Set Up Remote Search

Remote search enables you to use AutoFocus to find suspicious IP addresses, SHA256 hashes, URLs, user agents, and filenames in a specific Palo Alto Networks firewall or a set of Panorama-managed firewalls. AutoFocus looks for matches to the suspicious artifacts in the firewall log entries. When you launch a remote search, the firewall or Panorama web interface opens in a new window and displays the search results in Unified log view.
The remote search feature is supported with firewalls running PAN-OS 7.1 or later release versions.
AutoFocus can also integrate with third-party log management systems. When you configure your custom system to work with AutoFocus remote search, you can filter log or event repositories with AutoFocus search conditions.
  1. Log in to the firewall or Panorama you want to search with your administrator username and password.
  2. Configure the settings of the remote system.
    Allow HTTP or HTTPS service on the management interface of your firewall or Panorama. Select the service that matches the address of the remote system you want to search.
  3. Add a remote system to search with AutoFocus.
    1. Select Settings on the navigation pane.
    2. Add new remote systems.
    3. Enter a descriptive Name for the remote system.
    4. Select a System Type:
      1. Select PanOS to add a firewall or Panorama.
      2. Select Custom to add a custom system that has been configured to integrate with AutoFocus remote search.
    5. Enter the IP Address or URL of the remote system.
    6. Click Save changes.
    7. Click Save changes on the Settings page to finish adding the remote system. You can add up to 500 remote systems.
  4. Add conditions to a remote search:
    • Add an artifact from a search result.
      1. Perform a search, and view Sample Details.
      2. Add any SHA256 hash, IP address, user agent, filename, or URL contained in a sample to a remote search.
        For example, add a sample hash or add a domain.
      3. Click Remote Search to verify that the artifact was added.
    • Click Remote Search to verify that the search condition was added.
    • Create a condition to add to a remote search.
      1. On the search editor, click Remote Search.
      2. Add IP addresses, URLs, user agents, SHA256 hashes, or filenames to the remote search.
  5. (Panorama Device Group and Template administrators only) For Panorama Device Group and Template administrators (not superusers), an AutoFocus remote search targeted to Panorama returns results based on the current Panorama Access Domain setting. Panorama administrators with role-based access control must first open the Panorama web interface, select Monitor > Logs, and set the Access Domain for which to view search results. Then return to the AutoFocus portal to execute your remote search.
  6. Start a remote search.
    1. Click Remote Search.
    2. Review the list of search conditions that you added in Step 4. Add or remove conditions as needed.
    3. Set the remote search to find Any or All of the artifacts on the targeted system.
    4. Select one or more Remote systems to search.
    5. Click Search.
  7. View the search results.
    If no browser tabs open when you launch remote search, change the settings on your browser to allow pop-ups from AutoFocus.
    A new browser tab opens for each remote system.
    • Search results for a firewall or a Panorama are displayed in Unified log view. The list consists of all log entries that contain the artifacts specified in the remote search.
      Panorama search results include log entries from managed firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 or earlier.
    • Each custom system opens in a new tab, with the URL formatted to include the conditions specified in the remote search.
      The maximum length for the URL generated through remote search is 1,024 characters. Performing a remote search with multiple search conditions may create a URL that exceeds the character limit. As a best practice, check which conditions were added to the URL after launching a search.
  8. Learn more about working with Unified logs on the firewall.
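
The check recommended in step 7 for custom systems (confirming which conditions made it into a URL capped at 1,024 characters) can be scripted. The following is an added example, not AutoFocus code: the host name, the query layout, and the sample artifacts are constructed, and the only assumption about the real URL is that each artifact appears in it, possibly percent-encoded.

```python
import hashlib
from urllib.parse import quote_plus, unquote_plus

URL_LIMIT = 1024  # maximum remote-search URL length given in the documentation


def audit_remote_search_url(url, conditions):
    """Check which remote-search conditions are intact in a launched URL."""
    # Decode percent-escapes and '+' so artifacts match however they were encoded.
    decoded = unquote_plus(url).lower()
    present = [c for c in conditions if c.lower() in decoded]
    missing = [c for c in conditions if c.lower() not in decoded]
    return {
        "length": len(url),
        # Heuristic: a URL sitting exactly at the limit has probably been cut short.
        "at_limit": len(url) >= URL_LIMIT,
        "present": present,
        "missing": missing,
    }


def constructed_url(conditions):
    """Build a sample URL. The host and query layout are hypothetical."""
    query = quote_plus(" OR ".join(conditions))
    return ("https://siem.example.internal/search?q=" + query)[:URL_LIMIT]


# Constructed sample conditions: a documentation-range IP, a made-up user
# agent, and 20 SHA256 values derived from dummy strings.
CONDITIONS = ["198.51.100.7", "Mozilla/5.0 (compatible; ExampleBot/1.0)"] + [
    hashlib.sha256(f"sample-{i}".encode()).hexdigest() for i in range(20)
]

if __name__ == "__main__":
    report = audit_remote_search_url(constructed_url(CONDITIONS), CONDITIONS)
    print(f"URL length {report['length']}, at limit: {report['at_limit']}")
    print(f"{len(report['present'])} conditions intact, "
          f"{len(report['missing'])} missing or cut off:")
    for artifact in report["missing"]:
        print("  ", artifact)
```

To use it on a real search, pass the URL copied from the custom system's browser tab and the list of conditions you added; any artifact reported as missing was not searched and should be run in a separate remote search.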