Focus

Next-Generation Firewall

View IMA Logs

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1 (EoL)
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Configure Software Integrity Checks

Authentication

View IMA Logs

Review IMA logs for violations and warnings, including for executables.

Where Can I Use This?	What Do I Need?
NGFW	PAN-OS 12.1 and later

With IMA in enforcement mode, any attempts to modify PAN-OS binaries are blocked. Attempts to execute an unknown file not signed by Palo Alto Networks are also blocked. This prevents malware from executing or modifying PAN-OS.

Logs generated by IMA might indicate attacker activity or false positives. This will generate logs of critical severity, and you can view these logs to determine if you need to take additional action.

Select MonitorLogsSystem.
Identify logs with an EventID of ima (eventid eq ima).
The description column displays a denial message indicating that an executable file was blocked from running. Review the key fields for additional information.
- pid: The numeric identifier of the process performing an operation on a system file.
- subj: The third component of this field indicates the type of the process performing the operation.
- op: Specifies the operation performed on a system file.
- cause: Indicates that the operation failed and why it failed.
- name: Refers to the full path of the system file on which the operation was performed.
For example, the following log indicates that an appraisal operation (op=appraise_data) was performed on the file /var/cache/pan/device/frr/frr_start_syslog_ng.sh. The process that triggered this appraisal was initiated by the sh command and has PID 2959 and type panw_routed_t. The appraisal failed (cause=IMA-signature-required) because an IMA signature was required but missing or invalid, possibly due to file tampering. This failure resulted in access to the file being blocked because IMA is in enforcement mode.
type=INTEGRITY_DATA msg=audit(1731707334.275:106): pid=2959 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:panw_routed_t:s0 op=appraise_data cause=IMA-signature-required comm="sh" name="/var/cache/pan/device/frr/frr_start_syslog_ng.sh" dev="nvme0n1p2" ino=803911 res=0 errno=0
Your incident response (IR) or forensics team should review these logs for further action. You can also report the issue on the Customer Support Portal (CSP). Be sure to include the entire IMA log message including the timestamp. It is also recommended to generate and export the technical support file (TSF) immediately, and provide it with the support case.

Configure Software Integrity Checks

Authentication

Next-Generation Firewall Docs

View IMA Logs

Next-Generation Firewall Docs

View IMA Logs

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner