Selective log forwarding for WildFire logs from Firewall using log forwarding profile

Created On 08/22/20 15:49 PM - Last Modified 01/08/21 17:56 PM


Objective


When a firewall is configured to send an email notification for WildFire submissions, these emails can sometimes be overwhelming for an administrator. In this case, IT admins may want to suppress some of the email alerts while continuing to receive the other logs. For example, an IT admin may prefer to receive all WildFire alerts except WildFire email-link alerts.

This method can be used for any kind of selective log forwarding, for example when only threat logs with a drop action are needed and all other logs should be forwarded to Panorama.


Environment


  • All PAN-OS 
  • WildFire license 


Procedure


In this article, the WildFire log and email-link example is used; however, the same method can be used for any log selection.
1. Create a log forwarding profile.
2. Go to Objects -> Log Forwarding, create a new profile, and give it a name such as "Partial-email-forwarding".
3. Click the "Add" button at the bottom left and fill in the name. In the following screenshot the name is "email-links". Select "wildfire" as the "Log Type", and under Filter select "Filter Builder".
   (Screenshot: select log type)
4. When you select "Filter Builder", a new window opens that lets you build your own filter. In this case, I have selected "app" -> SMTP and "filetype" -> email-link. You can add further filters based on WildFire logs or other data.
   (Screenshot: filter selection for Filter Builder)
5. Do not select any "Forward Method" for this filter, so that logs matching it are not sent anywhere.
6. Now add additional entries to the log forwarding profile based on your requirements.
7. If you have not created an email profile, create one first. More information can be found here.
   (Screenshot: select other log type)
8. Select the desired log types and add the email log forwarding profile.
9. To allow all other WildFire logs except email-link, create a new entry with the negated condition of the previous one. For example, set the filter to not((app eq SMTP) and (filetype eq email-link)) and select the email profile as the forwarding method.
10. The final configuration looks as follows.
11. Now use the log forwarding profile in your security policy.
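As an added check on the two-entry design above (example code written for this article, not PAN-OS or the knowledge base's own code): a small Python evaluator for the filter syntax the article uses (field eq value, and, not, parentheses), run over constructed WildFire records to confirm that the email-link entry and its negation are exact complements, so every log matches exactly one entry and none is dropped by mistake or forwarded twice. Field names and sample values are assumptions for illustration.

```python
import re

# Constructed sample WildFire log records (not real firewall output).
SAMPLE_LOGS = [{"app": "smtp", "filetype": "email-link"}, {"app": "smtp", "filetype": "pe"},
               {"app": "web-browsing", "filetype": "pdf"}, {"app": "pop3", "filetype": "email-link"}]
# The article's two match-list entries: the first has no forward method, the second emails.
PROFILES = {
    "email-links": "(app eq SMTP) and (filetype eq email-link)",
    "all-other-wildfire": "not((app eq SMTP) and (filetype eq email-link))",
}
TOKEN = re.compile(r"\s*(\(|\)|\w[\w.-]*)")
def _fail(msg): raise ValueError(msg)

def parse_filter(expr):
    """Parse 'field eq value' terms joined by and/not and parentheses into a tuple tree."""
    toks = TOKEN.findall(expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):  # nothing silently skipped
        _fail("filter contains characters the tokenizer does not accept")
    nxt = lambda: toks.pop(0) if toks else _fail("filter ends unexpectedly")
    def p_and():  # 'and' binds looser than 'not'
        node = p_not()
        while toks and toks[0] == "and":
            nxt(); node = ("and", node, p_not())
        return node
    def p_not():  # 'not', a parenthesised group, or 'field eq value'
        if toks and toks[0] == "not":
            nxt(); return ("not", p_not())
        if toks and toks[0] == "(":
            nxt(); node = p_and()
            if nxt() != ")": _fail("missing ')'")
            return node
        field, op, value = nxt(), nxt(), nxt()
        if op != "eq": _fail("unsupported operator " + op)
        return ("eq", field, value)
    tree = p_and()
    if toks: _fail("unexpected token " + toks[0])
    return tree

def matches(tree, log):
    """Evaluate a parsed filter against one log record; value comparison is case-insensitive."""
    kind, *rest = tree
    if kind == "eq": return str(log.get(rest[0], "")).lower() == rest[1].lower()
    if kind == "not": return not matches(rest[0], log)
    return matches(rest[0], log) and matches(rest[1], log)

def route(logs, profiles=PROFILES):
    """Map each match-list entry to the logs it would forward; the entries should be exact complements."""
    trees = {name: parse_filter(expr) for name, expr in profiles.items()}
    return {name: [log for log in logs if matches(t, log)] for name, t in trees.items()}
```

Calling route(SAMPLE_LOGS) places only the SMTP email-link record under "email-links" and the other three under "all-other-wildfire"; a record in both or in neither would mean the filters are not complements.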


Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HATnCAO&lang=en_US