Advanced URL Filtering
Monitoring Web Activity
Table of Contents
Monitoring Web Activity
Monitor the web activity on your network to understand
the sites your users are accessing and develop web access policies
for your organization.
Where can I use
this? | What do I need? |
|---|---|
|
Notes:
|
You can view various dashboards, reports, and logs to review
and analyze web activity on your network. For example, on PAN-OS
next-generation firewalls, the Application Command Center (ACC),
URL filtering logs and reports show all user web activity for URL
categories that are set to
alert
, block
, continue
,
or override
. By monitoring user activity
with the following tools, you can gain a better understanding of
the web activity of your user base and determine appropriate web
access policy rules.Platform | Ways to View User Web Activity |
|---|---|
PAN-OS/Panorama |
|
Prisma Access |
|
Prisma Access
Regardless of the management interface you’re
using (Panorama or Cloud Management), the Activity pane in Prisma
Access Cloud Management gives you a comprehensive view of what’s
happening in your network. Various dashboards compose
the Activity pane, which is available in the Prisma Access and Device
Insights application. You can also share Activity data with other
users in your organization.
The following interactive dashboards
help you monitor and analyze web activity on your network:
- —A holistic view of all threats that Advanced URL Filtering and other Palo Alto Networks security services detected and blocked in your network. You can view threat trends, impacted applications, users, and Security policy rules that are allowing or blocking threats.
- —Your logs provide an audit trail for system, configuration, and network events. Jump from an Activity dashboard to your logs to get details and investigate findings.
- —See an overview of the applications on your network, including their risk, sanction status, bandwidth consumed, and the top users of these applications.
- Executive Summary (—See which URL categories account for the most web activity in your network, the top 10 malicious URLs, and top 10 high-risk URLs.URL Filtering)
- —See individual users’ browsing patterns: their most frequently visited sites, the sites with which they’re transferring data, and attempts to access high-risk sites. The data from your URL Filtering logs and the Cloud Identity Engine enable this visibility.
- To access user activity data and share reports easily and securely, we recommend activating and configuring the Cloud Identity Engine.
Additional Visibility
and Methods of Monitoring:
- The Reports pane includes options for scheduling report delivery or downloading and sharing a report at any time for offline viewing.
- You can also Search for a security artifact (an IP address, domain, URL, or file hash) to interact with data just for that artifact, drawn from both your network and global threat intelligence findings.
- Open an Activity dashboard.
- Select .To view the executive summary for URL Filtering, you’ll need to click the URL Filtering tab upon landing on the dashboard.
- To access the Log Viewer, select .
PAN-OS
- For a quick view of the most common categories users access in your environment, check theACCwidgets. MostNetwork Activitywidgets allow you to sort on URLs. For example, in the Application Usage widget, you can see that the networking category is the most accessed category, followed by encrypted tunnel, and ssl. You can also view the list ofThreat ActivityandBlocked Activitysorted on URLs.
View logs and configure log options: - From the ACC, you can jump directly to the logs (
) or select . The log action for each entry depends on the Site Access setting you defined for the corresponding category:- Alert log—In this example, the computer-and-internet-info category is set to alert.
- Block log—In this example, the insufficient-content category is set to continue. If the category had been set to block instead, the log Action would be block-url.
- Alert log on encrypted website—In this example, the category is private-ip-addresses and the application is web-browsing. This log also indicates that the firewall decrypted this traffic.
- The [local] Inline ML verdict (PAN-OS 10.0/10.1) and [local and cloud] Inline Categorization verdict (PAN-OS 10.2 and later) indicate the verdict determined by inline ML-based analyzers.
- The Inline ML verdict applies to URLs that have been categorized using the locally operated URL Filtering Inline ML on PAN-OS 10.0/10.1.
The following verdicts are available:- Phishing—phishing attack content detected by local inline ML.
- Malicious-javascript—malicious javascript content detected by local inline ML.
- Unknown—URL was categorized and content determined to be benign.
- The Inline Categorization verdict applies to URLs that have been categorized using both the locally operated URL Filtering Inline ML (which was renamed to local Inline Categorization in PAN-OS 10.2) as well as cloud Inline Categorization, operating in the Advanced URL Filtering cloud. The specific type of attack is specified under the category column in the log.
The following verdicts are available:- Local—malicious content detected using local inline categorization.
- Cloud—malicious content detected using the cloud inline categorization engine located in the Advanced URL Filtering cloud.
- N/A—URL was not analyzed by the local or cloud inline categorization engines.
- You can also add several other columns to your URL Filtering log view, such as: to and from zone, content type, and whether or not a packet capture was performed. To modify what columns to display, click the down arrow in any column and select the attribute to display.
- To view the complete log details and/or request a category change for the given URL that was accessed, click the log details icon in the first column of the log.
- Generate predefined URL filtering reports on URL categories, URL users, Websites accessed, Blocked categories, and more.Select and under theURL Filtering Reportssection, select one of the reports. The reports cover the 24-hour period of the date you select on the calendar. You can also export the report to PDF, CSV, or XML.
