Tutorial: Filtered Log Forwarding
Hi everyone, this is Kim from the Palo Alto Networks community team, bringing you a new Palo Alto Networks video tutorial.
In today's video I will go over a feature that isn't exactly new but was enhanced considerably by popular demand.
Log forwarding has been around on our firewalls since forever. However, the feature had its limitations.
Let's say, for example, that you want to forward particular logs to start troubleshooting a specific issue. Prior to PAN-OS 8.0 you had to choose a collection of logs by severity or type rather than the specific set of logs you were actually interested in. That isn't granular at all, and most of the time you would end up with a flood of unwanted logs that you still had to filter through manually.
In response to that limitation, this enhancement lets you use user-defined filters for log forwarding, so only the logs that match your filter leave the firewall.
Let's move over to our firewalls and I'll show you exactly what it used to look like compared to how we improved it in PAN-OS 8.0.
As you can see right here I’ve logged into my firewall which is currently running PAN-OS version 7.1.3.
Let’s go check what log forwarding looks like. Just click the Objects tab and on the bottom left side you will find ‘Log Forwarding’.
There's already a profile configured, but for the sake of this video let's quickly add a new one to see exactly what we can do here. Just click the Add button and give your profile a name. Notice there's not much more you can do aside from choosing how you want to forward (to Panorama, send an SNMP trap, send an email, or send to a syslog server) and for which severity you want to forward. Aside from that it's not very granular. Just click OK to confirm the config.
Similarly, you have the log settings feature on the device tab. Here you can configure system logs, config logs and HIP match logs. But notice how it’s not granular at all. Aside from deciding on the severity in the system logs there’s nothing more you can do here.
Once you’re done setting this up you can go ahead and commit this and that’s basically it.
Now let's compare this to a firewall running PAN-OS 8.0.
Notice that I'm currently logged into another firewall running PAN-OS 8.0. Just like on the previous device, let's go to the Objects tab > Log Forwarding. Notice there are some profiles configured already, but I'll just add a new one for the sake of this video.
Notice how this window already looks different from the previous version.
Click the add button again to enter the Log Forwarding Profile Match list.
Here you can name your match list and select the type of logs this match list applies to. Notice there's a wider selection than in the previous version: traffic, threat, WildFire, URL, data, tunnel, or authentication (auth).
By default, the firewall forwards ALL logs of the selected log type. To forward only a subset of the logs, select an existing filter from the drop-down or select Filter Builder to add a new filter. For each query in a new filter, fill in the connector (and/or), attribute, operator and value, tick Negate if you want the opposite match, and click Add.
In the Create Filter tab you build the query, and only the logs matching the resulting query are forwarded. Use the 'View Filtered Logs' tab to verify exactly which logs will be forwarded before you commit.
It can be challenging to write your own filter from scratch, but you can work backwards and have the firewall create a filter for you.
Without a configured filter, the 'View Filtered Logs' tab shows an unfiltered view. From there you can make any selection in the log view and the firewall will add the matching filter term for you. Notice how the firewall creates a filter for me when I make any selection in the 'View Filtered Logs' tab. Click OK, and all that remains is to select your forward method. Once you've done that, click OK, confirm that the Log Forwarding profile looks right, and click OK once more.
With this your Log Forwarding profile is created. Keep in mind that a Log Forwarding profile only takes effect once you attach it to the security policy rules whose logs you want forwarded (the Log Forwarding field in the rule's Actions tab); the Device tab log settings covered next apply globally and need no such assignment.
Similarly, you have the Log Settings feature on the Device tab. Here you can configure System, Config, User-ID, Correlation and HIP Match logs (User-ID and Correlation are new in PAN-OS 8.0). See how we added the same granularity here.
Check out the Configuration logs. Click Add and give it a name. Let's add a filter with the Filter Builder and work backwards. For example, I want all the logs where the administrator is NOT admin. Let's negate admin and confirm this is pretty much what we were looking for. Let's forward that to Panorama and click OK. If you're happy with this config you can move forward and commit the change.
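To make the filter semantics concrete, here is an added Python example (my own code, not Palo Alto Networks code and not from this video) that dry-runs filter queries written in the Filter Builder's "( attribute operator value )" form against sample log records, so you can check what a match list would forward before you commit. It covers the Config-log filter from the walkthrough above, ( admin neq admin ), and the traffic-log case from the Objects tab, and it generalizes to and/or with parentheses. The sample records, the function names, the operator precedence (and before or) and the assumption that clicking values in View Filtered Logs yields eq terms joined with and are all mine; treat the real 'View Filtered Logs' tab as the authority for any query you deploy.

```python
"""Dry-run PAN-OS-style log filter queries against sample records (added example, not firewall code).
Grammar subset of the Filter Builder: "( field op value )" terms with eq/neq/in/contains,
joined with and/or, with parentheses for grouping. Field names follow the PAN-OS log columns.
"""
import ipaddress
import re

TERM = re.compile(r"\(\s*([\w.]+)\s+(eq|neq|in|contains)\s+(\S+?)\s*\)")  # values with spaces not handled
KEYWORD = re.compile(r"(and|or)\b")

def _match_term(record, field, op, value):
    actual = str(record.get(field, ""))
    if op == "eq":
        return actual == value
    if op == "neq":
        return actual != value
    if op == "contains":
        return value in actual
    try:  # "in": address membership (host or CIDR); plain equality for non-IP fields
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    except ValueError:
        return actual == value

def _tokenize(query):
    tokens, pos = [], 0
    while pos < len(query):
        if query[pos].isspace():
            pos += 1
        elif (m := TERM.match(query, pos)):
            tokens.append(("term", m.groups()))
            pos = m.end()
        elif query[pos] in "()":  # grouping parenthesis rather than a term
            tokens.append((query[pos], None))
            pos += 1
        elif (m := KEYWORD.match(query, pos)):
            tokens.append(("op", m.group(1)))
            pos = m.end()
        else:
            raise ValueError(f"unparseable filter at offset {pos}: {query[pos:pos + 12]!r}")
    return tokens

# Recursive descent over the tokens. Assumption: "and" binds tighter than "or"; use parentheses to be explicit.
def _parse_or(tokens, i, record):
    value, i = _parse_and(tokens, i, record)
    while i < len(tokens) and tokens[i] == ("op", "or"):
        rhs, i = _parse_and(tokens, i + 1, record)
        value = value or rhs
    return value, i

def _parse_and(tokens, i, record):
    value, i = _parse_atom(tokens, i, record)
    while i < len(tokens) and tokens[i] == ("op", "and"):
        rhs, i = _parse_atom(tokens, i + 1, record)
        value = value and rhs
    return value, i

def _parse_atom(tokens, i, record):
    if i >= len(tokens):
        raise ValueError("filter ended unexpectedly")
    kind, payload = tokens[i]
    if kind == "term":
        return _match_term(record, *payload), i + 1
    if kind == "(":
        value, i = _parse_or(tokens, i + 1, record)
        if i >= len(tokens) or tokens[i][0] != ")":
            raise ValueError("missing closing parenthesis")
        return value, i + 1
    raise ValueError(f"unexpected token {tokens[i]!r}")

def matches(record, query):
    """True if one log record satisfies the whole filter query."""
    tokens = _tokenize(query)
    value, i = _parse_or(tokens, 0, record)
    if i != len(tokens):
        raise ValueError("trailing tokens in filter")
    return value

def filter_logs(records, query):
    """What a match list with this filter would forward: the 'View Filtered Logs' preview."""
    return [r for r in records if matches(r, query)]

def filter_from_selection(**fields):
    """Work backwards like the UI: each clicked column value becomes an eq term (assumed: joined with and)."""
    return " and ".join(f"( {k} eq {v} )" for k, v in fields.items())

# Constructed sample records keyed by PAN-OS column name (not real firewall output).
CONFIG_LOGS = [
    {"admin": "admin", "host": "10.0.0.5", "cmd": "edit", "path": "rulebase security"},
    {"admin": "kim", "host": "10.0.0.7", "cmd": "set", "path": "log-settings profiles"},
    {"admin": "svc-automation", "host": "192.168.5.2", "cmd": "commit", "path": ""},
]
TRAFFIC_LOGS = [
    {"addr.src": "10.1.1.10", "addr.dst": "8.8.8.8", "app": "dns", "action": "allow"},
    {"addr.src": "10.1.1.11", "addr.dst": "203.0.113.9", "app": "ssl", "action": "deny"},
    {"addr.src": "172.16.0.4", "addr.dst": "203.0.113.9", "app": "ssl", "action": "allow"},
]
```

Running `filter_logs(CONFIG_LOGS, "( admin neq admin )")` returns only the two records not made by admin, which is the result the Config-log match list above forwards to Panorama; `filter_logs(TRAFFIC_LOGS, "( addr.src in 10.1.1.0/24 ) and ( action eq deny )")` shows the kind of narrowing a traffic match list gives you instead of every traffic log. To dry-run against real data, export the log view to CSV and feed the rows in as dicts keyed by the column names.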
This concludes this video on Filtered Log Forwarding. As always feel free to add comments to the comments section below or reach out to us in the Live Community Discussions Forum.