Getting Started: Logging
I’ve unpacked my firewall, but where are the logs?
We've gone from a factory default configuration right out of the box to a nice setup with a full-bodied configuration on a fully up-to-date firewall. Now the unit has been passing traffic along for a while, so we'll take a look at what we can learn from the logs and which reports are available.
Check out I've unpacked my firewall, now what?, I've unpacked my firewall and did what you told me, now what? and I've unpacked my firewall and want to configure VLANs — subinterfaces if you haven't seen the previous installments yet or want to take another look at where we left off.
Once the firewall has been passing traffic, you may need to look into traffic logs to verify what kind of traffic your servers are generating, or the threat logs to check that no machines have been infected and attacks are being blocked.
If you navigate to the monitor tab and access the traffic logs from the left pane, you'lll see the logs are neatly ordered from newest to oldest, top to bottom. Each log entry has several values in different columns.
- Receive Time indicates when the log was received in the logdb, if a security policy is set to log at the start of a session, this time will roughly correspond to when the session started, when a security policy is set to log at the end of the session, the receive time will correspond to roughly the time the session ended.
- Type indicates if this is a start of session or end of session log.
- From Zone and To Zone indicate which way the traffic is being initiated, from the SYN packet's perspective.
- Source and Destination indicate the IP addresses that are communicating.
- Source User can be populated if User Identification is enabled—we'll cover this in a later installment.
- To Port shows which destination port is being communicated to.
- Application shows you which Application has been detected by AppID.
- Action shows if a session was allowed or blocked.
- Rule shows which security rule determines what action to take when the session starts.
- Session End Reason indicates why a session ended. Possible reasons can be that an RST packet was received from server or client, the tcp/udp timeout time was reached, a FIN packet was received by client or server, a threat was detected, or a security policy denied the connection.
- Byte indicates how many bytes were transferred during the session, if the log is of the 'end' type.
These columns are merely defaults and several more can be activated or irrelevant ones deactivated. You can even move the columns to a different location or use the 'Adjust Columns' option to automatically resize the columns to fit your screen.
To allow for easier searching through logs, you can add filters as AND/OR operations. Click the plus sign next to the search bar to add filters from a list of available options, or take a look at this article, which has a list of available filters to help you fine tune your queries : Basics of Traffic Monitor Filtering.
You can also zoom in to additional details by clicking the details icon next to every log entry. It is important to note that a single session may create several different log entries. The three main log types on the Palo Alto device are:
- Traffic log, which contains basic connectivity information like IP addresses, ports and applications.
- Threat log, which contains any information of a threat, like a virus or exploit, detected in a certain session.
- URL log, which contains URLs accessed in a session.
So a single session my have several log entries associated with it. The log detail view will correlate these for your convenience:
If we now open the Threat log from the left pane, we will see a slightly different set of columns. In this view:
- Type will have changed to what kind of threat is detected.
- ID is the Palo Alto Networks designation of a certain threat, additional details can be found in the Palo Alto Networks ThreatVault.
- Attacker and Victim show who is sending the detected threat: note that this may be in the opposite direction of the traffic log as a client may initiate an outbound connection to a web server and receive a malicious file from that server, making the destination address in the traffic log the attacker, or source, in the threat log.
- Action taken on this threat could be a reset packet, a silent drop, or a different action depending on what is most appropriate or what is configured in the security profile.
- Severity indicates how dangerous a certain threat is.
If a security profile was configured to perform a packet capture when threats are detected, the packet capture can be retrieved using the download arrow next to the threat log:
If we now move on to the URL log, we'll see yet another view that provides additional details for any web browsing traffic and we can see which URLs and categories have been accessed by users.
The WildFire submissions log is going to provide a list of files that were uploaded to WildFire for analysis, and by default, create a log file for any files found to be malicious.
If you would also like to receive reports on benign files, you can activate this feature through the Device tab, WildFire tab under Setup from the left pane.
The cool thing about WildFire log is that the detail link takes you to the full analysis report, including a downloadable pdf, that shows you all the details about the file and any actions it took upon execution in the sandbox.
For a quick guide to set up WildFire, please take a look at this article on how to enable the free version of WildFire to 'try before you buy.' If you have not yet acquired a WildFire license, you will see that it can be a valuable asset to your arsenal.
Lastly, the data filtering log keeps track of any file uploads or downloads initiated on a security policy that contains a File Blocking profile. The log also indicates if the file was allowed or blocked.
Having all these logs available is great, especially when trying to pinpoint a specific issue or looking into an isolated incident, but having to look through logs to get a feeling of what is happening in the organization may not be efficient. This is why a wide variety of predefined reports are available out of the box and you can create custom reports tailored to your needs.
If you scroll down the left pane to the bottom, you can access the reports. From there you can select a report type from the right pane (go ahead and navigate through them all, they all have pretty interesting details) and select a date at the bottom.
If you'd like to share a report, use the buttons at the bottom to create a pdf, xls, or xml. Please keep in mind the predefined reports all represent a full day and are generated the next day around 2am, so 'today's' report will be available tomorrow morning. Custom reports can provide data for a longer time span.
If you're interested in taking a look at custom reports, we have a cool video tutorial available.
I hope you enjoyed this getting started guide—please feel free to leave comments below.