Risk Category Appears Instead of Valid Category Under URL Filtering Log

22478

Created On 04/19/19 04:13 AM - Last Modified 04/19/19 15:45 PM

Threat Log

URL Category

URL Filtering Log

URL Filtering

9.0

PAN-OS

Symptom

After upgrade PAN-OS to 9.0, risk category appears in the category column instead of the actual category under the URL filtering log.
Risk Category shows in Category column

NOTE: We are starting to support multi-category URL Filtering in PAN-OS 9.0. Review this article for more information: Multi-Category URL Filtering.

Environment

PAN-OS 9.0

Cause

This is expected behavior when you set the same action for both categories, which are on URL Category List. For example, you set all categories to alert, and there is no priority among the predefined categories. The matched category could be either one of the URL categories. PAN-OS matches the URL to a category in alphabetical order and chooses to log the latest category.

If the URL matches "music" and "low-risk," you will see "music" in category column just as you see in PAN-OS 8.1 and earlier. However, if the URL matches "financial-services" and "low-risk," you can see "low-risk" in the category column.

Resolution

When a URL has multi-category that are set to different actions, the strictest URL filtering profile action is chosen and logged. From the most strict to the least strict actions are as follows: block, override, continue, alert, and allow.

Therefore, if you want to see the same category as a previous PAN-OS version, you are able to achieve it when you set "allow" as the risk categories action. Below are the steps to make that change.

STEP 1: Log on to the web interface
STEP 2: Click the Objects tab
STEP 3: Click URL Filtering on the left menu
STEP 4: Click the specific URL Filtering Profile name
STEP 5: Change action to "allow" on risk category
STEP 6: Click OK to close the profile
STEP 7: Click Commit on the top right corner to apply setting
Set action to allow on low-risk.png

Additional Information