View Audit Logs on Cloud NGFW for AWS
Focus
Focus
Cloud NGFW for AWS

View Audit Logs on Cloud NGFW for AWS

Table of Contents

View Audit Logs on Cloud NGFW for AWS

Learn about audit logging on Cloud NGFW for AWS.
Where Can I Use This?What Do I Need?
  • Cloud NGFW for AWS
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Account (CSP)
  • AWS Marketplace account
  • User role (either tenant or administrator)
Track administrator activity on Cloud NGFW for AWS to achieve real-time reporting of activity across your deployment. If you have reason to believe that an administrator account is compromised, the audit log provides you with a full history of where an administrator navigated throughout the Cloud NGFW tenant and what configuration changes they made so you can analyze in detail and respond to all actions taken be the compromised account.
If you have already deployed Cloud NGFW for AWS, you may need to update your CFT. If your current CFT does not include the Audit Log field.
  • The log group must be created in the AWS console in the same region where the Cloud NGFW CFT was deployed.
  • For Cloud NGFW tenants created after July 30, 2025 (V2 tenants), audit logging is currently unavailable for certain UI and core firewall management APIs. Actions performed through the firewall list and firewall details pages in the UI (e.g., viewing the list of firewalls), or via the corresponding APIs, will not generate audit log entries.
    Following are the affected firewall management APIs:
    POST /ngfirewalls (create ngfirewall) GET /ngfirewalls (list ngfirewalls) GET /ngfirewalls/{firewall_id} (read ngfirewall) PATCH /ngfirewalls/{firewall_id} (update ngfirewall) DELETE /ngfirewalls/{firewall_id} (delete ngfirewall) POST /ngfirewalls/{firewall_id}/link (associate fw link) DELETE /ngfirewalls/{firewall_id}/link (disassociate fw link) POST /ngfirewalls/{firewall_id}/rulestack (associate rulestack) DELETE /ngfirewalls/{firewall_id}/rulestack (disassociate rulestack) GET /ngfirewalls/{firewall_id}/logprofile (read logprofile) POST /ngfirewalls/{firewall_id}/logprofile (update logprofile)
    The V1 tenants, where audit logging for all APIs continues to function as expected.
When an event occurs, an audit log is generated and forwarded to the CloudWatch log group you specify.
  1. If necessary, update your CFT to add permissions necessary to write to the Audit Log CloudWatch log group.
    1. Log in to the Cloud NGFW console.
    2. Select AWS AccountsDownload CFT to download the CFT as a yaml file.
    3. Upload, edit, and apply your CFT to the AWS console.
      1. Log in to the AWS Console and select CloudFormationStacks.
      2. Locate the Cloud NGFW stack—PaloAltoNetworksCrossAccountRoleSetup.
      3. Select Update.
      4. Select Replace current template and Upload a template file.
      5. Select your CFT yaml file and click Next.
      6. Verify the CFT stack setting and click Next.
      7. Verify the CFT stack options and click Next.
      8. Review the CFT stack and click Update.
  2. Log in to the Cloud NGFW tenant console.
  3. Select Tenant.
  4. Click the Audit Log Settings edit icon
    .
  5. Select the CloudWatch radio button.
  6. Enter the Amazon Resource Name (ARN) of your target CloudWatch Log Group.
    Ensure that the ARN you enter here corresponds with the CloudWatch Log Group you specified in your CFT stack.
  7. Click Save.