Advanced URL Filtering
Monitoring Web Activity
Monitor the web activity on your network to understand
the sites your users are accessing and develop web access policies
for your organization.
Effective monitoring of web activity requires understanding the various tools available
across Palo Alto Networks platforms and how to use them for different objectives. For
example, you might use dashboards or download a report to identify patterns in web
activity instead of analyzing numerous log entries. Querying URL filtering logs for a
specific issue might be more useful when troubleshooting. Regardless of your objective
and platform, Palo Alto Networks provides multiple ways of monitoring and analyzing web
activity on your network.
Each monitoring tool serves different analysis needs. In general:
- Dashboards provide a high-level, interactive overview of specific metrics.
- Reports provide actionable summaries for information typically bounded by specific time intervals.
- Logs offer detailed session information for investigations.
In addition to familiarizing yourself with various monitoring tools, consider doing the
following:
- Examine multiple data sources. Don't just look at URL filtering or URL-related data, as this may form an incomplete picture. Examine application data for insights into URL and user web activity that was detected by App-ID.
- Understand what normal web activity patterns look like, so that you can identify anomalies later on.
- Familiarize yourself with each of the tools and features listed for a given platform. Look at the same information in each format (dashboards, reports, logs) to see how it is presented differently.
- Create custom dashboards and reports to highlight the metrics that matter most.
- Schedule regular reviews of web activity, not just when an incident occurs.
The following table lists the platforms that provide monitoring features; the features for each platform are described in its own section below.
Platform | Ways to View User Web Activity |
---|---|
Strata Cloud Manager | See Monitoring Web Activity (Strata Cloud Manager) |
PAN-OS & Panorama | See Monitoring Web Activity (PAN-OS & Panorama) |
Monitoring Web Activity (Strata Cloud Manager)
The following list describes Strata Cloud Manager features that provide rich URL
filtering and web activity data or serve as important tools for finding, analyzing,
or sharing this data. To learn more about a specific feature, click on the
corresponding link.
- The Strata Command Center is the homepage of Strata Cloud Manager and aggregates data from various sources to provide a high-level view of the operational health, data security, and threats across your Prisma Access and NGFW deployments.
- Interactive dashboards give you a comprehensive view of the applications, ION devices, threats, users, and security subscriptions at work in your network. Some dashboards are more relevant than others for the purposes of monitoring web activity and URL filtering activity on your network. These dashboards are described below:
- Activity Insights—This dashboard is separate from the dashboards you access from the Dashboards menu. You can view consolidated data on network traffic, URL, application usage, threats, and user activity from this dashboard, which features visualization, monitoring, and reporting capabilities. Activity Insights shows aggregated data per Strata Logging Service tenant deployed in Prisma Access and NGFW environments.
- Executive Summary (URL Filtering)—See which URL categories account for the most web activity in your network, the top 10 malicious URLs, and top 10 high-risk URLs. This is one of the most relevant dashboards for viewing URL filtering activity.
- Threats—A holistic view of all threats that Advanced URL Filtering and other Palo Alto Networks security services detected and blocked in your network. You can view threat trends, impacted applications, users, and Security policy rules that are allowing or blocking threats.
- Applications—See an overview of the applications on your network, including their risk, sanction status, bandwidth consumed, and the top users of these applications.
- Users—See individual users’ browsing patterns: their most frequently visited sites, the sites with which they’re transferring data, and attempts to access high-risk sites. The data from your URL Filtering logs and the Cloud Identity Engine enable this visibility. To access user activity data and share reports easily and securely, activate and configure the Cloud Identity Engine.
- Rules—View the Security policy rules that are matched against all the traffic in your network. Review the rules matched by the most traffic sessions, analyze those sessions to determine whether a rule is overly permissive, and optimize the rule if needed.
- Your logs provide an audit trail for system, configuration, and network events. Jump from an Activity dashboard to your logs, filter by URLs to get details and investigate findings.
- Use the search on Strata Cloud Manager and enter a security artifact (an IP address, domain, URL, or file hash) to interact with data just for that artifact, drawn from both your network and global threat intelligence findings. For example, you can search an IP address to view the total number of times the IP address was detected over the past 30 days.
- View predefined reports and options for scheduling reports, downloading, and sharing a report at any time for offline viewing. The following reports are most relevant to URL filtering:
- Activity Insights - Summary
- App Usage Report
- Executive Summary
- User Activity
Monitoring Web Activity (PAN-OS & Panorama)
- For a quick view of the most common categories users access in your environment, check the ACC widgets. Most Network Activity widgets allow you to sort on URLs. For example, in the Application Usage widget, you can see that the networking category is the most accessed category, followed by encrypted tunnel and ssl. You can also view the Threat Activity and Blocked Activity lists sorted on URLs.
- View logs and configure log options. From the ACC, you can jump directly to the logs. The log Action for each entry depends on the Site Access setting you defined for the corresponding category:
  - Alert log—In this example, the computer-and-internet-info category is set to alert.
  - Block log—In this example, the insufficient-content category is set to continue. If the category had been set to block instead, the log Action would be block-url.
  - Alert log on encrypted website—In this example, the category is private-ip-addresses and the application is web-browsing. This log also indicates that the firewall decrypted this traffic.
- The [local] Inline ML verdict (PAN-OS 10.0/10.1) and the [local and cloud] Inline Categorization verdict (PAN-OS 10.2 and later) indicate the verdict determined by inline ML-based analyzers.
  - The Inline ML verdict applies to URLs that have been categorized using the locally operated URL Filtering Inline ML on PAN-OS 10.0/10.1. The following verdicts are available:
    - Phishing—phishing attack content detected by local inline ML.
    - Malicious-javascript—malicious JavaScript content detected by local inline ML.
    - Unknown—URL was categorized and content determined to be benign.
  - The Inline Categorization verdict applies to URLs that have been categorized using both the locally operated URL Filtering Inline ML (renamed local Inline Categorization in PAN-OS 10.2) and cloud Inline Categorization, which operates in the Advanced URL Filtering cloud. The specific type of attack is specified in the Category column of the log. The following verdicts are available:
    - Local—malicious content detected using local inline categorization.
    - Cloud—malicious content detected using the cloud inline categorization engine located in the Advanced URL Filtering cloud.
    - N/A—URL was not analyzed by the local or cloud inline categorization engines.
- You can also add several other columns to your URL Filtering log view, such as the to and from zone, the content type, and whether or not a packet capture was performed. To modify which columns are displayed, click the down arrow in any column and select the attribute to display. To view the complete log details or request a category change for the URL that was accessed, click the log details icon in the first column of the log.
- Generate predefined URL filtering reports on URL categories, URL users, websites accessed, blocked categories, and more. Select Monitor > Reports and, under the URL Filtering Reports section, select one of the reports. The reports cover the 24-hour period of the date you select on the calendar. You can also export the report to PDF, CSV, or XML.
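The following script is an added example (not Palo Alto Networks code) that ties together two points from this page: the advice above to learn what normal web activity looks like so that anomalies stand out, and the URL Filtering log Actions (alert, continue, block-url) and inline verdicts (Local, Cloud, N/A; Phishing, Malicious-javascript, Unknown) described in the PAN-OS section. It triages a CSV export of URL Filtering logs offline. The column names (category, action, url, src_user, inline_verdict) are simplified stand-ins for the firewall's own export fields and must be mapped to the real names before use; all log rows and the baseline shares are constructed sample data.

```python
"""Offline triage of exported URL Filtering log entries.

Added example, not Palo Alto Networks code. Column names are assumed
stand-ins for the real export fields; every row below is constructed.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Actions and inline verdicts use the values the
# documentation describes (alert, continue, block-url; Local, Cloud, N/A).
SAMPLE_EXPORT = """\
category,action,url,src_user,inline_verdict
computer-and-internet-info,alert,example.com/docs,alice,N/A
insufficient-content,continue,example.org/landing,bob,N/A
private-ip-addresses,alert,10.0.0.5/login,carol,N/A
phishing,block-url,login-example.invalid/secure,dave,Cloud
malicious,block-url,cdn.example.invalid/app.js,erin,Local
computer-and-internet-info,alert,example.net/kb,alice,N/A
computer-and-internet-info,alert,example.com/api,frank,N/A
unknown,alert,newsite.invalid/,grace,N/A
"""

# Verdict values that mean an inline analyzer found malicious content:
# PAN-OS 10.2+ Inline Categorization (Local, Cloud) and the 10.0/10.1
# Inline ML verdicts (Phishing, Malicious-javascript). N/A and Unknown
# mean nothing malicious was detected.
INLINE_DETECTED = {"Local", "Cloud", "Phishing", "Malicious-javascript"}


def parse_url_logs(text):
    """Parse a CSV export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def actions_by_category(rows):
    """Count log Actions per URL category, e.g. {'phishing': {'block-url': 1}}."""
    table = defaultdict(Counter)
    for row in rows:
        table[row["category"]][row["action"]] += 1
    return {cat: dict(counts) for cat, counts in table.items()}


def inline_detections(rows):
    """Return the rows where a local or cloud inline analyzer flagged content."""
    return [r for r in rows if r["inline_verdict"] in INLINE_DETECTED]


def category_share(rows):
    """Fraction of all entries that each category accounts for."""
    counts = Counter(r["category"] for r in rows)
    total = sum(counts.values())
    return {cat: n / total for cat, n in counts.items()} if total else {}


def anomalous_categories(rows, baseline, factor=2.0, floor=0.05):
    """Categories whose share exceeds `factor` times their baseline share.

    `baseline` maps category -> share observed during a known-normal period.
    A category missing from the baseline is compared against `floor`, so a
    category that never appeared before is reported once it is non-trivial.
    Returns {category: (current_share, expected_share)}.
    """
    flagged = {}
    for cat, share in category_share(rows).items():
        expected = baseline.get(cat, floor)
        if share > factor * expected:
            flagged[cat] = (round(share, 3), expected)
    return flagged


if __name__ == "__main__":
    rows = parse_url_logs(SAMPLE_EXPORT)
    # Constructed baseline shares from a hypothetical quiet week.
    baseline = {"computer-and-internet-info": 0.30, "insufficient-content": 0.10,
                "private-ip-addresses": 0.10, "unknown": 0.05}
    print(actions_by_category(rows))
    for r in inline_detections(rows):
        print("inline hit:", r["inline_verdict"], r["category"], r["url"], r["src_user"])
    print(anomalous_categories(rows, baseline))
```

The baseline should come from a period you have already reviewed and consider normal; with the constructed data above, the two inline-detected rows and the growth of the unknown category are what get flagged, while the established categories stay within their expected range.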