Learn how to assess the network traffic for your NGFWs.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| NGFW (Cloud Managed)<br>NGFW (PAN-OS or Panorama Managed) | AIOps for NGFW Premium (for Strata Cloud Manager) |
Now that you have a basic security policy, you can review the statistics and data,
traffic logs, and the threat logs to observe trends on your network. Use this
information to identify where you need to create more granular security policy
rules.
Cloud Management
Assess network traffic in your cloud managed NGFWs.
You can learn more about monitoring your cloud managed Next-Generation Firewalls here.
You can learn more about reviewing incidents and alerts for your cloud managed Next-Generation Firewalls here.
PAN-OS & Panorama
Learn how to assess network traffic in your PAN-OS and Panorama managed firewalls.
- Use the Application Command Center (ACC) and the Automated Correlation Engine.
In the ACC, review the most used applications and the high-risk applications
on your network. The ACC graphically summarizes the log information to
highlight the applications traversing the network, who is using them (with
User-ID enabled), and the
potential security impact of the content to help you identify what is
happening on the network in real time. You can then use this information to
create appropriate security policy rules that block unwanted applications,
while allowing and enabling applications in a secure manner.
The Compromised Hosts widget in the ACC displays potentially compromised hosts on your network, together with
the logs and match evidence that corroborate the events.
- Determine what updates/modifications are required for your network security
policy rules and implement the changes.
For example:
- Evaluate whether to allow web content based on schedule, users, or
groups.
- Allow or control certain applications or functions within an
application.
- Decrypt and inspect content.
- Allow but scan for threats and exploits.
- View Logs.
Specifically, view the traffic and threat logs.
Traffic logs depend on how your security policies are defined and
set up to log traffic. The Application Usage widget in the
ACC, however, records applications and
statistics regardless of policy configuration; it shows all traffic that
is allowed on your network, so it includes both the inter-zone traffic
that is allowed by policy and the same-zone traffic that is allowed
implicitly.
- Configure Log Storage Quotas and Expiration Periods.
Review the AutoFocus intelligence summary for artifacts in your logs. An
artifact is an item, property, activity, or behavior
associated with logged events on the firewall. The intelligence summary
reveals the number of sessions and samples in which WildFire detected the
artifact. Use WildFire verdict information (benign, grayware, malware) and
AutoFocus matching tags to look for potential risks in your network.
AutoFocus tags created by Unit 42, the Palo Alto Networks threat intelligence team, call attention to advanced, targeted
campaigns and threats in your network.
From the AutoFocus intelligence summary, you can start an AutoFocus search
for artifacts and assess their pervasiveness within global, industry, and
network contexts.
- Monitor Web Activity of Network Users.
Review the URL filtering logs to scan through alerts and denied categories/URLs.
URL logs are generated when traffic matches a security rule that has a URL
filtering profile attached with an action of alert, continue, override, or
block.
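The traffic log review described in the View Logs step above, as an added example that is not part of this document and not a Palo Alto Networks tool: it totals allowed traffic per application and per zone pair and flags applications that were only ever allowed by the implicit same-zone `intrazone-default` rule, which are candidates for more granular rules. The constructed log rows use a simplified column set chosen for this example, not the real PAN-OS export format, and the high-risk application list is an analyst's assumption.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: a simplified export of PAN-OS traffic log rows. The column
# set is an assumption for this example (real exports carry many more fields).
SAMPLE_TRAFFIC_LOG = """\
from,to,app,rule,action,bytes
trust,untrust,web-browsing,allow-web,allow,120000
trust,untrust,ssl,allow-web,allow,980000
trust,untrust,bittorrent,allow-web,allow,45000000
trust,trust,ms-rdp,intrazone-default,allow,2100000
trust,trust,smb,intrazone-default,allow,760000
dmz,untrust,dns,allow-dns,allow,3000
trust,untrust,tor,block-evasive,deny,0
"""

# Applications the analyst has decided to treat as high risk for this review
# (an assumption for the example, not a PAN-OS risk rating).
HIGH_RISK_APPS = {"bittorrent", "tor", "ms-rdp"}

def summarize_traffic(log_text):
    """Return per-app byte totals, per-zone-pair byte totals, and the set of
    apps that were only ever allowed by the implicit intrazone-default rule.
    Denied sessions are skipped, mirroring what the Application Usage view shows."""
    by_app = Counter()
    by_zone_pair = Counter()
    rules_per_app = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "allow":
            continue  # only allowed traffic is counted
        size = int(row["bytes"])
        by_app[row["app"]] += size
        by_zone_pair[(row["from"], row["to"])] += size
        rules_per_app[row["app"]].add(row["rule"])
    implicit_only = {app for app, rules in rules_per_app.items()
                     if rules == {"intrazone-default"}}
    return by_app, by_zone_pair, implicit_only

def review_findings(log_text):
    """Apps worth a granular rule: high-risk apps seen in allowed traffic, plus
    anything riding only on the implicit same-zone allow."""
    by_app, _, implicit_only = summarize_traffic(log_text)
    risky = sorted(app for app in by_app if app in HIGH_RISK_APPS)
    return {"high_risk_allowed": risky, "implicit_only": sorted(implicit_only)}

if __name__ == "__main__":
    print(review_findings(SAMPLE_TRAFFIC_LOG))
```

Because denied sessions are excluded, an application that only appears in deny rows (tor in the sample) does not show up as allowed usage, which is the same distinction the ACC draws between logged and allowed traffic.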