Verify that advanced URL filtering is analyzing
Palo Alto Networks recommends setting the real-time-detection
action to alert in your active URL filtering profiles.
This gives you visibility into URLs analyzed in real time, while the
firewall still blocks (or allows, depending on your policy settings)
based on the category actions configured for specific web threats.
The action taken on a URL is the most severe action among the
categories detected for that URL. For example, if example.com
is categorized as real-time-detection, command-and-control, and
shopping, and the configured actions are alert, block, and allow,
respectively, the URL is blocked because block is the most severe
action among the detected categories.
Verify that URLs are being analyzed and categorized
using the advanced URL Filtering service.
Access each of the following test URLs to
verify that the advanced URL filtering service is properly categorizing
Monitor the activity on the firewall to verify that
the above URLs have been properly categorized as real-time-detection.
(url_category_list contains real-time-detection)
view logs that have been analyzed using advanced URL filtering.
Additional web page category matches are also displayed and correspond
to the categories as defined by PAN-DB.
Take a detailed look at the logs to verify that each type
of web threat is correctly analyzed and categorized. In the example
below, the URL is categorized as having been analyzed in real-time,
and, additionally, as possessing qualities that define it as command
and control. Because C&C has a more severe action compared to
real-time-detection (block as opposed to alert), this URL has been
categorized as command and control and has been blocked.
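The following added example (not Palo Alto Networks code) models the most-severe-action rule from the example.com case and applies it to log records like the one described above, to check that each URL was analyzed in real time and that the logged action is the one the profile should produce. The record keys `url` and `action`, the comma-separated form of `url_category_list`, and the rows in `SAMPLE_ROWS` are assumptions constructed for illustration.

```python
# Added example, not vendor code. Only the three actions named on this page
# are ranked; other profile actions are deliberately not modeled.
SEVERITY = {"allow": 0, "alert": 1, "block": 2}

def effective_action(categories, profile):
    """Return (action, deciding_category): the most severe configured action wins."""
    if not categories:
        raise ValueError("URL has no categories")
    # A category missing from the profile raises KeyError, which surfaces
    # categories that were never given an explicit action.
    ranked = [(SEVERITY[profile[c]], profile[c], c) for c in categories]
    _, action, category = max(ranked, key=lambda r: r[0])
    return action, category

def audit(log_rows, profile):
    """Compare each record's logged action with the action the profile implies."""
    findings = []
    for row in log_rows:
        # Assumption: url_category_list is a comma-separated string.
        cats = [c.strip() for c in row["url_category_list"].split(",") if c.strip()]
        expected, decider = effective_action(cats, profile)
        findings.append({
            "url": row["url"],
            "realtime": "real-time-detection" in cats,  # analyzed in real time?
            "expected": expected,
            "decided_by": decider,
            "matches_log": expected == row["action"],
        })
    return findings

# Profile from the example.com case in the text.
PROFILE = {"real-time-detection": "alert",
           "command-and-control": "block",
           "shopping": "allow"}

# Constructed sample records (hypothetical field names and values).
SAMPLE_ROWS = [
    {"url": "example.com", "action": "block",
     "url_category_list": "real-time-detection,command-and-control,shopping"},
    {"url": "shop.example", "action": "allow", "url_category_list": "shopping"},
    {"url": "rt.example", "action": "allow",
     "url_category_list": "real-time-detection,shopping"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS, PROFILE):
        print(finding)
```

A record with `realtime` false was not analyzed by the real-time service, and one with `matches_log` false shows an action that differs from what the profile's category actions imply.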