Monitoring Web Activity (PAN-OS & Panorama)

  • For a quick view of the most common categories users access in your environment, check the ACC widgets. Most Network Activity widgets allow you to sort on URLs. For example, in the Application Usage widget, you can see that the networking category is the most accessed category, followed by encrypted tunnel, and ssl. You can also view the list of Threat Activity and Blocked Activity sorted on URLs.
    View logs and configure log options:
  • From the ACC, you can jump directly to the logs or select Monitor > Logs > URL Filtering.
    The log action for each entry depends on the Site Access setting you defined for the corresponding category:
    • Alert log—In this example, the computer-and-internet-info category is set to alert.
    • Block log—In this example, the insufficient-content category is set to continue. If the category had been set to block instead, the log Action would be block-url.
    • Alert log on encrypted website—In this example, the category is private-ip-addresses and the application is web-browsing. This log also indicates that the firewall decrypted this traffic.
  • The [local] Inline ML verdict (PAN-OS 10.0/10.1) and [local and cloud] Inline Categorization verdict (PAN-OS 10.2 and later) indicate the verdict determined by inline ML-based analyzers.
    • The Inline ML verdict applies to URLs that have been categorized using the locally operated URL Filtering Inline ML on PAN-OS 10.0/10.1.
      The following verdicts are available:
      • Phishing—phishing attack content detected by local inline ML.
      • Malicious-javascript—malicious JavaScript content detected by local inline ML.
      • Unknown—URL was categorized and content determined to be benign.
    • The Inline Categorization verdict applies to URLs that have been categorized using both the locally operated URL Filtering Inline ML (which was renamed to local Inline Categorization in PAN-OS 10.2) as well as cloud Inline Categorization, operating in the Advanced URL Filtering cloud. The specific type of attack is specified under the category column in the log.
      The following verdicts are available:
      • Local—malicious content detected using local inline categorization.
      • Cloud—malicious content detected using the cloud inline categorization engine located in the Advanced URL Filtering cloud.
      • N/A—URL was not analyzed by the local or cloud inline categorization engines.
  • You can also add several other columns to your URL Filtering log view, such as: to and from zone, content type, and whether or not a packet capture was performed. To modify what columns to display, click the down arrow in any column and select the attribute to display.
  • To view the complete log details and/or request a category change for the given URL that was accessed, click the log details icon in the first column of the log.
  • Generate predefined URL filtering reports on URL categories, URL users, Websites accessed, Blocked categories, and more.
    Select Monitor > Reports and under the URL Filtering Reports section, select one of the reports. The reports cover the 24-hour period of the date you select on the calendar. You can also export the report to PDF, CSV, or XML.
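
The log actions and inline verdicts described above can be triaged offline once log entries are exported. The following is an added example, not Palo Alto Networks code: the column names (`url`, `category`, `action`, `verdict`) and the sample rows are constructed assumptions, so map them to the columns in your own export.

```python
import csv
import io
from collections import Counter

# Verdict values as listed on this page (compared case-insensitively).
LEGACY_ATTACKS = {"phishing", "malicious-javascript"}  # 10.0/10.1: verdict names the attack
ENGINES = {"local": "local inline categorization",     # 10.2+: attack type is in the category
           "cloud": "cloud inline categorization"}
NOT_FLAGGED = {"unknown", "n/a", ""}                   # benign or not analyzed

# Constructed sample rows; the header names are assumptions, not an official schema.
SAMPLE_CSV = """\
url,category,action,verdict
docs.example.com/setup,computer-and-internet-info,alert,N/A
parked.example.net/,insufficient-content,continue,N/A
login.example.org/verify,phishing,block-url,Cloud
cdn.example.org/a.js,malware,block-url,Local
10.1.2.3/admin,private-ip-addresses,alert,Unknown
old.example.com/form,phishing,block-url,Phishing
"""

def triage(csv_text):
    """Return (action counts, flagged rows, rows with an unrecognized verdict).

    Each flagged row is (url, attack_type, engine), normalized across the
    PAN-OS 10.0/10.1 and 10.2+ verdict vocabularies.
    """
    actions, flagged, unrecognized = Counter(), [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        actions[row["action"].strip().lower()] += 1
        verdict = (row.get("verdict") or "").strip().lower()
        if verdict in LEGACY_ATTACKS:
            flagged.append((row["url"], verdict, "local inline ML"))
        elif verdict in ENGINES:
            flagged.append((row["url"], row["category"], ENGINES[verdict]))
        elif verdict not in NOT_FLAGGED:
            # Surface unexpected values instead of silently ignoring them.
            unrecognized.append((row["url"], row["verdict"]))
    return actions, flagged, unrecognized

if __name__ == "__main__":
    actions, flagged, unrecognized = triage(SAMPLE_CSV)
    print("Actions:", dict(actions))
    for url, attack, engine in flagged:
        print(f"FLAGGED {url}: {attack} ({engine})")
    for url, verdict in unrecognized:
        print(f"UNRECOGNIZED verdict {verdict!r} for {url}")
```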

