View IMA Logs
Review IMA logs for violations and warnings, including for executables.
Where Can I Use This?
  • NGFW
What Do I Need?
  • PAN-OS 12.1 and later
With IMA in enforcement mode, any attempts to modify PAN-OS binaries are blocked. Attempts to execute an unknown file not signed by Palo Alto Networks are also blocked. This prevents malware from executing or modifying PAN-OS.
Logs generated by IMA might indicate attacker activity or false positives. IMA denials generate system logs of critical severity; review these logs to determine whether you need to take additional action.
  1. Select Monitor > Logs > System.
  2. Identify logs with an EventID of ima (eventid eq ima).
    The description column displays a denial message indicating that an executable file was blocked from running. Review the key fields for additional information.
    • pid: The numeric identifier of the process performing an operation on a system file.
    • subj: The third component of this field indicates the type of the process performing the operation.
    • op: Specifies the operation performed on a system file.
    • cause: Indicates that the operation failed and why it failed.
    • name: Refers to the full path of the system file on which the operation was performed.
    For example, the following log indicates that an appraisal operation (op=appraise_data) was performed on the file /var/cache/pan/device/frr/frr_start_syslog_ng.sh. The process that triggered this appraisal was initiated by the sh command and has PID 2959 and type panw_routed_t. The appraisal failed (cause=IMA-signature-required) because an IMA signature was required but missing or invalid, possibly due to file tampering. This failure resulted in access to the file being blocked because IMA is in enforcement mode.
    type=INTEGRITY_DATA msg=audit(1731707334.275:106): pid=2959 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:panw_routed_t:s0 op=appraise_data cause=IMA-signature-required comm="sh" name="/var/cache/pan/device/frr/frr_start_syslog_ng.sh" dev="nvme0n1p2" ino=803911 res=0 errno=0
  3. Your incident response (IR) or forensics team should review these logs for further action. You can also report the issue on the Customer Support Portal (CSP). Be sure to include the entire IMA log message including the timestamp. It is also recommended to generate and export the technical support file (TSF) immediately, and provide it with the support case.
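As an added example (not part of the original page and not PAN-OS code), a Python parser for the audit-record format shown above that extracts the key fields (pid, the process type from subj, op, cause, name) and builds a one-line triage summary for the IR handoff; the sample record is constructed from the one in step 2.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the format shown above (not a record from a real device).
SAMPLE_LOG = (
    'type=INTEGRITY_DATA msg=audit(1731707334.275:106): pid=2959 uid=0 '
    'auid=4294967295 ses=4294967295 subj=system_u:system_r:panw_routed_t:s0 '
    'op=appraise_data cause=IMA-signature-required comm="sh" '
    'name="/var/cache/pan/device/frr/frr_start_syslog_ng.sh" '
    'dev="nvme0n1p2" ino=803911 res=0 errno=0'
)

# key=value pairs; the value is either double-quoted (may contain spaces) or bare.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The audit header carries the epoch timestamp and a per-boot record serial.
_MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_ima_log(line):
    """Split one IMA audit record into the key fields listed in step 2."""
    fields = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        fields[key] = bare if bare else quoted
    hdr = _MSG_RE.search(line)
    if hdr is None:
        raise ValueError("not an audit record: missing msg=audit(...)")
    fields["timestamp"] = datetime.fromtimestamp(
        float(hdr.group(1)), tz=timezone.utc).isoformat()
    fields["serial"] = int(hdr.group(2))
    # subj is an SELinux context user:role:type:level; the third part is the process type.
    parts = fields.get("subj", "").split(":")
    fields["proc_type"] = parts[2] if len(parts) >= 3 else None
    return fields


def is_ima_denial(fields):
    """A cause field means the operation failed and, in enforcement mode, was blocked."""
    return fields.get("type") == "INTEGRITY_DATA" and "cause" in fields


def triage_line(fields):
    """One-line summary for the IR handoff; the full record still goes in the support case."""
    if not is_ima_denial(fields):
        return None
    return (f'{fields["timestamp"]} blocked {fields.get("op")} on {fields.get("name")} '
            f'by {fields.get("comm")} (pid {fields.get("pid")}, type {fields["proc_type"]}): '
            f'{fields["cause"]}')


if __name__ == "__main__":
    print(triage_line(parse_ima_log(SAMPLE_LOG)))
```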