URL category that is configured for "Allow" is being logged in the Panorama's URL filtering logs

Created On 10/18/22 02:10 AM - Last Modified 04/29/24 23:02 PM


Symptom


  • A firewall is configured to block a few URL filtering categories, and alert on a few others.
  • The remaining categories are left as default 'allow' which does not generate logs.
  • The firewall is also configured to forward all URL logs to Panorama.
  • One of the firewalls is populating URL filtering logs on Panorama for categories set to 'allow'.
  • This can be seen under GUI: Monitor > Logs > URL Filtering, where entries with the "allow" action are being logged and sent to Panorama (log forwarding).

 


Environment


  • Panorama managed Palo Alto Firewalls
  • Supported PAN-OS
  • URL Filtering 
  • Logging Service
  • Cortex Data Lake

 


Cause


  • By default, categories set to allow do not generate URL filtering log entries.
  • With ‘Enable enhanced application logging to Logging Service’ enabled, URL filtering logs with the ‘allow’ action are also forwarded.


Resolution


  1. On the firewall, go to GUI: Device > Setup > Management > Logging Service and edit the Cortex Data Lake settings.
  2. Uncheck "Enhanced Application Logging on the firewall".


  3. Next, go to GUI: Objects > Log Forwarding and add or modify a log forwarding profile.
  4. Update the profile to uncheck "Enable enhanced application logging to the Logging Service".
  5. Commit the configuration.
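
To find which firewall is forwarding 'allow' entries, and to confirm after the commit that they have stopped, a URL filtering log export can be summarised per device. This is an added example, not part of the original article or any Palo Alto Networks tooling; the CSV column names, device names and log rows are constructed assumptions to adapt to your own export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of a URL filtering log export. Column names are assumed;
# rename them to match the header row of your own export.
SAMPLE_EXPORT = """\
Receive Time,Device Name,Category,Action,URL
2024/04/29 10:01:12,fw-branch-01,news,alert,news.example/a
2024/04/29 10:02:40,fw-branch-02,search-engines,allow,search.example/
2024/04/29 10:03:05,fw-branch-01,gambling,block-url,bets.example/
2024/04/29 10:07:51,fw-branch-02,business-and-economy,allow,corp.example/
2024/04/29 11:30:00,fw-branch-02,news,alert,news.example/b
"""

TIME_FORMAT = "%Y/%m/%d %H:%M:%S"  # assumed timestamp layout of the export


def allow_log_sources(export_text, since=None):
    """Return {device: {"count", "categories", "last_seen"}} for 'allow' entries.

    since: optional datetime; only entries received at or after it are counted,
    so passing the commit time shows whether any 'allow' logs still arrive.
    """
    sources = defaultdict(
        lambda: {"count": 0, "categories": set(), "last_seen": None}
    )
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Action"].strip().lower() != "allow":
            continue  # block/alert entries are expected and ignored here
        received = datetime.strptime(row["Receive Time"].strip(), TIME_FORMAT)
        if since is not None and received < since:
            continue
        entry = sources[row["Device Name"].strip()]
        entry["count"] += 1
        entry["categories"].add(row["Category"].strip())
        if entry["last_seen"] is None or received > entry["last_seen"]:
            entry["last_seen"] = received
    return dict(sources)


if __name__ == "__main__":
    for device, info in sorted(allow_log_sources(SAMPLE_EXPORT).items()):
        print(device, info["count"], sorted(info["categories"]), info["last_seen"])
```

A device that appears in the result is a candidate for the two settings above; an empty result for `since=<commit time>` indicates the change took effect.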



