Download PDF
Cloud NGFW for AWS
View Audit Logs on Cloud NGFW for AWS
Table of Contents
Expand All
|
Collapse All
Cloud NGFW for AWS Docs
View Audit Logs on Cloud NGFW for AWS
Learn about audit logging on Cloud NGFW for AWS.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
Track administrator activity on Cloud NGFW for AWS to achieve real-time reporting of
activity across your deployment. If you have reason to believe that an administrator
account is compromised, the audit log provides you with a full history of where an
administrator navigated throughout the Cloud NGFW tenant and what configuration
changes they made so you can analyze in detail and respond to all actions taken be
the compromised account.
If you have already deployed Cloud NGFW for AWS, you may need to update your CFT. If
your current CFT does not include the Audit Log field.
- The log group must be created in the AWS console in the same region where the Cloud NGFW CFT was deployed.
- For Cloud NGFW tenants created after July 30, 2025 (V2 tenants), audit logging is currently unavailable for certain UI and core firewall management APIs. Actions performed through the firewall list and firewall details pages in the UI (e.g., viewing the list of firewalls), or via the corresponding APIs, will not generate audit log entries.Following are the affected firewall management APIs:The V1 tenants, where audit logging for all APIs continues to function as expected.POST /ngfirewalls (create ngfirewall) GET /ngfirewalls (list ngfirewalls) GET /ngfirewalls/{firewall_id} (read ngfirewall) PATCH /ngfirewalls/{firewall_id} (update ngfirewall) DELETE /ngfirewalls/{firewall_id} (delete ngfirewall) POST /ngfirewalls/{firewall_id}/link (associate fw link) DELETE /ngfirewalls/{firewall_id}/link (disassociate fw link) POST /ngfirewalls/{firewall_id}/rulestack (associate rulestack) DELETE /ngfirewalls/{firewall_id}/rulestack (disassociate rulestack) GET /ngfirewalls/{firewall_id}/logprofile (read logprofile) POST /ngfirewalls/{firewall_id}/logprofile (update logprofile)
When an event occurs, an audit log is generated and forwarded to the CloudWatch log
group you specify.
- If necessary, update your CFT to add permissions necessary to write to the Audit Log CloudWatch log group.
- Log in to the Cloud NGFW console.Select AWS AccountsDownload CFT to download the CFT as a yaml file.Upload, edit, and apply your CFT to the AWS console.
- Log in to the AWS Console and select CloudFormationStacks.
- Locate the Cloud NGFW stack—PaloAltoNetworksCrossAccountRoleSetup.
- Select Update.
- Select Replace current template and Upload a template file.
- Select your CFT yaml file and click Next.
- Verify the CFT stack setting and click Next.
- Verify the CFT stack options and click Next.
- Review the CFT stack and click Update.
Log in to the Cloud NGFW tenant console.Select Tenant.Click the Audit Log Settings edit iconSelect the CloudWatch radio button.Enter the Amazon Resource Name (ARN) of your target CloudWatch Log Group.Ensure that the ARN you enter here corresponds with the CloudWatch Log Group you specified in your CFT stack.Click Save.