Palo Alto Networks Knowledgebase: Getting Started: Custom Reports

Getting Started: Custom Reports

Created On 07/18/19 19:27 PM - Last Updated 07/18/19 20:12 PM
Resolution

What more can my firewall do? Custom reports!

 

After configuring the firewall and enabling security policies and profiles, you can sit back and focus on other tasks, knowing that your network is secure. A good way to keep that peace of mind without constantly checking logs and searching for anomalies is to use scheduled reports to keep you posted on everything happening in your network.

 

Take a look at the video, then follow along step-by-step to configure your own custom reports.

 

 

 

Several Pre-Defined Reports are already set up for your convenience; these start creating usable report data the moment the Palo Alto Networks firewall is switched on and put into the network. If some of these reports are not useful, you can disable them and replace them with custom reports.

 

pre-defined reports

 

When you start creating a custom report, one of your first choices is which database to use for your report. You'll notice there are two groups to choose from, Summary and Detailed, each containing similar types of logs. 

 

custom report database

 

The Summary Databases are optimized databases that collect summarized data from the log files every 15 minutes, every hour, every day, and every week, allowing reports to be created quickly. The Detailed Logs allow you to crawl the log files in search of very specific data, but take longer to generate.

 

A difference between the Summary and Detailed URL database, for example, is that the Summary Database can report which categories and domains were accessed x number of times, while the Detailed Log can report exact URLs accessed from a certain source. 

 

For most reports, we recommend using the Summary Databases.

 

After selecting the database to create your report, enable the schedule and set a timeframe. An unscheduled report can be run only manually, but allows smaller timeframes, while a scheduled report, which generates and stores reports historically, can be configured to automatically email a daily, weekly or monthly report.

 

report schedule

 

If you'd like to take a look at some sample reports, you can Load a Report Template from the predefined reports, which you can then customize. Start by loading the Top Applications template:

load report template

The Selected Columns and Database are automatically loaded from the template; you only need to change the Name and Time Frame.

loaded template

 

 

If you click the Run Now button, a sample report is generated.

example custom report

 

If you head back to the Report Settings, you can add more details to the report by adding the 'Threats' column, changing the 'Sort By' to Threats and grouping the data by Day.

custom report settings

 

If you click the Run Now button again, the report will have a completely different look: the detected threats per application are reported, the data is grouped per day, and sorted from most threats to least.

custom report

 

You can also use the Query Builder to tune the report a little further. If you want to filter out DNS and portmapper from the report, you can create a filter for application not equal to dns and portmapper.

query builder

 

The report will now no longer contain these applications.

custom report
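
The report settings from the steps above (filter out dns and portmapper, Group By Day, Sort By Threats), modelled as an added Python example that is not Palo Alto Networks code and does not show how PAN-OS builds reports internally. The row layout, the function name build_report and all sample values are assumptions constructed for illustration; the same logic can be used to sanity-check a report against exported log data.

```python
from collections import defaultdict

# Constructed sample rows standing in for summarized application data:
# (day, application, sessions, threats). Not real firewall output.
SAMPLE_ROWS = [
    ("2019-07-16", "web-browsing", 420, 7),
    ("2019-07-16", "dns", 9100, 12),
    ("2019-07-16", "ssl", 880, 2),
    ("2019-07-16", "portmapper", 35, 4),
    ("2019-07-17", "web-browsing", 390, 3),
    ("2019-07-17", "smtp", 60, 9),
    ("2019-07-17", "dns", 8700, 1),
    ("2019-07-17", "ssl", 910, 0),
    ("2019-07-16", "web-browsing", 80, 1),  # a second summary interval on the same day
]

# Query Builder filter: application not equal to dns and portmapper
EXCLUDED_APPS = {"dns", "portmapper"}


def build_report(rows, excluded=EXCLUDED_APPS, top_n=10):
    """Return {day: [(app, sessions, threats), ...]}, each day sorted by threats."""
    totals = defaultdict(lambda: [0, 0])  # (day, app) -> [sessions, threats]
    for day, app, sessions, threats in rows:
        if app in excluded:
            continue  # filtered before aggregation, so excluded apps never rank
        totals[(day, app)][0] += sessions
        totals[(day, app)][1] += threats

    report = defaultdict(list)
    for (day, app), (sessions, threats) in totals.items():
        report[day].append((app, sessions, threats))
    for day in report:
        # Sort By = Threats (most first); ties broken by name for stable output
        report[day].sort(key=lambda r: (-r[2], r[0]))
        report[day] = report[day][:top_n]
    return dict(sorted(report.items()))  # Group By = Day, chronological


if __name__ == "__main__":
    for day, entries in build_report(SAMPLE_ROWS).items():
        print(day)
        for app, sessions, threats in entries:
            print(f"  {app:<14} sessions={sessions:<6} threats={threats}")
```

Note that in this sample dns carries the most threats on the first day, so excluding it changes which application tops the report, not just the row count.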

 

If you go ahead and click OK and Commit, the report will be added to the scheduled reports jobs that run every night and become available in the custom reports viewer:

reports viewer

 

After you've created a few of these reports, you can go ahead and add them into a report group. 

report group

 

The report group can then be added to an Email Scheduler so it is automatically mailed to you and your coworkers.

email scheduler

 

If you haven't created an Email Server Profile before, it should look somewhat like this:

email server profile

 

 

You can send a test email to make sure your configuration is working as expected before committing and waiting for the first report to appear.

email scheduler

 

I hope you found this article useful. Feel free to leave a comment below or check out other episodes in this series.

 

Regards,

Tom


