What Data Center Traffic to Log and Monitor
The types of data center traffic you should log and monitor, the tools you can use to analyze the traffic, and how to best utilize them.
The Palo Alto Networks next-generation firewall creates some logs by default, while you need to configure logging for other traffic. The best practice is to log all data center traffic and monitor the logs for unexpected applications, users, traffic, and behaviors.
By default, the firewall logs traffic that matches explicitly configured Security policy rules and does not log traffic that matches the predefined intrazone-default (allows traffic with a source and destination in the same zone) and interzone-default (the last rule in the rulebase, which denies traffic that matches no preceding rules) rules at the bottom of the rulebase.
When you create a Security policy rule, the firewall logs the rule's traffic by default, and it logs that traffic at the end of the session.
The best practice for most traffic is to Log at Session End because applications often change throughout the lifespan of a session. For example, the initial App-ID for a session may be web-browsing, but after the firewall processes a few packets, the firewall may find a more specific App-ID for the application and change the App-ID. There are several use cases for logging traffic at the start of a session, including DNS sinkholing, long-lived tunnel sessions, and when you need information from the start of the session for troubleshooting.
Logging the traffic records information about traffic that a rule allows and traffic that a rule denies or drops (rule violations), so the firewall provides valuable information regardless of how it treats the traffic. Rule violations highlight potential attacks or whitelist rules that need to be adjusted to allow a legitimate business application.
When you examine blocked traffic in logs, differentiate between traffic that the firewall blocked as a protective event before any systems have been compromised, such as blocking an application that isn’t whitelisted, and traffic that the firewall blocked as a post-compromise event, for example, an attempt by malware that is already on a data center server to contact an external server to download more malware or exfiltrate data.
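The triage the preceding paragraphs describe (confirming that the default rules are producing log entries, spotting applications a rule was not written for, and separating blocks of inbound traffic from blocks of outbound connections originating inside the data center) can be run over an exported traffic log. The following script is an added example, not code from the Palo Alto Networks documentation. It assumes a CSV export of the traffic log reduced to a simplified, constructed column layout (the real export has many more columns), a constructed data center address range, and a constructed per-rule whitelist; the pre-/post-compromise labelling is a direction-based heuristic that only narrows what an analyst should look at first.

```python
"""Triage of an exported PAN-OS traffic log (added example, not vendor code).

Assumptions (all constructed for this example):
  * the CSV has the columns named in the header of SAMPLE_LOG;
  * DATA_CENTER_NETS lists the address space of the data center segments;
  * EXPECTED_APPS maps a rule name to the App-IDs that rule was written for
    (an empty set means nothing is expected to hit that rule at all).
"""
import csv
import io
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: session-end entries, including hits on the two
# predefined rules, which only appear once logging is enabled on them.
SAMPLE_LOG = """\
receive_time,type,subtype,src,dst,rule,app,action,from_zone,to_zone
2024-05-01 10:00:01,TRAFFIC,end,10.1.10.5,10.1.20.7,allow-web-to-db,mysql,allow,dc-web,dc-db
2024-05-01 10:00:02,TRAFFIC,end,10.1.10.5,10.1.20.7,allow-web-to-db,ssh,allow,dc-web,dc-db
2024-05-01 10:00:03,TRAFFIC,end,192.0.2.44,10.1.10.5,interzone-default,telnet,deny,untrust,dc-web
2024-05-01 10:00:04,TRAFFIC,end,10.1.20.7,198.51.100.9,interzone-default,unknown-tcp,deny,dc-db,untrust
2024-05-01 10:00:05,TRAFFIC,end,10.1.20.7,10.1.20.8,intrazone-default,bittorrent,allow,dc-db,dc-db
"""

DATA_CENTER_NETS = [ip_network("10.1.0.0/16")]          # constructed
EXPECTED_APPS = {                                       # constructed whitelist
    "allow-web-to-db": {"mysql"},
    "intrazone-default": set(),   # best practice: nothing should rely on this rule
}
DEFAULT_RULES = {"interzone-default", "intrazone-default"}


def parse_log(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_data_center(addr):
    ip = ip_address(addr)
    return any(ip in net for net in DATA_CENTER_NETS)


def classify_denied(entry):
    """Heuristic label for a denied session based on its direction."""
    src_internal = is_data_center(entry["src"])
    dst_internal = is_data_center(entry["dst"])
    if src_internal and not dst_internal:
        # A data center server trying to reach outside: review for C2/exfiltration.
        return "post-compromise-candidate"
    if not src_internal and dst_internal:
        # Blocked before anything inside was touched.
        return "protective-block"
    return "internal-policy-violation"


def triage(entries):
    """Summarise default-rule hits, unexpected App-IDs and denied sessions."""
    report = {
        "default_rule_hits": Counter(),
        "unexpected_apps": [],
        "denied": defaultdict(list),
    }
    for e in entries:
        if e["rule"] in DEFAULT_RULES:
            report["default_rule_hits"][e["rule"]] += 1
        expected = EXPECTED_APPS.get(e["rule"])
        if expected is not None and e["app"] not in expected:
            report["unexpected_apps"].append((e["rule"], e["app"], e["src"], e["dst"]))
        if e["action"] != "allow":
            report["denied"][classify_denied(e)].append((e["src"], e["dst"], e["app"]))
    return report


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    print("Default rule hits:", dict(result["default_rule_hits"]))
    print("Unexpected applications:", result["unexpected_apps"])
    for label, sessions in result["denied"].items():
        print(f"{label}: {sessions}")
```

A zero count for interzone-default in `default_rule_hits` on a busy firewall is itself a finding: it usually means logging has not been enabled on the predefined rules, so denied traffic is invisible. The ssh session that matched allow-web-to-db and the bittorrent session that was allowed by intrazone-default are the "unexpected applications" the text asks you to evaluate.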
The firewall provides a wealth of monitoring tools, logs, and log reports with which to analyze your network:
- Monitor > Logs provides traffic, threat, User-ID, and many other log types, including Unified logs (Monitor > Logs > Unified), which show multiple log types on one screen so you don't have to look at different types of logs separately. When a magnifying glass icon is part of the summary, you can click it to drill down into the log entry.
- Monitor > PDF Reports provides predefined reports that you can view and the ability to create report groups composed of predefined and custom reports. For example, you can review traffic activity or take baseline measurements to understand the bandwidth usage and traffic flow in each data center segment by zone or interface.
- Monitor > Manage Custom Reports provides the ability to create customized reports so that you can view information about block rules, allow rules, or any other subject of interest.
- Monitor > Packet Capture enables you to take packet captures of traffic that traverses the firewall's management interface and network interfaces.
- The Application Command Center (ACC) provides widgets that display an interactive, graphical summary of the applications, users, URLs, threats, and content traversing the network. For example, you can review and evaluate the applications on the network (ACC > Network Activity > Application Usage > Threats) to see if there are any changes in the application or if the application exhibits threat behaviors. If you see unexpected applications in the list, evaluate how to handle those applications. Another good way to use ACC information is to help identify compromised user accounts and host systems. Analyze threats along with the usernames associated with the threats using the ACC > Network Activity > User Activity > Threats widget and then use the threat logs to isolate the exact issue.
- The Dashboard (Dashboard) provides widgets that display general firewall information and up to 10 of the most recent entries in the threat, configuration, and system logs.