6.11 Ensure that access to every URL is logged

Information

URL filters should not specify any categories as Allow Categories.

Rationale:

Setting a URL filter to have one or more entries under Allow Categories will cause no log entries to be produced in the URL Filtering logs for access to URLs in those categories. For forensic, legal, and HR purposes, it is advisable to log access to every URL. In many cases failure to log all URL access is a violation of corporate policy, legal requirements or regulatory requirements.

Impact:

Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Navigate to Objects > Security Profiles > URL Filtering.
For each permitted category, set the Site Access actioun to alert

Default Value:

A default URL Filtering Security Profile is configured, with the following categories set to 'block': abused-drugs adult gambling hacking malware phishing questionable weapons 3 Categories are set to alert in the default policy, and 58 Categories are set to allow (which means they are not logged)

See Also

https://workbench.cisecurity.org/benchmarks/8826

Item Details

Category: AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-7, 800-53|AU-12, 800-53|SC-7(3), 800-53|SC-7(4), CSCv7|6.2, CSCv7|6.3, CSCv7|7.6

Plugin: Palo_Alto

Control ID: f3ddd57229a9cb121e5fb03125a1cff63c1c1210f0da8018d6b62ce9508422a6