Monitor the web activity on your network to understand the sites your users are accessing and develop web access policies for your organization.

Where can I use this?
- Prisma Access
- PAN-OS

What do I need?
- Advanced URL Filtering license (or a legacy URL filtering license)

Notes:
- Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
- Prisma Access licenses usually include Advanced URL Filtering capabilities.
You can view various dashboards, reports, and logs to review and analyze web activity on your network. For example, on PAN-OS next-generation firewalls, the Application Command Center (ACC), URL filtering logs, and reports show all user web activity for URL categories that are set to alert, block, continue, or override. By monitoring user activity with the following tools, you can gain a better understanding of the web activity of your user base and determine appropriate web access policy rules.
Regardless of the management interface you’re
using (Panorama or Cloud Management), the Activity pane in Prisma
Access Cloud Management gives you a comprehensive view of what’s
happening in your network. Various dashboards compose
the Activity pane, which is available in the Prisma Access and Device
Insights application. You can also share Activity data with other
users in your organization.
The following interactive dashboards help you monitor and analyze web activity on your network:
- A holistic view of all threats that Advanced URL Filtering and other Palo Alto Networks security services detected and blocked in your network. You can view threat trends, impacted applications, users, and Security policy rules that are allowing or blocking threats.
- Your logs provide an audit trail for system, configuration, and network events. Jump from an Activity dashboard to your logs to get details and investigate findings.
- An overview of the applications on your network, including their risk, sanction status, bandwidth consumed, and the top users of these applications.
- Individual users’ browsing patterns: their most frequently visited sites, the sites with which they’re transferring data, and attempts to access high-risk sites. The data from your URL Filtering logs and the Cloud Identity Engine enable this visibility.
The Reports pane includes
options for scheduling report delivery or downloading and sharing
a report at any time for offline viewing.
You can also Search for a security
artifact (an IP address, domain, URL, or file hash) to interact
with data just for that artifact, drawn from both your network and
global threat intelligence findings.
For a quick view of the most common categories users access in your environment, check the ACC widgets. Most Network Activity widgets allow you to sort on URLs. For example, in the Application Usage widget, you can see that the networking category is the most accessed category, followed by encrypted tunnel and ssl. You can also view the list of Threat Activity and Blocked Activity sorted on URLs.
View logs and configure log options: From the ACC, you can jump directly to the logs, or select Monitor > Logs > URL Filtering.
The log action for each entry depends on the Site Access setting you defined for the corresponding category:
- Alert log—In this example, the computer-and-internet-info category is set to alert.
- Block log—In this example, the insufficient-content category is set to continue. If the category had been set to block instead, the log Action would be block-url.
- Alert log on encrypted website—In this example, the category is private-ip-addresses and the application is web-browsing. This log also indicates that the firewall decrypted this traffic.
The [local] Inline ML verdict (PAN-OS 10.0/10.1) and the [local and cloud] Inline Categorization verdict (PAN-OS 10.2 and later) indicate the verdict determined by inline ML-based analyzers.

The Inline ML verdict applies to URLs that have been categorized using the locally operated URL Filtering Inline ML on PAN-OS 10.0/10.1. The following verdicts are available:
- Phishing—phishing attack content detected by local inline ML.
- Malicious-javascript—malicious JavaScript content detected by local inline ML.
- Unknown—URL was categorized and content determined to be benign.

The Inline Categorization verdict applies to URLs that have been categorized using both the locally operated URL Filtering Inline ML (renamed to local Inline Categorization in PAN-OS 10.2) and cloud Inline Categorization, which operates in the Advanced URL Filtering cloud. The specific type of attack is specified under the category column in the log. The following verdicts are available:
- Local—malicious content detected using local inline categorization.
- Cloud—malicious content detected using the cloud inline categorization engine located in the Advanced URL Filtering cloud.
- N/A—URL was not analyzed by the local or cloud inline categorization engines.
You can also add several other columns to your URL Filtering log view, such as to and from zone, content type, and whether a packet capture was performed. To choose which columns to display, click the down arrow in any column and select the attribute to display. To view the complete log details or request a category change for the URL that was accessed, click the log details icon in the first column of the log.
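As an added example (not from the Palo Alto Networks documentation), the following Python script summarizes a CSV export of URL Filtering log entries: the most-accessed categories (the same view the ACC Application Usage example above gives), the number of entries per log action, and the entries whose Inline Categorization verdict is local or cloud. The column names and every log line are constructed assumptions; map them to the columns you chose to display in your own export.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of a URL Filtering log export. The column names are an
# assumption for this example, not the firewall's exact export header.
SAMPLE_CSV = """\
category,action,app,url,inline_categorization,decrypted
networking,alert,web-browsing,http://example.com/,N/A,no
networking,alert,web-browsing,http://intranet.example/,N/A,no
networking,alert,web-browsing,http://example.net/,N/A,yes
encrypted-tunnel,alert,ssl,https://tunnel.example/,N/A,no
encrypted-tunnel,alert,ssl,https://vpn.example/,N/A,no
ssl,alert,ssl,https://secure.example/,N/A,no
ssl,alert,ssl,https://mail.example/,N/A,yes
phishing,block-url,web-browsing,http://login-example.test/,cloud,no
insufficient-content,continue,web-browsing,http://new-site.test/,N/A,no
malware,block-url,web-browsing,http://bad.test/drop.js,local,no
"""


def parse_url_logs(text):
    """Read a CSV export into a list of dicts, one dict per log entry."""
    return list(csv.DictReader(StringIO(text)))


def top_categories(rows, n=3):
    """Most-accessed URL categories, like the ACC Application Usage widget.
    Ties are broken alphabetically so the ordering is deterministic."""
    counts = Counter(r["category"] for r in rows)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def action_counts(rows):
    """How many entries logged each action (alert, block-url, continue, ...)."""
    return Counter(r["action"] for r in rows)


def inline_detections(rows):
    """Entries the inline ML analyzers flagged (verdict local or cloud).
    The specific attack type is carried in the category column."""
    return [r for r in rows if r["inline_categorization"] in ("local", "cloud")]


if __name__ == "__main__":
    logs = parse_url_logs(SAMPLE_CSV)
    print("Top categories:", top_categories(logs))
    print("Actions:", dict(action_counts(logs)))
    for hit in inline_detections(logs):
        print(f"inline {hit['inline_categorization']} verdict: "
              f"{hit['category']} {hit['url']}")
```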
Generate predefined URL filtering reports on URL categories, URL users, websites accessed, blocked categories, and more. Select Monitor > Reports and, under the URL Filtering Reports section, select one of the reports. The reports cover the 24-hour period of the date you select on the calendar. You can also export the report to PDF, CSV, or XML.