Monitoring Web Activity
Advanced URL Filtering

Monitoring Web Activity

Table of Contents

Monitoring Web Activity

Monitor the web activity on your network to understand the sites your users are accessing and develop web access policies for your organization.
Where can I use this?
What do I need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
  • Prisma Access
    licenses include
    Advanced URL Filtering
You can view various dashboards, reports, and logs to review and analyze web activity on your network. For example, on PAN-OS next-generation firewalls, the Application Command Center (ACC), URL filtering logs and reports show all user web activity for URL categories that are set to
, or
. By monitoring user activity with the following tools, you can gain a better understanding of the web activity of your user base and determine appropriate web access policy rules.
Ways to View User Web Activity
PAN-OS & Panorama
  • Application Command Center (ACC)
    • Network Activity widgets
  • URL filtering logs
  • URL filtering reports
Prisma Access
  • Logs
  • Insights
  • Autonomous DEM
  • Activity

Monitoring Web Activity (
Strata Cloud Manager

Regardless of the interface you’re using to manage
Prisma Access
(Panorama or
Strata Cloud Manager
), the Activity pane in
Strata Cloud Manager
provides a comprehensive view of what’s happening in your network. Various dashboards compose the Activity pane, which is available in the
Strata Cloud Manager
and Device Insights application. You can also share Activity data with other users in your organization.
The following interactive dashboards help you monitor and analyze web activity on your network:
  • —A holistic view of all threats that Advanced URL Filtering and other Palo Alto Networks security services detected and blocked in your network. You can view threat trends, impacted applications, users, and Security policy rules that are allowing or blocking threats.
  • —Your logs provide an audit trail for system, configuration, and network events. Jump from an Activity dashboard to your logs to get details and investigate findings.
  • —See an overview of the applications on your network, including their risk, sanction status, bandwidth consumed, and the top users of these applications.
  • Executive Summary (
    URL Filtering
    —See which URL categories account for the most web activity in your network, the top 10 malicious URLs, and top 10 high-risk URLs.
  • —See individual users’ browsing patterns: their most frequently visited sites, the sites with which they’re transferring data, and attempts to access high-risk sites. The data from your URL Filtering logs and the Cloud Identity Engine enable this visibility.
Additional Visibility and Methods of Monitoring:
  • The Reports pane includes options for scheduling report delivery or downloading and sharing a report at any time for offline viewing.
  • You can also Search for a security artifact (an IP address, domain, URL, or file hash) to interact with data just for that artifact, drawn from both your network and global threat intelligence findings.
  • Open an Activity dashboard.
    • Select
      Threat Insights | Application Usage | User Activity | Executive Summary
      To view the executive summary for URL Filtering, you’ll need to click the URL Filtering tab upon landing on the dashboard.
    • To access the Log Viewer, select
      Log Viewer

Monitoring Web Activity (

  • For a quick view of the most common categories users access in your environment, check the
    widgets. Most
    Network Activity
    widgets allow you to sort on URLs. For example, in the Application Usage widget, you can see that the networking category is the most accessed category, followed by encrypted tunnel, and ssl. You can also view the list of
    Threat Activity
    Blocked Activity
    sorted on URLs.
    View logs and configure log options:
  • From the ACC, you can jump directly to the logs (
    ) or select
    URL Filtering
    The log action for each entry depends on the Site Access setting you defined for the corresponding category:
    • Alert log
      —In this example, the computer-and-internet-info category is set to alert.
    • Block log
      —In this example, the insufficient-content category is set to continue. If the category had been set to block instead, the log Action would be block-url.
    • Alert log on encrypted website
      —In this example, the category is private-ip-addresses and the application is web-browsing. This log also indicates that the firewall decrypted this traffic.
  • The [local] Inline ML verdict (PAN-OS 10.0/10.1) and [local and cloud] Inline Categorization verdict (PAN-OS 10.2 and later) indicate the verdict determined by inline ML-based analyzers.
    • The Inline ML verdict applies to URLs that have been categorized using the locally operated URL Filtering Inline ML on PAN-OS 10.0/10.1.
      The following verdicts are available:
      • Phishing
        —phishing attack content detected by local inline ML.
      • Malicious-javascript
        —malicious javascript content detected by local inline ML.
      • Unknown
        —URL was categorized and content determined to be benign.
    • The Inline Categorization verdict applies to URLs that have been categorized using both the locally operated URL Filtering Inline ML (which was renamed to local Inline Categorization in PAN-OS 10.2) as well as cloud Inline Categorization, operating in the Advanced URL Filtering cloud. The specific type of attack is specified under the category column in the log.
      The following verdicts are available:
      • Local
        —malicious content detected using local inline categorization.
      • Cloud
        —malicious content detected using the cloud inline categorization engine located in the Advanced URL Filtering cloud.
      • N/A
        —URL was not analyzed by the local or cloud inline categorization engines.
  • You can also add several other columns to your URL Filtering log view, such as: to and from zone, content type, and whether or not a packet capture was performed. To modify what columns to display, click the down arrow in any column and select the attribute to display.
  • To view the complete log details and/or request a category change for the given URL that was accessed, click the log details icon in the first column of the log.
  • Generate predefined URL filtering reports on URL categories, URL users, Websites accessed, Blocked categories, and more.
    and under the
    URL Filtering Reports
    section, select one of the reports. The reports cover the 24-hour period of the date you select on the calendar. You can also export the report to PDF, CSV, or XML.

Recommended For You