Enhanced Application Logs for Palo Alto Networks Cloud Services
The firewall can collect data that increases visibility into network activity for Palo Alto Networks apps and services, like Cortex XDR. These enhanced application logs are designed strictly for Palo Alto Networks apps and services to consume and process; you cannot view enhanced application logs on the firewall or Panorama. Only firewalls sending logs to Strata Logging Service can generate enhanced application logs.

Examples of the types of data that enhanced application logs gather include records of DNS queries, the HTTP header User-Agent field that specifies the web browser or tool used to access a URL, and information about DHCP automatic IP address assignment. With DHCP information, for example, Cortex XDR™ can alert on unusual activity based on hostname instead of IP address. This allows the security analyst using Cortex XDR to meaningfully assess whether the user’s activity is within the scope of his or her role, and if not, to more quickly take action to stop the activity.

To benefit from the most comprehensive set of enhanced application logs, you should enable User-ID; deployments of the Windows-based User-ID agent and the PAN-OS integrated User-ID agent both collect some data that is not reflected in the firewall User-ID logs but that is useful for associating network activity with specific users.

To start forwarding enhanced application logs to Strata Logging Service, turn on enhanced application logging globally, and then enable it on a per-security-rule basis (using a Log Forwarding profile). The global setting is required and captures data for traffic that is not session-based (ARP requests, for example). The per-security-policy-rule setting is strongly recommended; the majority of enhanced application logs are gathered from the session-based traffic that your security policy rules enforce.
- Enhanced application logging requires a Strata Logging Service subscription; User-ID is also recommended. Here are steps to get started with Strata Logging Service and enable User-ID. To enable enhanced application logging on the firewall, select Device > Setup > Management > Cloud Logging and edit the Cloud Logging Settings. Then continue to enable enhanced application logging for the security policy rules that control the traffic into which you want extended visibility.
- Select Objects > Log Forwarding and Add or modify a Log Forwarding profile. Update the profile to Enable enhanced application logs in cloud logging (including traffic and url logs). Notice that when you enable enhanced application logging in a Log Forwarding profile, match lists that specify the log types required for enhanced application logging are automatically added to the profile. Click OK to save the profile, and update as many profiles as needed. Ensure that the Log Forwarding profile you’ve updated is attached to a security policy rule, so that log generation and forwarding are triggered for the traffic matched to the rule.
- Select Policies > Security to view the profiles attached to each security policy rule.
- To update the Log Forwarding profile attached to a rule, Add or edit the rule, select Policies > Security > Actions > Log Forwarding, and select the Log Forwarding profile enabled with enhanced application logging.
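The last two steps are easy to get wrong at scale: a profile can be enabled for enhanced application logging and still not be attached to the rules that matter. As an added example (not Palo Alto Networks' documentation or product code), the following Python script audits an exported PAN-OS configuration offline and reports, per security rule, whether it references a Log Forwarding profile that has enhanced application logging enabled. The XML element names it looks for (`log-settings/profiles/entry` with an `enhanced-application-logging` child, and `rulebase/security/rules/entry` with a `log-setting` child) are assumptions drawn from the PAN-OS configuration schema; verify them against your own export. The embedded configuration is a constructed sample, and the global Cloud Logging setting is not checked here.

```python
"""Audit which security rules forward enhanced application logs (EAL).

Added example, not Palo Alto Networks' own code. It parses a PAN-OS style
configuration export offline. Element names are assumptions based on the
PAN-OS configuration schema: Log Forwarding profiles are expected under
log-settings/profiles/entry (vsys or shared) with an
enhanced-application-logging child, and security rules reference a
profile through a log-setting child.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: one vsys, two Log Forwarding profiles, three rules.
SAMPLE_CONFIG = """\
<config>
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <log-settings><profiles>
        <entry name="eal-to-cloud">
          <enhanced-application-logging>yes</enhanced-application-logging>
        </entry>
        <entry name="legacy-syslog">
          <enhanced-application-logging>no</enhanced-application-logging>
        </entry>
      </profiles></log-settings>
      <rulebase><security><rules>
        <entry name="allow-web"><log-setting>eal-to-cloud</log-setting></entry>
        <entry name="allow-dns"><log-setting>legacy-syslog</log-setting></entry>
        <entry name="allow-internal"/>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>
"""


def eal_profiles(root):
    """Return the names of Log Forwarding profiles with EAL enabled.

    Searches every log-settings/profiles container, so both vsys-local and
    shared profiles are covered (assumed layout, see module docstring).
    """
    names = set()
    for entry in root.findall(".//log-settings/profiles/entry"):
        flag = entry.findtext("enhanced-application-logging", default="no")
        if flag.strip().lower() == "yes":
            names.add(entry.get("name"))
    return names


def audit_rules(xml_text):
    """Map each security rule name to its EAL forwarding status."""
    root = ET.fromstring(xml_text)
    enabled = eal_profiles(root)
    report = {}
    for rule in root.findall(".//rulebase/security/rules/entry"):
        name = rule.get("name")
        profile = rule.findtext("log-setting")  # None when no profile is attached
        if profile is None:
            report[name] = "no Log Forwarding profile attached"
        elif profile in enabled:
            report[name] = "ok"
        else:
            report[name] = f"profile '{profile}' does not enable enhanced application logs"
    return report


def rules_missing_eal(xml_text):
    """Return the sorted list of rule names that do not forward EAL."""
    return sorted(r for r, s in audit_rules(xml_text).items() if s != "ok")


if __name__ == "__main__":
    for rule, status in audit_rules(SAMPLE_CONFIG).items():
        print(f"{rule}: {status}")
```

To run this against a real firewall, export the running configuration (for example from Device > Setup > Operations) and pass the file contents to `audit_rules`; rules that legitimately need no cloud logging will show up too, so treat the output as a review list rather than a hard failure.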