View ZTNA Connector Logs
Focus
Focus
Prisma Access

View ZTNA Connector Logs

Table of Contents

View ZTNA Connector Logs

View ZTNA Connector logs in Prisma Access.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Prisma Access 5.2.0
  • ZTNA Connector add-on license
    The Essential license with the add-on license includes 8 ZTNA Connectors, 100 FQDNs, and 4 IP subnet functionality.
    The Advanced license with the add-on license includes 40 ZTNA Connectors, 300 FQDNs, and 1024 IP subnet functionality.
    The Premium license with the add-on license includes 200 ZTNA Connectors, 4000 FQDNs, and 1024 IP subnet functionality.
  • If you don't purchase the ZTNA Connector add-on license, Prisma Access licenses include four connectors, 40 FQDNs, and four IP subnets. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment.
All ZTNA Connector traffic is logged to the Strata Logging Service. To store Prisma Access logs in Strata Logging Service, you must estimate and purchase the appropriate amount of log storage in Strata Logging Service. We recommend that you increase the percentage of your total Strata Logging Service capacity storage by 10% to store ZTNA Connector logs.
Make sure that you’ve configured a Log Forwarding profile that forwards the desired log types to Strata Logging Service. Strata Logging Service will send an email notification to purchase more storage when the log storage quota reaches 90%. If you don’t purchase more storage, the older logs will be purged.
Regardless of the management interface you’re using for Prisma Access—Panorama or Cloud Management—you can view your logs in Prisma Access (Managed by Strata Cloud Manager) under Incidents & AlertsLog Viewer.
ZTNA Connector provides the following Network logs.
  • Audit Logs - are available through the Prisma SASE Platform and provide records of administrators' configuration changes in the ZTNA Connector. You can use these logs for the compliance and troubleshooting purpose.
    You might filter the audit logs by time range, site, device, and type. The Audit logs provide the following details:
    • Number of attempted logins to an enterprise portal by a specific user from a particular IP address.
    • Whether an application or application Connector is onboarded or deleted.
    • When a Connector upgrade is scheduled.
    • View of all system changes and access attempted.
    ZTNA Connector Audit logs aren’t available in the Prisma Access web interface. To view Audit logs, you must open a Support case with Palo Alto Networks Technical Support.
  • Traffic logs - display an entry for the start and end of each session. Each entry includes the date and time, source and destination zones, addresses and ports, application name, security rule name applied to the flow, rule action (allow, deny, or drop), ingress and egress interface, number of bytes, and session end reason.
    • The Type column indicates whether the entry is for the start or end of the session.
    • The Action column indicates whether the firewall allowed, denied, or dropped the session.
    • A drop indicates the security rule that blocked the traffic specified any application, while a deny indicates the rule identified a specific application.
    • If the firewall drops traffic before identifying the application, such as when a rule drops all traffic for a specific service, the Application column displays not-applicable.
    • The App-ID for a ZTNA Connector is the custom App-ID.
    • If the traffic hits the Mobile User Gateway, Destination Address column displays the RFC 6598 IP address.
  • Config logs - display entries for changes to the ZTNA Connector configuration. Each entry includes the date and time, the administrator's username, the IP address from where the administrator made a change, the type of client, the type of command executed, the command status (succeeded or failed), the configuration path, and the values before and after the change.

View ZTNA Connector Logs (Strata Cloud Manager)

View ZTNA Connector logs in Cloud Management.
Use the following workflow to view ZTNA Connector logs in Cloud Managed Prisma Access.
  1. Log in to Prisma Access (Managed by Strata Cloud Manager).
  2. Select Incidents & AlertsLog Viewer.
  3. Select the type of log you want to view: Audit, Firewall/Traffic, and Configuration logs.
  4. Select a time range for which you want to view logs.
  5. Provide this query string to narrow down the list of ZTNA Connector logs: Subtype = 'netflow' AND Device Name = 'PA_CONN' .
    The logs include the following details:
    • Timestamp
    • Connector Name
    • Original source IP address of the client
    • Original source port of the client
    • Translated IP address of the Connector
    • Translated port of the Connector
    • Translated destination IP address
    • Translated destination port

View ZTNA Connector Logs (Panorama)

View ZTNA Connector logs in Panorama Managed interface.
Use the following workflow to view ZTNA Connector logs in Prisma Access (Managed by Panorama) Access.
  1. Log in to Prisma Access.
  2. Select MonitorLogs.
  3. Select a log type from the list: Audit, Traffic, and Config logs.
  4. Click the arrow to the right of any column header, and select Columns.
  5. Select columns to display from the list. The log updates automatically to match your selections.
  6. Click the spyglass icon for a specific log entry. The Detailed Log View has more information about the source and destination of the session, as well as a list of sessions related to the log entry.