Getting Started: Log forwarding


Created On 09/25/18 19:03 PM - Last Modified 07/18/19 20:12 PM


What more can my firewall do? Forward log files and reports


In some situations, it might be useful to send logs to a Security Information and Event Management (SIEM) software product, log correlation product, Panorama centralized management, or simply receive an email when a certain event occurs.


On the Palo Alto Networks firewall, Log Forwarding can be enabled for all kinds of events, including security rule hits or system events. SNMP traps or emails can be sent when a rule is hit or an event occurs, and reports can also be forwarded to designated email addresses.


To get started, first create an appropriate server profile: an SNMP, Syslog, or Email server profile.

snmp server profile


In the Syslog server profile, the syslog format and facility can be changed to suit the syslog server configuration.

syslog server profile
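
A collector-side check for the format and facility settings described above, as an added example that is not part of the original article: it decodes the PRI value into facility and severity and tells BSD (RFC 3164) headers from IETF (RFC 5424) headers. The hostname `fw01`, the sample lines, and the function names are constructed for illustration.

```python
import re

# Facility (0-23) and severity (0-7) names as numbered in RFC 3164 / RFC 5424.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# IETF: version "1", ISO 8601 timestamp, hostname.
IETF_RE = re.compile(r"^1 (\d{4}-\d{2}-\d{2}T\S+) (\S+) ")
# BSD: "Mmm dd hh:mm:ss" timestamp, hostname.
BSD_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ")

def parse_header(line):
    """Return format, host, facility and severity of one received syslog line."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:       # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("missing or invalid PRI")
    pri, rest = int(m.group(1)), line[m.end():]
    ietf, bsd = IETF_RE.match(rest), BSD_RE.match(rest)
    if ietf:
        fmt, host = "IETF", ietf.group(2)
    elif bsd:
        fmt, host = "BSD", bsd.group(2)
    else:
        raise ValueError("header is neither BSD nor IETF")
    # PRI = facility * 8 + severity
    return {"format": fmt, "host": host,
            "facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7]}

def check(line, expected_format, expected_facility):
    """List mismatches between a received line and what the collector expects."""
    h = parse_header(line)
    problems = []
    if h["format"] != expected_format:
        problems.append(f"format is {h['format']}, expected {expected_format}")
    if h["facility"] != expected_facility:
        problems.append(f"facility is {h['facility']}, expected {expected_facility}")
    return problems

# Constructed sample lines (not real firewall output).
BSD_SAMPLE = "<134>Jul 18 20:12:00 fw01 constructed payload"
IETF_SAMPLE = "<14>1 2019-07-18T20:12:00Z fw01 - - - - constructed payload"

if __name__ == "__main__":
    print(check(BSD_SAMPLE, "BSD", "local0"))    # no mismatches
    print(check(IETF_SAMPLE, "BSD", "local0"))   # format and facility mismatches
```
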


In the Email server profile, the display name can be set to a friendly format to appear in the received email.


Pro-Tip: In most cases, we recommend setting the 'from' email address to a domain inside the organization as SMTP servers may be configured to not relay messages from different domains.

email server profile


When the appropriate server profiles have been created, there are several spots where they can be set to start the forwarding.


System log


For system events, as seen in the system log, a server can be assigned per severity. This allows, for example, all non-informational logs to be forwarded to a syslog server for historical information, high severity events to send out an SNMP trap to an alert server, and critical events to send out an email and send the log to Panorama. Simply clicking the severity brings up the configuration window, where you can set the actions to take.


system log forwarding



Security log


Any security rule can have an individual Log Forwarding profile assigned to it. In most scenarios, this means that most, if not all, security logs are forwarded to Panorama or a syslog server. Critical threats can generate an SNMP trap or email the security team with a notification.


First, create one or more profiles to match your needs:

log forwarding profile

Pro-Tip: Threat severity Informational will contain URL filtering logs, if you would like to export these.



And next, attach the profile to a security rule by adding the Log Forwarding profile in the Actions tab. A new icon will appear in the security policy view to indicate log forwarding has been enabled for this policy.

security rule action




Finally, reports can also be sent out on a daily or weekly basis so an administrator can receive a convenient state of affairs without needing to log on to the firewall.


First, create a report group, which will combine predefined or custom reports into a single output group. All available reports can be selected from the left pane and moved into the group in the right pane.

report group


After the group is created, configure an email scheduler for the report creation and subsequent emailing to the desired administrators.

email scheduler


After the reports are available (some custom reports may require some time to populate a weekly overview if they have only just been created), they will appear in the emailed PDF.



If you liked this article, please check out the whole series at Getting Started: The series and feel free to comment below!



