Configure Log Forwarding
Focus
Focus

Configure Log Forwarding

Table of Contents
End-of-Life (EoL)

Configure Log Forwarding

In an environment where you use multiple firewalls to control and analyze network traffic, any single firewall can display logs and reports only for the traffic it monitors. Because logging in to multiple firewalls can make monitoring a cumbersome task, you can more efficiently achieve global visibility into network activity by forwarding the logs from all firewalls to Panorama or external services. If you Use External Services for Monitoring, the firewall automatically converts the logs to the necessary format: syslog messages, SNMP traps, email notifications, or as an HTTP payload to send the log details to an HTTP(S) server. In cases where some teams in your organization can achieve greater efficiency by monitoring only the logs that are relevant to their operations, you can create forwarding filters based on any log attributes (such as threat type or source user). For example, a security operations analyst who investigates malware attacks might be interested only in Threat logs with the type attribute set to wildfire-virus.
Log forwarding is supported only for supported log fields. Forwarding logs that contain unsupported log fields or pseudo-fields causes the firewall to crash.
You can forward logs from the firewalls directly to external services or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.
You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the PA-7000 Series firewall, it does not support these options. You can also use the web interface on all platforms to View and Manage Reports, but only on a per log type basis, not for the entire log database.
  1. Configure a server profile for each external service that will receive log information.
    You can use separate profiles to send different sets of logs, filtered by log attributes, to a different server. To increase availability, define multiple servers in a single profile.
    Configure one or more of the following server profiles:
    • (
      Required for SMTP over TLS
      ) If you have not already done so, create a certificate profile for the email server.
    • 2 To enable the SNMP manager (trap server) to interpret firewall traps, you must load the Palo Alto Networks Supported MIBs into the SNMP manager and, if necessary, compile them. For details, refer to your SNMP management software documentation.
    • If the syslog server requires client authentication, you must also 5
    • Configure an HTTP server profile (see Forward Logs to an HTTP/S Destination).
  2. Create a Log Forwarding profile.
    The profile defines the destinations for Traffic, Threat, WildFire Submission, URL Filtering, Data Filtering, Tunnel and Authentication logs.
    1. Select
      Objects
      Log Forwarding
      and
      Add
      a profile.
    2. Enter a
      Name
      to identify the profile.
      If you want the firewall to automatically assign the profile to new security rules and zones, enter
      default
      . If you don’t want a default profile, or you want to override an existing default profile, enter a
      Name
      that will help you identify the profile when assigning it to security rules and zones.
      If no log forwarding profile named
      default
      exists, the profile selection is set to
      None
      by default in new security rules (
      Log Forwarding
      field) and new security zones (
      Log Setting
      field), although you can change the selection.
    3. Add
      one or more match list profiles.
      The profiles specify log query filters, forwarding destinations, and automatic actions such as tagging. For each match list profile:
      1. Enter a
        Name
        to identify the profile.
      2. Select the
        Log Type
        .
      3. In the
        Filter
        drop-down, select
        Filter Builder
        . Specify the following and then
        Add
        each query:
        • Connector
          logic (and/or)
        • Log
          Attribute
        • Operator
          to define inclusion or exclusion logic
        • Attribute
          Value
          for the query to match
      4. Select
        Panorama
        if you want to forward logs to Log Collectors or the Panorama management server.
      5. For each type of external service that you use for monitoring (SNMP, Email, Syslog, and HTTP),
        Add
        one or more server profiles.
    4. (
      Optional, GlobalProtect Only
      ) If you are using a log forwarding profile with a security policy to automatically quarantine a device using GlobalProtect, select
      Quarantine
      in the
      Built-in Actions
      area.
    5. Click
      OK
      to save the Log Forwarding profile.
  3. Assign the Log Forwarding profile to policy rules and network zones.
    Security, Authentication, and DoS Protection rules support log forwarding. In this example, you assign the profile to a Security rule.
    Perform the following steps for each rule that you want to trigger log forwarding:
    1. Select
      Policies
      Security
      and edit the rule.
    2. Select
      Actions
      and select the
      Log Forwarding
      profile you created.
    3. Set the
      Profile Type
      to
      Profiles
      or
      Group
      , and then select the security profiles or
      Group Profile
      required to trigger log generation and forwarding for:
      • Threat logs—Traffic must match any security profile assigned to the rule.
      • WildFire Submission logs—Traffic must match a WildFire Analysis profile assigned to the rule.
    4. For Traffic logs, select
      Log At Session Start
      and/or
      Log At Session End
      .
    5. Click
      OK
      to save the rule.
  4. Configure the destinations for System, Configuration, Correlation, GlobalProtect, HIP Match, and User-ID logs.
    Panorama generates Correlation logs based on the firewall logs it receives, rather than aggregating Correlation logs from firewalls.
    1. Select
      Device
      Log Settings
      .
    2. For each log type that the firewall will forward, see Step Add one or more match list profiles.
  5. (
    PA-7000 Series firewalls only
    ) Configure a log card interface to perform log forwarding.
    1. Select
      Network
      Interfaces
      Ethernet
      and click
      Add Interface
      .
    2. Select the
      Slot
      and
      Interface Name
      .
    3. Set the
      Interface Type
      to
      Log Card
      .
    4. Enter the
      IP Address
      ,
      Default Gateway
      , and (
      for IPv4 only
      )
      Netmask
      .
    5. Select
      Advanced
      and specify the
      Link Speed
      ,
      Link Duplex
      , and
      Link State
      .
      These fields default to
      auto
      , which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommended
      Link Speed
      for any connection is
      1000
      (Mbps).
    6. Click
      OK
      to save your changes.
  6. Commit and verify your changes.
    1. Commit
      your changes.
    2. Verify the log destinations you configured are receiving firewall logs:

Recommended For You