Verify Advanced URL Filtering

Verify that advanced URL filtering is analyzing URLs.
Palo Alto Networks recommends setting the real-time-detection action setting to alert for your active URL filtering profiles. This provides visibility into URLs analyzed in real-time and will block (or allow, depending on your policy settings) based on the category settings configured for specific web threats. The action taken on a URL is based on the most severe action for a category that has been detected for a given URL. For example, if example.com is categorized as real-time-detection, command-and-control, and shopping; and the configured actions are alert, block, and allow, respectively, the URL will be blocked because that is considered the most severe action from the detected categories.
  1. Verify that URLs are being analyzed and categorized using the advanced URL Filtering service.
    1. Monitor the activity on the firewall to verify that the above URLs have been properly categorized as real-time-detection.
      1. Select
        Monitor
        Logs
        URL Filtering
        and filter by
        (url_category_list contains real-time-detection)
        to view logs that have been analyzed using advanced URL filtering. Additional web page category matches are also displayed and corresponds to the categories as defined by PAN-DB.
      2. Take a detailed look at the logs to verify that each type of web threat is correctly analyzed and categorized. In the example below, the URL is categorized as having been analyzed in real-time, and, additionally, as possessing qualities that define it as command and control. Because C&C has a more severe action compared to real-time-detection (block as opposed to alert), this URL has been categorized as command and control and has been blocked.

Recommended For You