Logging
Output 10: Example URL filtering log message for a dropped URL request
2016 Nov 17 02:02:21 local5.info awplus IPS[2039]: [Drop] URLFILTER: URL:http:/
kdskspb.ru/ [http] 192.168.1.1:58272 -> 172.16.1.2:80
Output 11: Example URL filtering log message for a permitted URL request when log url-requests is
configured
2017 Apr 12 03:47:21 local5.info awplus IPS[3885]: [Http] URL:http://172.16.1.2/
192.168.1.1:53698 -> 172.16.1.2:80
By default, URL filtering only logs dropped requests. However, from 5.4.7-1.x, you can turn on
additional URL request logging to log all URL requests, including permitted requests. Use the
following commands:
awplus(config)#
awplus(config-url-filter)#
Note: This is supported in all AR-Series firewalls.
By default, URL filtering messages are generated when there are:
Blacklist and whitelist hits—logged at severity info (6) level.
Invalid match criteria, detected while loading third party and custom blacklist and whitelist files—
logged at err (3) level.
Missing configured custom blacklist and/or whitelist files, while starting/restarting the feature—
logged at warning (4) level.
Log messages for blacklist or whitelist hits include information in the following format:
<action> URLFILTER: [URL:<url>] <protocol> <source-ip>:<source-port> ->
<dest-ip>:<dest-port>
Table 9: URL Filtering log message elements
Message element
<action>
<url>
<protocol>
<source-ip>:<source-port>
<dest-ip>:<dest-port>
C613-22104-00 REV B
url-filter
log url-requests
Description
Which action is applied; [ALERT], [DROP] or [http].
The requested URL if the flow is HTTP.
The protocol e.g., SMTP, HTTP, TCP, ICMP.
The source IP address and source port for the packet.
The destination IP address and source port for the packet.
Advanced Network Protection
URL Filtering Log Messages
|
Page 70