6.11 Ensure that access to every URL is logged

Information

URL filters should not specify any categories as Allow Categories.
Rationale:
Setting a URL filter to have one or more entries under Allow Categories will cause no log entries to be produced in the URL Filtering logs for access to URLs in those categories. For forensic, legal, and HR purposes, it is advisable to log access to every URL. In many cases failure to log all URL access is a violation of corporate policy, legal requirements or regulatory requirements.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Navigate to Objects > Security Profiles > URL Filtering.
Set the Allow Categories column so that it is blank.
Impact:
Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss.
Default Value:
A default URL Filtering Security Profile is configured, with the following categories set to "block": abused-drugs adult gambling hacking malware phishing questionable weapons

See Also

https://workbench.cisecurity.org/files/2104

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CSCv6|7.4, CSCv7|7.6

Plugin: Palo_Alto

Control ID: 1eb691112223bd4d324af339c67eb09ed25102bdeafab5b1e75f45ad915b7549