Palo Alto Networks Knowledgebase: Getting Started: Log forwarding

Created On 07/18/19 19:27 PM - Last Updated 07/18/19 20:12 PM
Resolution

What more can my firewall do? Forward log files and reports

 

In some situations, it might be useful to send logs to a Security Information and Event Management (SIEM) software product, log correlation product, Panorama centralized management, or simply receive an email when a certain event occurs.

 

On the Palo Alto Networks firewall, Log Forwarding can be enabled for all kinds of events, including security rule hits or system events. SNMP traps or emails can be sent when a rule is hit or an event occurs, and reports can also be forwarded to designated email addresses.

 

To get started, first create an appropriate server profile: an SNMP, Syslog or Email server profile.

snmp server profile

 

In the Syslog server profile, the syslog format and facility can be changed to suit the syslog server configuration.

syslog server profile
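
A receiving-side check for the format and facility settings described above, as an added example that is not from the original article or from Palo Alto Networks: it decodes the syslog PRI value into facility and severity, tells BSD (RFC 3164) from IETF (RFC 5424) framing, and flags messages that do not match what the collector is configured to expect. The sample messages, host name and payload are constructed placeholders, and the function names are hypothetical.

```python
import re

# Syslog facility names by code (RFC 5424): user is 1, local0-local7 are 16-23.
FACILITIES = {1: "user", **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# IETF (RFC 5424): version "1", timestamp, then hostname follow the PRI.
IETF_RE = re.compile(r"^1 \S+ (\S+) ")
# BSD (RFC 3164): "Mmm dd hh:mm:ss hostname" follows the PRI.
BSD_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")

# Constructed sample messages; host name and payload are placeholders.
SAMPLE = [
    "<134>Jul 18 19:27:01 fw-example constructed-payload",  # local0.info, BSD
    "<14>Jul 18 19:27:02 fw-example constructed-payload",  # user.info, BSD
    "<133>1 2019-07-18T19:27:03Z fw-example - - - - constructed-payload",  # IETF
    "Jul 18 19:27:04 fw-example constructed-payload",  # PRI missing
]


def parse_header(line):
    """Decode PRI and header style; return None for a malformed message."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the highest valid PRI
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    for fmt, rx in (("IETF", IETF_RE), ("BSD", BSD_RE)):
        h = rx.match(m.group(2))
        if h:
            return {"format": fmt, "host": h.group(1),
                    "facility": FACILITIES.get(facility, str(facility)),
                    "severity": SEVERITIES[severity]}
    return None


def check_stream(lines, expected_facility, expected_format):
    """Return (line_number, reason) for each message that does not match."""
    problems = []
    for n, line in enumerate(lines, 1):
        hdr = parse_header(line)
        if hdr is None:
            problems.append((n, "malformed or missing PRI/header"))
        elif hdr["format"] != expected_format:
            problems.append((n, f"format {hdr['format']}, expected {expected_format}"))
        elif hdr["facility"] != expected_facility:
            problems.append((n, f"facility {hdr['facility']}, expected {expected_facility}"))
    return problems
```

Calling `check_stream(SAMPLE, "local0", "BSD")` reports lines 2, 3 and 4: a facility mismatch, a format mismatch and a message with no PRI.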

 

In the Email server profile, the display name can be set to a friendly format to appear in the received email.

 

Pro-Tip: In most cases, we recommend setting the 'from' email address to a domain inside the organization as SMTP servers may be configured to not relay messages from different domains.

email server profile

 

When the appropriate server profiles have been created, there are several spots where they can be set to start the forwarding.

 

System log

 

For system events, as seen in the system log, a server can be assigned per severity. This allows, for example, all non-informational logs to be forwarded to a syslog server for historical information, high severity events to send out an SNMP trap to an alert server, and critical events to send out an email and send the log to Panorama. Clicking a severity brings up the configuration window, where you can set the actions to take.

 

system log forwarding

 

 

Security log

 

Any security rule can have an individual Log Forwarding profile assigned to it. In most scenarios, this means that most, if not all, security logs are forwarded to Panorama or a syslog server. Critical threats can generate an SNMP trap or email the security team with a notification.

 

First, create one or more profiles to match your needs:

log forwarding profile

Pro-Tip: Threat severity Informational will contain URL filtering logs, if you would like to export these.

 

 

Next, attach the profile to a security rule by adding the Log Forwarding profile in the Actions tab. A new icon will appear in the security policy view to indicate log forwarding has been enabled for this policy.

security rule action

 

Reports

 

Finally, reports can also be sent out on a daily or weekly basis so an administrator can receive a convenient state of affairs without needing to log on to the firewall.

 

First, create a report group, which will combine predefined or custom reports into a single output group. All available reports can be selected from the left pane and moved into the group in the right pane.

report group

 

After the group is created, configure an email scheduler for the report creation and subsequent emailing to the desired administrators.

email scheduler

 

After the reports are available (some custom reports may require some time to populate a weekly overview if they have only just been created), they will appear in the emailed PDF.

 

 

If you liked this article, please check out the whole series at Getting Started: The series and feel free to comment below!

 

Regards,

Tom


