Device > Setup > Telemetry
Telemetry is the process of collecting and transmitting
data for analysis. When you enable telemetry on the firewall, the
firewall collects and forwards data that includes information on
applications, threats, device health, and passive DNS to Palo Alto
Networks. All Palo Alto Networks users benefit from the data that
each telemetry participant shares, making telemetry a community-driven
approach to threat prevention. Learn more about telemetry and its benefits.
Telemetry is an opt-in feature and, for most telemetry data,
you can preview the information that the firewall collects. Palo
Alto Networks does not share your telemetry data with other customers
or third-party organizations.
Select Device > Setup > Telemetry to choose telemetry
data to share with Palo Alto Networks. The Threat Prevention Data
and Threat Prevention Packet Captures reports provide Palo Alto
Networks more visibility into your network traffic than other telemetry
reports.
Telemetry Settings | Description |
---|---|
Report Sample | Click a report sample to view an XML-formatted report in a separate tab. The data in the report sample is based on firewall activity in the four hours since you first viewed the report sample. The firewall provides a report sample for Application, Threat Prevention, URL, and File Type Identification reports only. A report can consist of multiple reports: A report sample does not display any entries if the firewall did not find any matching traffic for the report. You can only generate a new report sample when you restart the firewall. |
Application Reports (Disabled by default) | Share the number and size of known applications grouped by destination port, unknown applications grouped by destination port, and unknown applications grouped by destination IP address. The firewall generates these reports from Traffic logs. When enabled, the firewall forwards Application Reports every 4 hours. |
Threat Prevention Reports (Disabled by default) | Share the number of threats for each source country and destination port, attacker information, and the correlation objects that threat events triggered when the firewall was collecting data for these reports. When enabled, the firewall forwards Threat Prevention Reports every 4 hours. |
URL Reports (Disabled by default) | Share reports generated from URL filtering logs with the following PAN-DB URL categories: malware, phishing, dynamic DNS, proxy-avoidance, questionable, parked, and unknown (URLs that PAN-DB has not yet categorized). The firewall also sends PAN-DB statistics at the time that the data for the URL Reports was collected. These statistics include the version of the URL filtering database on the firewall and on the PAN-DB cloud, the number of URLs in those databases, and the number of URLs that the firewall categorized. These statistics are based on the time that the firewall forwarded the URL Reports. When enabled, the firewall forwards URL Reports every 4 hours. |
File Type Identification Reports (Disabled by default) | Share reports about files that the firewall allowed or blocked based on data filtering and file blocking settings. When enabled, the firewall forwards File Type Identification Reports every 4 hours. |
Threat Prevention Data (Disabled by default) | Share logs from threat events that triggered signatures that Palo Alto Networks is evaluating. The collected information may include source or victim IP addresses. Enabling this option also allows unreleased signatures, which Palo Alto Networks is currently testing, to run in the background. These signatures do not affect your security policy rules and firewall logs and have no impact on your firewall performance. When enabled, the firewall forwards Threat Prevention Data every 5 minutes. Click Download Threat Prevention Data to download a tarball file (.tar.gz) with the most recent 100 folders of Threat Prevention Data and Threat Prevention Packet Captures that the firewall forwarded to Palo Alto Networks. If you never enabled these settings or if you enabled them but no threat events have matched the conditions for these telemetry settings, the firewall does not generate a file and instead returns an error message. |
Threat Prevention Packet Captures (Disabled by default) | Share packet captures (if you enabled your firewall to take threat packet captures) from threat events that trigger signatures that Palo Alto Networks is evaluating. The collected information may include source or victim IP addresses. When enabled, the firewall forwards Threat Prevention Packet Captures every 5 minutes. To enable Threat Prevention Packet Captures, you must also enable Threat Prevention Data. |
Product Usage Statistics (Disabled by default) | Share back traces of firewall processes that have failed, as well as information about the firewall status. Back traces outline the execution history of the failed processes. Product Usage Statistics also include details about the firewall model and the PAN-OS and content release versions installed on your firewall. To view the information that the firewall sends as Product Usage Statistics, enter the following operational CLI command: When enabled, the firewall forwards Product Usage Statistics every 5 minutes. |
Passive DNS Monitoring (Disabled by default) | Allow the firewall to act as a passive DNS sensor and send DNS information to Palo Alto Networks for analysis. The data you share through passive DNS monitoring consists solely of domain-to-IP address mappings. The Palo Alto Networks threat research team uses this information to improve PAN-DB URL category and DNS-based C2 signature accuracy and WildFire malware detection. Passive DNS monitoring is a global setting that applies to all firewall traffic. When enabled, the firewall forwards Passive DNS Monitoring data in 1MB batches. |
Select All | Enable all telemetry settings. |
Deselect All | Disable all telemetry settings. |
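
The Threat Prevention Data row notes that the downloaded tarball can contain source or victim IP addresses. The following added example (not Palo Alto Networks code) inventories such a .tar.gz offline so you can review what was shared. The archive layout, folder names, and file names used here are assumptions built into a constructed sample, because the page does not describe the tarball's internal structure.

```python
import io
import ipaddress
import re
import tarfile
from collections import defaultdict

IPV4 = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: folder names, file names and contents are assumptions.
SAMPLE = {
    "20240101_0000/threat.log": b"src=10.1.2.3 dst=203.0.113.7 sig=placeholder\n",
    "20240101_0000/capture.pcap": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20,
    "20240101_0005/threat.log": b"src=192.168.5.9 dst=198.51.100.20\n",
}

def build_sample():
    """Build the constructed archive in memory so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in SAMPLE.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf

def review_telemetry_tarball(fileobj):
    """Per top-level folder: file count, pcap count, and IPv4 addresses in non-pcap files."""
    summary = defaultdict(lambda: {"files": 0, "pcaps": 0, "internal_ips": set(), "external_ips": set()})
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            entry = summary[member.name.removeprefix("./").split("/", 1)[0]]
            entry["files"] += 1
            if member.name.endswith((".pcap", ".pcapng")):
                entry["pcaps"] += 1  # binary capture: count it, review with a pcap tool
                continue
            for raw in IPV4.findall(tar.extractfile(member).read()):
                try:
                    ip = ipaddress.ip_address(raw.decode())
                except ValueError:  # e.g. 999.1.1.1 matches the pattern but is not an address
                    continue
                kind = "internal_ips" if any(ip in net for net in RFC1918) else "external_ips"
                entry[kind].add(str(ip))
    return dict(summary)

if __name__ == "__main__":
    for folder, entry in sorted(review_telemetry_tarball(build_sample()).items()):
        print(folder, entry)
```

To review a real download, pass `open(path, "rb")` instead of `build_sample()`. Addresses in the RFC 1918 ranges are reported as internal so that exposure of your own hosts stands out.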