6.11 Ensure that access to every URL is logged

Information

URL filters should not specify any categories as Allow Categories.
Rationale:
Setting a URL filter to have one or more entries under Allow Categories will cause no log entries to be produced in the URL Filtering logs for access to URLs in those categories. For forensic, legal, and HR purposes, it is advisable to log access to every URL. In many cases failure to log all URL access is a violation of corporate policy, legal requirements or regulatory requirements.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Navigate to Objects > Security Profiles > URL Filtering.
Set the Allow Categories column so that it is blank.
Default Value:
Not Configured

See Also

https://workbench.cisecurity.org/files/1780

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4(2), CSCv6|7.4

Plugin: Palo_Alto

Control ID: 0d4302885670a6418713f510fac3667df203f158f042be2e2e56297e395e178e