Configure Policies for Log Forwarding

Enable log forwarding so that the firewall sends Enhanced Application logs (EALs) to the logging service.
Enable log forwarding so that the firewall sends Enhanced Application logs (EALs) to the Palo Alto Networks cloud-based logging service. IoT Security then fetches metadata from there for analysis.
Configure an Interzone Policy
If the VLAN interfaces are set in different L3 security zones from the Ethernet interfaces with which they’re paired, Security policy rules must be configured for the solution to work. The figure below shows example rules when multiple VLAN interfaces have been configured to support multiple Ethernet interfaces.
Policy rule 1: This policy rule allows relayed unicast DHCP messages from the zones assigned to interfaces ethernet1/1 - ethernet1/3 to the DHCP zone. In addition, enable log forwarding and choose the log-forwarding profile you previously created to send EALs for this traffic to the logging service.
If you name the log forwarding profile “default” (all lowercase), the firewall automatically applies it to new Security policy rules when they’re created, including rules imported from IoT Security. This saves time and effort when importing Security policy rule recommendations from IoT Security: because imported rule recommendations don’t include a log forwarding profile, you would otherwise have to add one manually to each rule after importing it. Naming the profile “default” avoids that step. (Note that the “default” log forwarding profile is applied only when new Security policy rules are added; it is not retroactively applied to existing rules.)
Policy rule 2: This rule allows ping (ICMP echo requests) from the VLAN interfaces in the DHCP zone to networks configured on ethernet1/1 - ethernet1/3.
Policy rule 3: This rule allows ping from the IP addresses assigned to ethernet1/1 - ethernet1/3 to VLAN interfaces configured in the DHCP zone.
Configure an Intrazone Policy
You must override the logging and log forwarding settings in the default intrazone policy rule so that the firewall will forward logs to the logging service.
If the interface hosting the DHCP server is in the same zone as the interface your clients are on, the default intrazone policy rule applies to this traffic, which, by default, allows all traffic within this zone but does not have logging and log forwarding enabled. Therefore, you must override this by enabling log forwarding on your default intrazone policy rule.
Even for cases where the DHCP server is in a different zone from the DHCP clients and an interzone policy is applied to their DHCP traffic, we still recommend that you enable log forwarding on the default intrazone policy rule to capture the enhanced application logs for traffic within that zone.
  1. Click Policies > Security, select intrazone-default, and then click Override.
    The Security Policy Rule configuration window appears.
  2. Click Actions, select Log at Session End, choose the log forwarding profile you just configured from the Log Forwarding drop-down list, and then click OK.
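Every setting on this page is a per-rule option, so a single rule without the profile, or a never-overridden intrazone-default, silently drops EALs for that traffic. The following audit script is an added example (not from this page or Palo Alto Networks): it reads a running config in the shape of a PAN-OS XML export (sample constructed here; the element names log-end and log-setting are assumed to be the keys behind "Log at Session End" and "Log Forwarding") and reports every rule that would not forward EALs to the logging service.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS running config. Rule names
# mirror the three interzone rules described on this page; only rule 1 is
# complete, and intrazone-default has not been overridden for logging.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase>
<security><rules>
 <entry name="rule1-dhcp-relay"><from><member>zone-eth1</member></from>
  <to><member>dhcp-zone</member></to><application><member>dhcp</member></application>
  <action>allow</action><log-end>yes</log-end><log-setting>default</log-setting></entry>
 <entry name="rule2-ping-to-clients"><from><member>dhcp-zone</member></from>
  <to><member>zone-eth1</member></to><application><member>ping</member></application>
  <action>allow</action><log-end>yes</log-end></entry>
 <entry name="rule3-ping-to-vlan"><from><member>zone-eth1</member></from>
  <to><member>dhcp-zone</member></to><application><member>ping</member></application>
  <action>allow</action><log-end>no</log-end><log-setting>default</log-setting></entry>
</rules></security>
<default-security-rules><rules>
 <entry name="intrazone-default"><action>allow</action></entry>
</rules></default-security-rules>
</rulebase></entry></vsys></entry></devices></config>"""


def audit_log_forwarding(config_xml: str, profile: str = "default") -> dict:
    """Return {rule_name: [problems]} for every Security policy rule, including
    the intrazone-default override, that would not send EALs to the logging
    service. Rules that pass are omitted from the result."""
    root = ET.fromstring(config_xml)
    findings = {}
    rules = root.findall(".//rulebase/security/rules/entry")
    defaults = root.findall(".//rulebase/default-security-rules/rules/entry")
    # No intrazone-default entry under default-security-rules means the
    # built-in rule was never overridden, so it keeps its no-logging default.
    if not any(e.get("name") == "intrazone-default" for e in defaults):
        findings["intrazone-default"] = ["not overridden: logging and forwarding disabled"]
    for entry in rules + defaults:
        problems = []
        if entry.findtext("log-end") != "yes":
            problems.append("log-end is not explicitly 'yes'")
        if entry.findtext("log-setting") != profile:
            problems.append(f"log forwarding profile '{profile}' not attached")
        if problems:
            findings[entry.get("name")] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_log_forwarding(SAMPLE_CONFIG).items():
        print(f"{name}: {'; '.join(problems)}")
```

Run it against an export from `show config running` (or the XML API) after committing; an empty result means every rule, and the overridden intrazone-default, carries the profile.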