Remote Search

You can now use AutoFocus™ to find suspicious IP addresses, SHA256 hashes, URLs, user agents, and filenames in a specific Palo Alto Networks® firewall or a set of Panorama-managed firewalls. AutoFocus looks for matches to the suspicious artifacts in the firewall log entries. When you launch a remote search, the firewall or Panorama™ web interface opens in a new window and displays the search results in Unified log view.
The remote search feature is only supported in firewalls running PAN-OS® 7.1 or later release versions.
AutoFocus also now supports the ability to integrate with third-party log management systems. When you configure your custom system to work with AutoFocus remote search, you can filter log or event repositories with AutoFocus search conditions.
  1. Log in to the firewall or Panorama you want to search with your administrator username and password.
  2. Configure the settings of the remote system.
    Allow HTTP or HTTPS service on the management interface of your firewall or Panorama. Select the service that matches the address of the remote system you want to search.
  3. Add a remote system to search with AutoFocus.
    1. Select Settings on the navigation pane.
    2. Add new remote systems.
    3. Enter a descriptive Name for the remote system.
    4. Select a System Type:
      1. Select PanOS to add a firewall or Panorama.
      2. Select Custom to add a custom system that has been configured to integrate with AutoFocus remote search.
    5. Enter the IP Address or URL of the remote system.
    6. Save changes.
    7. Save changes again to finish adding the remote system. You can add up to ten remote systems.
  4. (For Panorama Device Group and Template Administrators Only) For Panorama Device Group and Template administrators (not superusers), an AutoFocus remote search targeted to Panorama returns results based on the current Panorama Access Domain setting. Panorama administrators with role-based access control must first open the Panorama web interface, select Monitor > Logs, and set the Access Domain for which to view search results. Return to the AutoFocus portal to execute your remote search.
  5. Start a remote search.
    1. Select Search on the navigation pane.
    2. Click Remote Search.
    3. Add IP addresses, URLs, user agents, SHA256 hashes, or filenames to the remote search.
      You can add artifacts from the results of an existing search to the remote search. Open Remote Search again to verify that the artifact was added as a search condition.
    4. Set the remote search to find Any or All of the artifacts on the targeted system.
    5. Select one or more Remote systems to search.
    6. Click Search.
  6. View the search results. A new browser tab opens for each remote system.
    If no browser tabs open when you launch remote search, change the settings on your browser to allow pop-ups from AutoFocus.
    The Unified log displays all log entries that contain the artifacts added to the remote search.
    If the remote search is for Panorama, the Unified log displays log entries from all managed firewalls, including those that are running PAN-OS 7.0 and earlier release versions.
    If the remote search is for a custom system, the custom system opens in a new tab, with the URL formatted to include the conditions specified in the remote search.
  7. Next steps:
