Monitoring

Introduction to tools and tasks that help you monitor web activity on your network.
Where can I use this?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
What do I need?
Notes:
  • Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
  • Prisma Access licenses include Advanced URL Filtering capabilities.
Palo Alto Networks firewalls and management platforms provide multiple ways of monitoring web activity on your network. URL filtering logs, reports, and dashboards offer high-level and detailed visibility. For example, you can examine URL filtering logs for details about a specific web session or view a visual summary of threats blocked by Advanced URL Filtering and other services in the Application Command Center (ACC) or Strata Command Center. You can filter and query logs and dashboards to focus on the data that matters most. You can also generate, schedule, and share reports.
URL filtering logs display comprehensive information about web traffic controlled by your Security policy rules. These logs are a data source for the dashboards, reports, and other views that deliver actionable insights. Two features, HTTP header logging and log container page only, give you control over log detail and log volume, respectively. HTTP header logging increases the granularity of logs, while logging only the main page that users access reduces the number of logs generated.
URL filtering logs might not be generated if traffic is blocked by an App-ID rule rather than a URL category match. For comprehensive monitoring, review application usage and other statistics in addition to URL filtering and URL-specific data.
Regular monitoring of web activity is essential whether you're getting started with URL filtering or maintaining an established URL filtering policy. Monitoring web activity helps you understand user behavior, fine-tune web access rules, and take action on suspicious activity. For example, you might notice a spike in attempts to access a blocked website. This could indicate improper web usage, a security threat, or that a legitimate website is being blocked inadvertently. Insights from monitoring tools can help you focus investigations and take appropriate action. The tools described in this chapter help your team:
  • Understand user behavior and what's happening on your network. What websites and web applications are your users accessing? How frequently?
  • Optimize policies and other configuration components. Verify that Security policy rules, URL categorization, and configurations that impact URL filtering work as expected. What rules need modification? Do you need to modify website access for a particular user or group or in general? Do you need to make exceptions to the enforcement of a particular URL category?
  • Troubleshoot issues. Diagnose and resolve issues with website access, URL filtering response page displays, and incorrect URL categorization. You can also look at other data points and summaries to focus an investigation.
  • Identify known or unknown threats. What websites or web applications were accessed and blocked? What other actions might need to be taken?
  • Ensure compliance. Make sure users adhere to regulatory or business policies, such as acceptable web usage policies. You can filter web activity by users and create or modify Security policy rules.
If you believe a URL has been incorrectly categorized, you can request a URL category change.
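
The spike scenario described above (a sudden rise in attempts to reach a blocked website) can be checked against exported log data. The following is an added example, not Palo Alto Networks code: the four-field record schema, the `find_spikes` function, and its thresholds are assumptions made for illustration, and the sample records are constructed. It also reports how many distinct users contributed to each spike, which is one assumed way to start separating a widely used site that is being blocked inadvertently from activity tied to a single user.

```python
import csv
import io
from collections import defaultdict
from statistics import mean

# Constructed sample in a simplified schema (time,user,url,action). It is not
# the firewall's log export format; map your exported fields onto these four.
SAMPLE = "\n".join(
    [f"2024-05-01T{h:02d}:05:00,dave,games.example.net,block" for h in (9, 10, 11)]
    + ["2024-05-01T09:10:00,alice,portal.example.org,block",
       "2024-05-01T10:10:00,bob,portal.example.org,block",
       "2024-05-01T11:01:00,alice,news.example.com,alert"]
    + [f"2024-05-01T11:{m:02d}:00,user{m % 6},portal.example.org,block" for m in range(8)]
    + [f"2024-05-01T11:{m:02d}:30,erin,beacon.example.com,block" for m in range(12)]
)

def find_spikes(log_text, factor=3, min_hits=5):
    """Return spikes in blocked attempts per URL per hour, largest first.

    A (url, hour) bucket is a spike when it holds at least min_hits blocked
    attempts and at least factor times the mean of that URL's other hours
    (a URL with no other hours is compared against a baseline of 1).
    """
    hits = defaultdict(lambda: defaultdict(list))  # url -> hour -> [users]
    for time, user, url, action in csv.reader(io.StringIO(log_text)):
        if action == "block":
            hits[url][time[:13]].append(user)  # bucket by YYYY-MM-DDTHH
    spikes = []
    for url, hours in hits.items():
        for hour, users in hours.items():
            others = [len(u) for h, u in hours.items() if h != hour]
            baseline = mean(others) if others else 0
            if len(users) >= min_hits and len(users) >= factor * max(baseline, 1):
                spikes.append({"url": url, "hour": hour, "hits": len(users),
                               "distinct_users": len(set(users))})
    return sorted(spikes, key=lambda s: -s["hits"])

if __name__ == "__main__":
    for spike in find_spikes(SAMPLE):
        print(spike)
```

Because traffic blocked by an App-ID rule might not generate URL filtering logs, an empty result from a check like this does not rule out blocked activity; review application statistics as well.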