What more can my firewall do? Forward log files and reports—
In some situations, it might be useful to send logs to a Security Information and Event Management (SIEM) software product, log correlation product, Panorama centralized management, or simply receive an email when a certain event occurs.
On the Palo Alto Networks firewall, Log Forwarding can be enabled for all kinds of events, including security rule hits or system events. SNMP traps or emails can be sent when a rule is hit or an event occurs, and reports can also be forwarded to designated email addresses.
To get started, you first need to create an appropriate server profile: either an SNMP server, Syslog server or Email profile will need to be created.
In the Sylog server profile, the syslog format and facility can be changed to suit the syslog server configuration.
In the Email server profile, the display name can be set to a friendly format to appear in the received email.
Pro-Tip: In most cases, we recommend setting the 'from' email address to a domain inside the organization as SMTP servers may be configured to not relay messages from different domains.
When the appropriate server profiles have been created, there are several spots where they can be set to start the forwarding.
For system events, as seen in the system log, a server can be assigned per severity. This will allow, for example, all non-informational logs to be forwarded to a syslog server for historical information, high severity events to send out an SNMP trap to an alert server, and critical events to send out an email and send the log to panorama. Simply clicking the severity brings up the configuration window, where you can set the actions to take.
Any security rule can have an individual Log Forwarding profile assigned to it. In most scenarios, this means that most, if not all, security logs are forwarded to a Panorama or syslog. Critical threats can generate an SNMP trap or email the security team with a notification.
First, create one or more profiles to match your needs:
Pro-Tip: Threat severity Informational will contain URL filtering logs, if you like to export these.
And next, attach the profile to a security rule by adding the Log Forwarding profile in the Actions tab. A new icon will appear in the security policy view to indicate log forwarding has been enabled for this policy.
Finally, reports can also be sent out on a daily or weekly basis so an administrator can receive a convenient state of affairs without needing to log on to the firewall.
First, create a report group, which will combine predefined or custom reports into a single output group. All available reports can be selected from the left pane and moved into the group in the right pane.
After the group is created, configure an email scheduler for the report creation and subsequent emailing to the desired administrators.
After the reports are available (some custom reports may require some time to populate a weekly overview if they have only just been created), they will appear in the emailed PDF.
If you liked this article, please check out the whole series at Getting Started: The series and feel free to comment below!