-Reason of Threat
50907
Created On 04/08/19 21:49 PM - Last Modified 04/10/19 15:42 PM
Symptom
Web browser traffic for a single session blocked by the URL filtering profile shows two separate log entries: a traffic log entry with the action "allow" and a URL filtering log entry with the action "block-url." Although the traffic was blocked, there is no corresponding entry in the threat logs.
The session ID in this case is 73419. Searching the threat logs for this session ID returns no entries.
Cause
After session creation, the firewall performs "Content Inspection Setup." The URL filtering engine then determines the category of the requested URL and takes the action configured for that category in the URL filtering profile.
This article explains URL filtering priority: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC
Resolution
For this traffic, the category "private-ip-addresses" is set to block in the URL filtering profile. Once the firewall determines that the requested URL falls into a category set to block, it injects a block web page into the session. A URL filtering log entry records the URL, the category, and the action taken (block-url).
Because the block was applied by the content-ID engine, the session itself was never dropped by the firewall's session engine: from that engine's perspective, the TCP session matched an allow rule and was handled without any block. The traffic log therefore shows the action "allow," while the session end-reason is "threat" because content-ID terminated the session. The traffic is still blocked. The result of this behavior is two separate log entries for a single session, in two different logs.
Because the content-ID engine blocked the session before the session timed out, and the traffic log entry is written only when the session ends (with the default log-at-session-end setting), the block-url entry in the URL filtering log shows an earlier receive time than the traffic log entry with the "allow" action.
One important note is that not all sessions showing an end-reason of "threat" will have an entry in the threat logs. The end-reason "threat" only means that a content-ID engine ended the session; the engine that did so determines which log holds the entry.
For reference, the following configurable profiles write their entries to the following logs under Monitor > Logs:
- Threat: Anti-Virus, Anti-Spyware, Vulnerability Protection, DoS Protection
- URL Filtering: URL Filtering Profile
- Data Filtering: File Blocking, Data Filtering
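The following script, added here as an example and not part of the original article, shows how to correlate the three logs by session ID and, for every traffic entry that ends with "threat", name the log that actually holds the block. It goes slightly beyond the case above by also handling sessions ended by the Threat and Data Filtering logs. The rows are constructed (not real firewall output); the column names follow the PAN-OS log field names, but a real CSV export carries many more columns, and the helper names (parse_logs, locate_block, and so on) are this example's own.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows (not real firewall output). Session 73419 is the
# case from the article: a URL Filtering entry with action block-url and a
# traffic entry with action allow and end-reason threat, and no Threat entry.
# Session 73420 is a control case stopped by a vulnerability signature, so it
# does have a Threat entry. Session 73421 was stopped by a file blocking
# profile, so its entry sits in the Data Filtering log. Session 73422 ended
# normally. Threat and file names are placeholders.
SAMPLE_LOGS = """\
receive_time,type,sessionid,action,category,session_end_reason,threat_name
2019/04/08 21:40:02,URL,73419,block-url,private-ip-addresses,,
2019/04/08 21:40:33,TRAFFIC,73419,allow,private-ip-addresses,threat,
2019/04/08 21:41:10,THREAT,73420,reset-both,,,constructed-vulnerability-signature
2019/04/08 21:41:11,TRAFFIC,73420,allow,,threat,
2019/04/08 21:42:05,DATA,73421,block,,,constructed-file-type
2019/04/08 21:42:40,TRAFFIC,73421,allow,,threat,
2019/04/08 21:43:00,TRAFFIC,73422,allow,web-browsing,tcp-fin,
"""

TIME_FORMAT = "%Y/%m/%d %H:%M:%S"

# Which view under Monitor > Logs holds the entry written by each engine.
LOG_VIEW = {"THREAT": "Threat", "URL": "URL Filtering", "DATA": "Data Filtering"}


def parse_logs(text):
    """Group CSV rows by session ID, each group sorted by receive time."""
    by_session = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        row["_time"] = datetime.strptime(row["receive_time"], TIME_FORMAT)
        by_session[row["sessionid"]].append(row)
    for rows in by_session.values():
        rows.sort(key=lambda r: r["_time"])
    return dict(by_session)


def locate_block(rows):
    """For one session, return (log view, detail) for the entry that ended it,
    or None when the traffic entry does not carry end-reason 'threat'."""
    traffic = [r for r in rows if r["type"] == "TRAFFIC"]
    if not any(r["session_end_reason"] == "threat" for r in traffic):
        return None
    # Rows are in receive-time order, so the blocking entry (written at the
    # moment of the block) comes before the traffic entry (written at session end).
    for row in rows:
        view = LOG_VIEW.get(row["type"])
        if view is None:
            continue
        detail = row["threat_name"] or row["category"]
        return (view, detail)
    return ("not logged", "")


def block_precedes_traffic_entry(rows):
    """True when the entry that ended the session was received before the
    traffic log entry, which is the ordering the article describes."""
    traffic_times = [r["_time"] for r in rows if r["type"] == "TRAFFIC"]
    block_times = [r["_time"] for r in rows if r["type"] in LOG_VIEW]
    return bool(block_times) and bool(traffic_times) and min(block_times) < min(traffic_times)


def explain_threat_end_reasons(text):
    """Map each session whose traffic entry ends with 'threat' to the log holding the block."""
    findings = {}
    for sid, rows in parse_logs(text).items():
        located = locate_block(rows)
        if located is not None:
            findings[sid] = located
    return findings


if __name__ == "__main__":
    for sid, (view, detail) in explain_threat_end_reasons(SAMPLE_LOGS).items():
        print(f"session {sid}: end-reason threat, block recorded in the {view} log ({detail})")
```

Run against the constructed rows, session 73419 resolves to the URL Filtering log with category private-ip-addresses, which is the answer the resolution above gives; searching only the Threat log for that session ID finds nothing, exactly as in the symptom. One caveat for SIEM users: in syslog and CSV exports the URL Filtering log is carried with type THREAT and subtype url, so a collector query on type THREAT alone will return it. The "missing" entry is specific to the Threat log view in the web interface and the threat subtypes listed above.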