Policy Object: Log Forwarding
Focus
Focus
Network Security

Policy Object: Log Forwarding

Table of Contents

Policy Object: Log Forwarding

Use a Log Forwarding profile to centrally monitor log information
Where Can I Use This?What Do I Need?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
Check for any license or role requirements for the products you're using.
By default, the logs that get generated reside only in its local storage. However, you can use Panorama™, Strata Logging Service, or external services (such as a syslog server) to centrally monitor log information by defining a Log Forwarding profile and assigning that profile to Security, Authentication, DoS Protection, and Tunnel Inspection security rules. Log Forwarding profiles define forwarding destinations for the following log types: Authentication, Data Filtering, GTP, SCTP, Threat, Traffic, Tunnel, URL Filtering, and WildFire® Submissions logs.
Forward logs to Panorama or to external storage for many reasons, including: compliance, redundancy, running analytics, centralized monitoring, and reviewing threat behaviors and long-term patterns. In addition, the log storage capacity is limited and the oldest logs are deleted as and when the storage space fills up. Be sure to forward Threat logs and WildFire logs.
To enable a PA-7000 Series to forward logs or forward files to WildFire®, you must first configure a Log Card Interface on the PA-7000 Series. As soon as you configure this interface, this port is automatically used—there is no special configuration required. Just configure a data port on one of the PA-7000 Series Network Processing Cards (NPCs) as a Log Card interface type and ensure that the network that you use can communicate with your log servers. For WildFire forwarding, the network must communicate successfully with the WildFire cloud or WF-500 appliance (or both).

Configure a Log Forwarding Profile

Configure a Log Forwarding Profile (Strata Cloud Manager)

Use a Log Forwarding profile to centrally monitor log information
Follow these steps to configure a Log Forwarding profile.
  1. Go to ManageConfigurationNGFW and Prisma AccessObjectsLog Forwarding.
  2. Select Add Log Forwarding Profile.
  3. Configure the settings in this table:
    Log Forwarding Profile Settings
    Description
    Name
    Enter a name (up to 64 characters) to identify the profile. This name appears in the list of Log Forwarding profiles when defining Security rules. The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.
    Description
    Enter a description to explain the purpose of this Log Forwarding profile.
    Match List (unlabeled)
    Add one or more match list profiles (up to 64) that specify forwarding destinations, log attribute-based filters to control which logs are forwarded, and actions to perform on the logs (such as automatic tagging). Complete the following two fields (Name and Description) for each match list profile.
    Name (match list profile)
    Enter a name (up to 31 characters) to identify the match list profile.
    Description (match list profile)
    Enter a description (up to 1,023 characters) to explain the purpose of this match list profile.
    Log Type
    Select the type of logs to which this match list profile applies: authentication (auth), data, gtp, sctp, threat, traffic, tunnel, URL, or WildFire.
    Filter
    By default, All Logs of the selected Log Type are forwarded. To forward a subset of the logs, select an existing filter from the drop-down or select Filter Builder to add a new filter. For each query in a new filter, specify the following fields and Add the query:
    • Connector—Select the connector logic (and/or) for the query. Select Negate if you want to apply negation to the logic. For example, to avoid forwarding logs from an untrusted zone, select Negate, select Zone as the Attribute, select equal as the Operator, and enter the name of the untrusted zone in the Value column.
    • Attribute—Select a log attribute. The available attributes depend on the Log Type.
    • Operator—Select the criterion to determine whether the attribute applies (such as equal). The available criteria depend on the Log Type.
    • Value—Specify the attribute value to match.
    To display or export the logs that the filter matches, View Filtered Logs, which provides the same options as the Monitoring tab pages (such as MonitoringLogsTraffic).
    SNMP
    Add one or more SNMP Trap server profiles to forward logs as SNMP traps.
    Email
    Add one or more Email server profiles to forward logs as email notifications.
    Syslog
    Add one or more Syslog server profiles to forward logs as syslog messages.
    HTTP
    Add one or more HTTP server profiles to forward logs as HTTP requests.
    Built-in Actions
    You can select from two types of built-in actions when you Add an action to perform—Tagging and Integration.
    • Tagging—Add or remove a tag to the source or destination IP address in a log entry automatically and register the IP address and tag mapping to a User-ID agent on Panorama, or to a remote User-ID agent so that you can respond to an event and dynamically enforce Security policy. The ability to tag an IP address and dynamically enforce policy using Dynamic Address Groups gives you better visibility, context, and control for consistently enforcing Security policy irrespective of where the IP address moves across your network.
      Configure the following settings:
      • Add an action and enter a name to describe it.
      • Select the target IP address you want to tag—Source Address or Destination Address.
      You can take an action for all log types that include a source or destination IP address in the log entry. You can tag the source IP address only in Correlation logs and HIP Match logs; you can't configure an action for system logs and configuration logs because the log type does not include an IP address in the log entry.
      • Select the action—Add Tag or Remove Tag.
      • Select whether to register the IP address and tag mapping to the Local User-ID agent, or to a Remote User-ID agent.
      • To register the IP address and tag mapping to a Remote User-ID agent, select the HTTP server profile that will enable forwarding.
      • Configure the IP-Tag Timeout to set, in minutes, the amount of time that IP address-to-tag mapping is maintained. Setting the timeout to 0 means that the IP-Tag mapping does not timeout (range is 0 to 43200 (30 days); default is 0).
        You can only configure a timeout with the Add Tag action.
      • Enter or select the Tags you want to apply or remove from the target source or destination IP address.
    • Integration—Only available on the VM-Series on Azure. This option allows you to forward the selected logs to the Azure Security Center using the Azure-Security-Center-Integration action.
    To add a device to the quarantine list based on the Log Forwarding profile filter, select Quarantine.
  4. Save your configuration.
  5. Select Push Config to save your configuration and deploy it to your network.

Configure a Log Forwarding Profile (PAN-OS & Panorama)

Use a Log Forwarding profile to centrally monitor log information
Follow these steps to configure a Log Forwarding profile.
  1. Go to ObjectsLog Forwarding.
  2. Add a Log Forwarding profile.
  3. Configure the settings in this table:
    Log Forwarding Profile Settings
    Description
    Name
    Enter a name (up to 64 characters) to identify the profile. This name appears in the list of Log Forwarding profiles when defining Security rules. The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.
    Shared (Panorama only)
    Select this option if you want the profile to be available to:
    • Every virtual system (vsys) on a multi-vsys—If you disable (clear) this option, the profile is available only to the Virtual System selected in the Objects tab.
    • Every device group on Panorama—If you disable (clear) this option, the profile is available only to the Device Group selected in the Objects tab.
    Enable enhanced application logs to cloud logging (including traffic and url logs) (Panorama only)
    Enhanced Application logs for Palo Alto Networks Cloud Services is available with a Strata Logging Service subscription. Enhanced application logging allows you to collect data specifically intended to increase visibility into network activity for apps running in the Palo Alto Networks Cloud Services environment.
    Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this Log Forwarding profile in device groups that inherit the profile. This selection is disabled (cleared) by default, which means administrators can override the settings for any device group that inherits the profile.
    Description
    Enter a description to explain the purpose of this Log Forwarding profile.
    Match List (unlabeled)
    Add one or more match list profiles (up to 64) that specify forwarding destinations, log attribute-based filters to control which logs are forwarded, and actions to perform on the logs (such as automatic tagging). Complete the following two fields (Name and Description) for each match list profile.
    Name (match list profile)
    Enter a name (up to 31 characters) to identify the match list profile.
    Description (match list profile)
    Enter a description (up to 1,023 characters) to explain the purpose of this match list profile.
    Log Type
    Select the type of logs to which this match list profile applies: authentication (auth), data, gtp, sctp, threat, traffic, tunnel, URL, or WildFire.
    Filter
    By default, All Logs of the selected Log Type are forwarded. To forward a subset of the logs, select an existing filter from the drop-down or select Filter Builder to add a new filter. For each query in a new filter, specify the following fields and Add the query:
    • Connector—Select the connector logic (and/or) for the query. Select Negate if you want to apply negation to the logic. For example, to avoid forwarding logs from an untrusted zone, select Negate, select Zone as the Attribute, select equal as the Operator, and enter the name of the untrusted zone in the Value column.
    • Attribute—Select a log attribute. The available attributes depend on the Log Type.
    • Operator—Select the criterion to determine whether the attribute applies (such as equal). The available criteria depend on the Log Type.
    • Value—Specify the attribute value to match.
    To display or export the logs that the filter matches, View Filtered Logs, which provides the same options as the Monitoring tab pages (such as MonitoringLogsTraffic).
    Panorama
    Panorama/Cloud Logging (Panorama only)
    Select Panorama if you want to forward logs to log collectors or the Panorama management server or to forward logs to Strata Logging Service.
    If you enable this option, you must configure log forwarding to Panorama.
    To use Strata Logging Service, you must also enable the Cloud Logging.
    SNMP
    Add one or more SNMP Trap server profiles to forward logs as SNMP traps.
    Email
    Add one or more Email server profiles to forward logs as email notifications.
    Syslog
    Add one or more Syslog server profiles to forward logs as syslog messages.
    HTTP
    Add one or more HTTP server profiles to forward logs as HTTP requests.
    Built-in Actions
    You can select from two types of built-in actions when you Add an action to perform—Tagging and Integration.
    • Tagging—Add or remove a tag to the source or destination IP address in a log entry automatically and register the IP address and tag mapping to a User-ID agent on Panorama, or to a remote User-ID agent so that you can respond to an event and dynamically enforce Security policy. The ability to tag an IP address and dynamically enforce policy using Dynamic Address Groups gives you better visibility, context, and control for consistently enforcing Security policy irrespective of where the IP address moves across your network.
      Configure the following settings:
      • Add an action and enter a name to describe it.
      • Select the target IP address you want to tag—Source Address or Destination Address.
      You can take an action for all log types that include a source or destination IP address in the log entry. You can tag the source IP address only in Correlation logs and HIP Match logs; you can't configure an action for system logs and configuration logs because the log type does not include an IP address in the log entry.
      • Select the action—Add Tag or Remove Tag.
      • Select whether to register the IP address and tag mapping to the Local User-ID agent, or to a Remote User-ID agent.
      • To register the IP address and tag mapping to a Remote User-ID agent, select the HTTP server profile that will enable forwarding.
      • Configure the IP-Tag Timeout to set, in minutes, the amount of time that IP address-to-tag mapping is maintained. Setting the timeout to 0 means that the IP-Tag mapping does not timeout (range is 0 to 43200 (30 days); default is 0).
        You can only configure a timeout with the Add Tag action.
      • Enter or select the Tags you want to apply or remove from the target source or destination IP address.
    • Integration—Only available on the VM-Series on Azure. This option allows you to forward the selected logs to the Azure Security Center using the Azure-Security-Center-Integration action.
    To add a device to the quarantine list based on the Log Forwarding profile filter, select Quarantine.
  4. Select OK to save your configuration.
  5. Commit the configuration.