Risk Category Appears Instead of Valid Category Under URL Filtering Log
Created On 04/19/19 04:13 AM - Last Updated 04/19/19 15:45 PM
After upgrade PAN-OS to 9.0, risk category appears in the category column instead of the actual category under the URL filtering log.
NOTE: We are starting to support multi-category URL Filtering in PAN-OS 9.0. Review this article for more information: Multi-Category URL Filtering.
This is expected behavior when you set the same action for both categories, which are on URL Category List. For example, you set all categories to alert, and there is no priority among the predefined categories. The matched category could be either one of the URL categories. PAN-OS matches the URL to a category in alphabetical order and chooses to log the latest category.
If the URL matches "music" and "low-risk," you will see "music" in category column just as you see in PAN-OS 8.1 and earlier. However, if the URL matches "financial-services" and "low-risk," you can see "low-risk" in the category column.
When a URL has multi-category that are set to different actions, the strictest URL filtering profile action is chosen and logged. From the most strict to the least strict actions are as follows: block, override, continue, alert, and allow.
Therefore, if you want to see the same category as a previous PAN-OS version, you are able to achieve it when you set "allow" as the risk categories action. Below are the steps to make that change.
STEP 1: Log on to the web interface
STEP 2: Click the Objects tab
STEP 3: Click URL Filtering on the left menu
STEP 4: Click the specific URL Filtering Profile name
STEP 5: Change action to "allow" on risk category
STEP 6: Click OK to close the profile
STEP 7: Click Commit on the top right corner to apply setting
For additional information about this topic, please review the following articles: