If you cannot see URL filtering logs in Panorama, even though you believe the traffic should be logged, there could be several reasons. You can troubleshoot this using the CLI and the web UI on Panorama and on the firewall (FW).
Here’s a step-by-step approach:
Step 1: Check Security Policy Rule on the Firewall
Issue: Logs won’t appear if logging is not enabled on the rule.
CLI Command (on FW):
show running security-policy
Make sure:
Logging is enabled at start and/or end of the session.
The action is set to allow or deny (depending on your expectation).
The rule is set to log at session end (usually the best for URL filtering visibility).
You can verify a specific rule:
show running security-policy rule <rule-name>
Look for:
log-start no
log-end yes
Step 2: Verify URL Filtering Profile Is Applied
Check if the rule has a URL filtering profile applied.
CLI Command:
show config running | match "url-filtering"
Or to trace a specific security rule:
show config running | match <security-rule-name>
Step 3: Check Logs in the Firewall (Not Panorama)
Sometimes logs don't make it to Panorama (due to log forwarding config or issues).
CLI Command (on FW):
show log url direction equal backward
You can add filters:
show log url direction equal backward url contains "example.com"
If logs are visible on the firewall, but not on Panorama, proceed below.
Step 4: Check Log Forwarding from FW to Panorama
Log forwarding must be configured on the firewall to send logs to Panorama.
CLI Check:
show logging-status
Look for:
Panorama status: connected
Log forwarding status: enabled
Queues: should not be full/stuck
Also:
show system logdb-quota
This will show you if enough quota is assigned for URL logs.
Step 5: Check Panorama Log Collector (if Dedicated)
If using Dedicated Log Collectors, check that the log collector is connected and receiving logs.
On Panorama CLI:
show log-collector status
And:
show log-collector preference-list
Step 6: Use debug or Real-Time Log Monitoring
You can tail the logs in real time.
On Firewall:
tail follow yes mp-log urlfiltering.log
Or:
less mp-log urlfiltering.log
On Panorama (for management logs only):
tail follow yes mp-log ms.log
Step 7: Use ACC or Custom Report (as alternative)
Sometimes URL logs don’t show in Monitor > Logs > URL Filtering, but ACC or Custom Reports will reveal them.
Step 8: Ensure Threat License Is Active
URL Filtering requires a valid Threat Prevention license. Check:
show license
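The Step 1 and Step 2 checks can be run over saved CLI output for every rule at once. The script below is an added example, not part of the original post: it assumes the output of show running security-policy was saved as text in a brace-delimited "key value;" layout, that the log-start/log-end fields named in Step 1 appear in each rule block, and that an attached profile shows up as a url-filtering field. The sample rules are constructed; adjust the field names to what your PAN-OS version prints.

```python
import re

# Constructed sample standing in for saved `show running security-policy` output.
# The block layout and the "url-filtering" field name are assumptions.
SAMPLE = '''
"Allow-Web; index: 1" {
        action allow;
        log-start no;
        log-end yes;
        url-filtering default;
}
"Allow-Guest; index: 2" {
        action allow;
        log-start no;
        log-end no;
}
"Block-Bad; index: 3" {
        action deny;
        log-start no;
        log-end yes;
}
'''

RULE_RE = re.compile(r'^"(?P<name>[^;"]+);[^"]*"\s*\{(?P<body>.*?)^\}', re.M | re.S)
FIELD_RE = re.compile(r'^\s*([\w/-]+):?\s+(.*?);?\s*$', re.M)

def parse_rules(text):
    """Return {rule name: {field: value}} for every rule block in the text."""
    return {m.group("name").strip(): dict(FIELD_RE.findall(m.group("body")))
            for m in RULE_RE.finditer(text)}

def url_log_gaps(text):
    """List (rule, reason) pairs for rules failing the Step 1 or Step 2 check."""
    gaps = []
    for name, fields in parse_rules(text).items():
        if "yes" not in (fields.get("log-start"), fields.get("log-end")):
            gaps.append((name, "no session logging (Step 1)"))
        # Security profiles only apply to traffic the rule allows.
        if fields.get("action") == "allow" and "url-filtering" not in fields:
            gaps.append((name, "no URL filtering profile (Step 2)"))
    return gaps

if __name__ == "__main__":
    for rule, reason in url_log_gaps(SAMPLE):
        print(f"{rule}: {reason}")
```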
Summary of Key CLI Commands
On Firewall:
show log url direction equal backward
show running security-policy
show config running | match url-filtering
show logging-status
tail follow yes mp-log urlfiltering.log
show system logdb-quota
On Panorama:
show log-collector status
show log-collector preference-list
tail follow yes mp-log ms.log