Each log page has a filter field at the
top of the page. You can add artifacts to the field, such as an
IP address or a time range, to find matching log entries. The icons
to the right of the field enable you to apply, clear, create, save,
and load filters.
Create a filter:
Click an artifact in a log entry to add that artifact to the filter.
Click Add to define new search criteria. For each criterion, select the Connector that defines the search type (and or or), the Attribute on which to base the search, an Operator to define the scope of the search, and a Value for evaluation against log entries. Add each criterion to the filter field and Close when you finish. You can then apply the filter.
If the Value string matches an Operator (such as has or in), enclose the string in quotation marks to avoid a syntax error. For example, if you filter by destination country and use IN as a Value to specify INDIA, enter the filter as ( dstloc eq "IN" ).
The log filter (receive_time in last-60-seconds) causes the number of log entries (and log pages) displayed to grow or shrink over time.
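The quoting rule above can be applied mechanically when filter strings are assembled outside the web interface. The following is an added example, not code from the product or its documentation: the function names are hypothetical, the keyword set holds only the operator words this page names (eq, has, in), and rejecting embedded double quotes is a choice of this example because the page documents no escape syntax.

```python
# Added example: assemble log filter strings and quote values that collide
# with operator keywords, as in ( dstloc eq "IN" ).
OPERATORS = {"eq", "has", "in"}   # assumption: only the operator words named on this page
CONNECTORS = {"and", "or"}        # the two connector types the page lists


def quote_value(value: str) -> str:
    """Return the value, in quotation marks if it would parse as an operator."""
    quoted = len(value) >= 2 and value[0] == value[-1] == '"'
    inner = value[1:-1] if quoted else value
    if '"' in inner or "\n" in inner:
        # No escape syntax is documented on the page, so refuse instead of guessing.
        raise ValueError(f"unsupported character in value: {value!r}")
    if quoted or inner.lower() in OPERATORS:   # e.g. IN (India) vs. the operator "in"
        return f'"{inner}"'
    return inner


def criterion(attribute: str, operator: str, value: str) -> str:
    """Render one criterion in the ( attribute operator value ) form."""
    if operator not in OPERATORS:
        raise ValueError(f"operator not in this example's set: {operator!r}")
    return f"( {attribute} {operator} {quote_value(value)} )"


def build_filter(criteria) -> str:
    """criteria: list of (connector, attribute, operator, value) tuples.

    The connector of the first tuple is ignored; later ones must be and/or.
    """
    parts = []
    for index, (connector, attribute, operator, value) in enumerate(criteria):
        if index > 0:
            if connector not in CONNECTORS:
                raise ValueError(f"connector must be 'and' or 'or': {connector!r}")
            parts.append(connector)
        parts.append(criterion(attribute, operator, value))
    return " ".join(parts)


# Constructed sample: the two filters shown on this page, joined with "and".
SAMPLE = [
    (None, "dstloc", "eq", "IN"),
    ("and", "receive_time", "in", "last-60-seconds"),
]

if __name__ == "__main__":
    print(build_filter(SAMPLE))
```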
Apply filters—Click Apply Filter to display log entries that match the current filter.
Delete filters—Click Clear Filter to clear the filter field.
Save a filter—Click Save Filter, enter a name for the filter, and click OK.
Use a saved filter—Click Load Filter to add a saved filter to the filter field.
Export Logs
Click Export to CSV to export all logs matched to the current filter to a CSV-formatted report and continue to Download file. By default, the report contains up to 2,000 lines of logs. To change the line limit for generated CSV reports, select Device > Setup > Management > Logging and Reporting Settings > Log Export and Reporting and enter a new Max Rows in CSV Export value.
Highlight Policy Actions
Select to highlight log entries that match
the action. The filtered logs are highlighted in the following colors:
Change the automatic refresh interval—Select an interval from the interval drop-down (60 seconds, 30 seconds, 10 seconds, or Manual).
Change the number and order of entries displayed per page—Log entries are retrieved in blocks of 10 pages.
Use the paging controls at the bottom of the page to navigate through the log list.
To change the number of log entries per page, select the number of rows from the per page drop-down (20, 30, 40, 50, 75, or 100).
To sort the results in ascending or descending order, use the ASC or DESC drop-down.
Resolve IP addresses to domain names—Select Resolve Hostname to begin resolving external IP addresses to domain names.
Change the order in which logs are displayed—Select DESC to display logs in descending order beginning with log entries with the most recent Receive Time. Select ASC to display logs in ascending order beginning with log entries with the oldest Receive Time.
View Details for Individual Log Entries
To view information about individual log entries:
To display additional details, click Details for an entry. If the source or destination has an IP address to domain or username mapping defined in the Addresses page, the name is presented instead of the IP address. To view the associated IP address, move your cursor over the name.
On a firewall with an active AutoFocus license, hover next
to an IP address, filename, URL, user agent, threat name, or hash
contained in a log entry and click the drop-down (