Configure Logging for Cloud NGFW on AWS
A log is an automatically generated, time-stamped file that provides an audit trail for system events on the firewall or network traffic events that the firewall monitors. Log entries contain artifacts, which are properties, activities, or behaviors associated with the logged event, such as the application type or the IP address of an attacker. Each log type records information for a separate event type. For example, the firewall generates a Threat log to record traffic that matches a spyware, vulnerability, or virus signature, or a DoS attack that matches the thresholds configured for port scan or host sweep activity on the firewall.
The Cloud NGFW can send traffic, threat, and decryption logs to an S3 Bucket, CloudWatch Log Group, or Kinesis Data Firehose. The names of these log destinations must be included in the Cloud NGFW CloudFormation template (CFT) that is launched when you add your Tenant Admin AWS Account to the Cloud NGFW. The CloudWatch Log Group and Kinesis Data Firehose have a default value of PaloAltoCloudNGFW in the CFT. The S3 Bucket has no default. The Cloud NGFW does not create these resources in your AWS environment. The CFT gives the Cloud NGFW the permissions to write the logs to the destination. A destination with the name you provided in the CFT must exist in your deployment to successfully capture NGFW logs.
Log Types
Cloud NGFW can capture and save three types of logs.
- Traffic—Traffic logs display an entry for the start and end of each session. See Cloud NGFW for AWS Traffic Log Fields for more information.
- Threat—Threat logs display entries when traffic matches one of the security profiles attached to a security rule on the firewall. Each entry includes the following information: date and time; type of threat (such as virus or spyware); threat description or URL (Name column); alarm action (such as allow or block); and severity level. See Cloud NGFW for AWS Threat Log Fields for more information.
- Decryption—Decryption logs display entries for unsuccessful TLS handshakes by default and can display entries for successful TLS handshakes if you enable them in Decryption policy. If you enable entries for successful handshakes, ensure that you have the system resources (log space) for the logs. See Cloud NGFW for AWS Decryption Log Fields for more information.

Threat log entries use the following severity levels:

| Severity | Description |
| --- | --- |
| Critical | Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and for which exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims, and the target does not need to be manipulated into performing any special functions. |
| High | Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool. |
| Medium | Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target, or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access. |
| Low | Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage. |
| Informational | Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist. URL Filtering log entries are logged as Informational. Log entries with any verdict and an action set to block are logged as Informational. |
Log Destination
You have three choices of destination for your Cloud NGFW logs. These destinations all reside outside of the Cloud NGFW service but within your AWS account: an S3 bucket, a CloudWatch log group, or a Kinesis Data Firehose delivery stream. Each log file is generated as a JSON file.
When you Subscribe to Cloud NGFW for AWS, you are asked to set up your AWS CloudFormation template stack. The stack prepopulates the logging destinations for the CloudWatch log group and the Kinesis Data Firehose delivery stream with a destination called PaloAltoCloudNGFW. The S3 Bucket field is not prepopulated. If you want to send the logs to a different destination, you must create that destination and replace the default value with its name before you complete stack creation.
If you send the logs to a CloudWatch log group, you can view the log entries directly in the AWS CloudWatch console. In the CloudWatch log group you specify when configuring logging, you will see a list of log streams. The log stream name is displayed as:
/<aws-account-id>/<region>/<NGFW-name>/<random-string>/<log-type>.<year>.<month>.<day>.<hour>
For example: /account123/us-west-1/firewall-1/qadd232312345dea/TRAFFIC.2022.02.10.23
The <random-string> refers to the individual NGFW resource that generated the log.
You can click on the stream name to view log entries, which are displayed as shown in the following example.

If you send the logs to an S3 bucket, the log files are saved as JSON files. The NGFW sends a new log file when one of the following criteria is met: the firewall has generated 256MB of logs, or 10 minutes have elapsed since the last log file was generated. To locate the files in the S3 bucket you specify, access the S3 console in AWS and find the bucket you specified. Then select . S3 bucket log file names adhere to the following format:
<aws-account-id>-<region>-<NGFW-name>-<log-type>-<year>-<month>-<day>-<hour>-<random-string>
The <random-string> refers to the individual NGFW resource that generated the log.
You can then download the file and use a JSON reader to view the logs in a more readable format. In addition to the log information, each log entry also contains a header that records the date, priority, time, firewall hostname, log type, year, month, day, hour, minute, and second.
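The two name formats above (the CloudWatch log stream name and the S3 log file name) are the only place the account, region, NGFW and hour bucket appear for these two destinations, so a parser for them is useful when inventorying or triaging log objects. The following is an added example, not Palo Alto Networks code; it assumes the region follows the usual AWS pattern (for example us-west-1), that the account ID contains no "-", and that the log type is uppercase as in the documented example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example (not Palo Alto Networks code). Parses the two documented name formats:
#   CloudWatch log stream:
#     /<aws-account-id>/<region>/<NGFW-name>/<random-string>/<log-type>.<year>.<month>.<day>.<hour>
#   S3 log file:
#     <aws-account-id>-<region>-<NGFW-name>-<log-type>-<year>-<month>-<day>-<hour>-<random-string>
# Assumptions: region matches the usual AWS pattern (e.g. us-west-1), the account
# ID contains no "-", and the log type is uppercase as in the doc's example.
REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"
STREAM_RE = re.compile(
    rf"^/(?P<account>[^/]+)/(?P<region>{REGION})/(?P<ngfw>[^/]+)/(?P<rand>[^/]+)/"
    r"(?P<logtype>[A-Z]+)\.(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})\.(?P<h>\d{2})$"
)
# The NGFW name may itself contain "-", so the S3 pattern is anchored on the
# fixed-width date fields to the right instead of splitting naively on "-".
S3_RE = re.compile(
    rf"^(?P<account>[^-]+)-(?P<region>{REGION})-(?P<ngfw>.+)-(?P<logtype>[A-Z]+)-"
    r"(?P<y>\d{4})-(?P<m>\d{2})-(?P<d>\d{2})-(?P<h>\d{2})-(?P<rand>[^-]+)$"
)

@dataclass(frozen=True)
class LogObjectName:
    account: str
    region: str
    ngfw: str
    rand: str           # identifies the individual NGFW resource that wrote the log
    logtype: str        # TRAFFIC, THREAT or DECRYPTION
    hour_utc: datetime  # names are in UTC, unlike the local time shown in the AWS console

def _build(m: re.Match) -> LogObjectName:
    g = m.groupdict()
    hour = datetime(int(g["y"]), int(g["m"]), int(g["d"]), int(g["h"]), tzinfo=timezone.utc)
    return LogObjectName(g["account"], g["region"], g["ngfw"], g["rand"], g["logtype"], hour)

def parse_log_name(name: str) -> LogObjectName:
    """Accept either a CloudWatch log stream name or an S3 log file name."""
    m = STREAM_RE.match(name) or S3_RE.match(name)
    if not m:
        raise ValueError(f"not a Cloud NGFW log stream or S3 file name: {name!r}")
    return _build(m)

if __name__ == "__main__":
    # Constructed samples: the stream name is the doc's own example, the S3 name is invented.
    for n in ("/account123/us-west-1/firewall-1/qadd232312345dea/TRAFFIC.2022.02.10.23",
              "123456789012-us-west-1-firewall-1-THREAT-2022-02-10-23-qadd232312345dea"):
        print(parse_log_name(n))
```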

If you send log files to a Kinesis Data Firehose, logs are sent to the delivery stream name that you specify and then to the final destination, such as an S3 Bucket, Datadog, or Splunk. The source for your Kinesis Data Firehose must be Direct PUT or other sources. In addition to the log information, each log entry also contains a header that records the date, priority, time, firewall hostname, log type, year, month, day, hour, minute, second, region, firewall name, and AWS account ID. The NGFW adds the region, firewall name, and AWS account ID to the logs to help identify where the log was generated, because this information is not included in the log file name. You can then download the JSON file for viewing.
The times and dates recorded in log entries and log file names are displayed in UTC. However, the log dates displayed in the AWS console are displayed in your local time and date.
- From the Cloud NGFW console, select NGFWs and select the firewall on which to configure logging.
- Select Log Settings.
- Under Log Type, select one or more log types to be captured. You have the option to send all logs to the same destination or to choose a different destination for each log type.
- Select the Log Destination. If you are selecting more than one log type, you must select the destination individually for each log type.
- Enter the Log Destination name. The log destination name must
- Click Save.