Advanced URL Filtering
Monitoring Web Activity
Monitor the web activity on your network to understand
the sites your users are accessing and develop web access policies
for your organization.
You can view various dashboards, reports, and logs to review
and analyze web activity on your network. For example, on PAN-OS
next-generation firewalls, the Application Command Center (ACC),
URL filtering logs and reports show all user web activity for URL
categories that are set to alert, block, continue,
or override. By monitoring user activity
with the following tools, you can gain a better understanding of
the web activity of your user base and determine appropriate web
access policy rules.
Platform | Ways to View User Web Activity |
---|---|
PAN-OS & Panorama |
|
Prisma Access |
|
Monitoring Web Activity (Strata Cloud Manager)
Regardless of the interface you’re using to manage Prisma Access (Panorama or Strata Cloud Manager), the Activity pane in Strata Cloud Manager provides a
comprehensive view of what’s happening in your network. Various dashboards compose the Activity pane,
which is available in the Strata Cloud Manager and Device Insights application. You
can also share Activity data with other users in your organization.
The following interactive dashboards
help you monitor and analyze web activity on your network:
- Threat Insights—A holistic view of all threats that Advanced URL Filtering and other Palo Alto Networks security services detected and blocked in your network. You can view threat trends, impacted applications, users, and Security policy rules that are allowing or blocking threats.
- Log Viewer—Your logs provide an audit trail for system, configuration, and network events. Jump from an Activity dashboard to your logs to get details and investigate findings.
- Application Usage—See an overview of the applications on your network, including their risk, sanction status, bandwidth consumed, and the top users of these applications.
- Executive Summary (URL Filtering)—See which URL categories account for the most web activity in your network, the top 10 malicious URLs, and top 10 high-risk URLs.
- User Activity—See individual users’ browsing patterns: their most frequently visited sites, the sites with which they’re transferring data, and attempts to access high-risk sites. The data from your URL Filtering logs and the Cloud Identity Engine enable this visibility.
- To access user activity data and share reports easily and securely, we recommend activating and configuring the Cloud Identity Engine.
Additional Visibility and Methods of Monitoring:
- The Reports pane includes options for scheduling report delivery or downloading and sharing a report at any time for offline viewing.
- You can also Search for a security artifact (an IP address, domain, URL, or file hash) to interact with data just for that artifact, drawn from both your network and global threat intelligence findings.
- Open an Activity dashboard.
- Select Activity > Threat Insights | Application Usage | User Activity | Executive Summary. To view the executive summary for URL Filtering, you’ll need to click the URL Filtering tab upon landing on the dashboard.
- To access the Log Viewer, select Activity > Logs > Log Viewer.
Monitoring Web Activity (PAN-OS & Panorama)
- For a quick view of the most common categories users access in your environment, check the ACC widgets. Most Network Activity widgets allow you to sort on URLs. For example, in the Application Usage widget, you can see that the networking category is the most accessed category, followed by encrypted tunnel, and ssl. You can also view the list of Threat Activity and Blocked Activity sorted on URLs.
- View logs and configure log options: From the ACC, you can jump directly to the logs. The log action for each entry depends on the Site Access setting you defined for the corresponding category:
- Alert log—In this example, the computer-and-internet-info category is set to alert.
- Block log—In this example, the insufficient-content category is set to continue. If the category had been set to block instead, the log Action would be block-url.
- Alert log on encrypted website—In this example, the category is private-ip-addresses and the application is web-browsing. This log also indicates that the firewall decrypted this traffic.
The [local] Inline ML verdict (PAN-OS 10.0/10.1) and [local and cloud] Inline Categorization verdict (PAN-OS 10.2 and later) indicate the verdict determined by inline ML-based analyzers.
- The Inline ML verdict applies to URLs that have been categorized using the locally operated URL Filtering Inline ML on PAN-OS 10.0/10.1. The following verdicts are available:
- Phishing—phishing attack content detected by local inline ML.
- Malicious-javascript—malicious JavaScript content detected by local inline ML.
- Unknown—URL was categorized and content determined to be benign.
- The Inline Categorization verdict applies to URLs that have been categorized using both the locally operated URL Filtering Inline ML (which was renamed to local Inline Categorization in PAN-OS 10.2) as well as cloud Inline Categorization, operating in the Advanced URL Filtering cloud. The specific type of attack is specified under the category column in the log. The following verdicts are available:
- Local—malicious content detected using local inline categorization.
- Cloud—malicious content detected using the cloud inline categorization engine located in the Advanced URL Filtering cloud.
- N/A—URL was not analyzed by the local or cloud inline categorization engines.
You can also add several other columns to your URL Filtering log view, such as to and from zone, content type, and whether or not a packet capture was performed. To modify what columns to display, click the down arrow in any column and select the attribute to display.
To view the complete log details and/or request a category change for the given URL that was accessed, click the log details icon in the first column of the log.
- Generate predefined URL filtering reports on URL categories, URL users, Websites accessed, Blocked categories, and more. Select Monitor > Reports and under the URL Filtering Reports section, select one of the reports. The reports cover the 24-hour period of the date you select on the calendar. You can also export the report to PDF, CSV, or XML.
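The following is an added example, not part of the Palo Alto Networks documentation: an offline triage pass over URL filtering data exported to CSV, grouping entries by category and log action and pulling out rows whose inline verdict indicates a detection. The column names (`user`, `url`, `category`, `action`, `inline_verdict`) and the sample rows are constructed assumptions; map them to the headers in your own export.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names are assumptions for illustration,
# not the PAN-OS export schema; rename them to match your own file.
SAMPLE_CSV = """user,url,category,action,inline_verdict
alice,docs.example.com/help,computer-and-internet-info,alert,N/A
bob,empty.example.net/,insufficient-content,continue,N/A
bob,login.example.org/verify,phishing,block-url,Cloud
carol,cdn.example.org/a.js,malware,block-url,Local
alice,10.0.0.5/admin,private-ip-addresses,alert,N/A
bob,login.example.org/verify,phishing,block-url,Cloud
"""

# Verdict values the page describes as an inline engine detecting malicious
# content. "Unknown" (benign) and "N/A" (not analyzed) are excluded on purpose.
DETECTED = {"local", "cloud", "phishing", "malicious-javascript"}


def summarize(csv_text):
    """Return (category/action counts, inline detections, blocks per user)."""
    by_cat_action = Counter()
    inline_hits = Counter()
    blocked_by_user = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["action"].strip().lower()
        verdict = row["inline_verdict"].strip()
        by_cat_action[(row["category"], action)] += 1
        if verdict.lower() in DETECTED:
            # Key on user + URL + verdict so repeated attempts aggregate.
            inline_hits[(row["user"], row["url"], verdict)] += 1
        if action.startswith("block"):
            blocked_by_user[row["user"]] += 1
    return by_cat_action, inline_hits, blocked_by_user


if __name__ == "__main__":
    cats, hits, blocked = summarize(SAMPLE_CSV)
    for (category, action), n in cats.most_common():
        print(f"{n:3d}  {category:30s} {action}")
    for (user, url, verdict), n in hits.most_common():
        print(f"inline detection x{n}: {user} -> {url} ({verdict})")
    print("blocked attempts per user:", dict(blocked))
```

Users who repeatedly hit blocked categories, or URLs with a Local or Cloud verdict, are the entries to open in the detailed log view first.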