Focus

Enable Telemetry

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Passive DNS Monitoring

Threat Prevention Resources

Enable Telemetry

When you enable telemetry, you define what data the firewall collects and shares with Palo Alto Networks. For some telemetry settings, you can preview what the data that your firewall sends will look like before committing. The firewall uses the Palo Alto Networks Services service route to send the data you share from telemetry to Palo Alto Networks.

Select DeviceSetupTelemetry, and edit the Telemetry settings.
Select the telemetry data you want to share with Palo Alto Networks. For more specific descriptions of this data, see What Telemetry Data Does the Firewall Collect? By default, all telemetry settings are disabled.

To enable Threat Prevention Packet Captures, you must also enable Threat Prevention Data.
Open a report sample (

) to view the type of data that the firewall collects for Application Reports, Threat Prevention Reports, URL Reports, and File Type Identification Reports.
The report sample, formatted in XML, is based on your firewall activity in the first 4 hours since you first viewed the report sample. A report sample does not display any entries if the firewall did not find any matching traffic for the report. The firewall only collects new information for a report sample when you restart the firewall and open a report sample.
The figure below shows a report sample for Threat Prevention Reports:

Application Reports, Threat Prevention Reports, URL Reports, and File Type Identification Reports each consist of multiple reports. In the report sample, Type describes the name of a report. Aggregate lists the log fields that the firewall collects for the report (refer to Syslog Field Descriptions to determine the name of the fields as they appear in the firewall logs). Values indicates the units of measure used in the report (for example, the value count for the Attackers (threat) report refers to the number of times the firewall detected a threat associated with a particular threat ID).
View the type of data that the firewall collects for Product Usage Statistics.
Enter the following operational CLI command: show system info
Click OK and Commit your changes.
If you enabled Threat Prevention Data and Threat Prevention Packet Captures, view the data that the firewall collected.
1. Edit the Telemetry settings.
2. Click Download Threat Prevention Data (
  
  ) to download a tarball file (.tar.gz) with the most recent 100 folders of data that the firewall collected for Threat Prevention Data and Threat Prevention Packet Captures. If you never enabled these settings or if you enabled them but no threat events have matched the conditions for these settings, the firewall does not generate a file and instead returns an error message.
There is currently no way to view the DNS information that the firewall collects through passive DNS monitoring.