Configure Email Alerts

You can configure email alerts for System, Config, HIP Match, Correlation, Threat, WildFire Submission, and Traffic logs. You can use separate profiles to send email notifications for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.
As a best practice, configure transport layer security (TLS) to require the firewall to authenticate with the email server before the firewall relays email to the server. This helps prevent malicious activity, such as Simple Mail Transfer Protocol (SMTP) relay, which can be used to send spam or malware, and email spoofing, which can be used for phishing attacks.
  1. (Required for SMTP over TLS) If you have not already done so, create a certificate profile for the email server.
  2. Select Device > Server Profiles > Email.
  3. Add an email server profile and enter a Name.
  4. From the read-only window that appears, Add the email server and enter a Name.
  5. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
  6. (Optional) Enter an Email Display Name to specify the name to display in the From field of the email.
  7. Enter the email address From which the firewall sends emails.
  8. Enter the email address To which the firewall sends emails.
  9. (Optional) If you want to send emails to a second account, enter the address of the Additional Recipient. You can add only one additional recipient. For multiple recipients, add the email address of a distribution list.
  10. Enter the IP address or hostname of the Email Gateway to use for sending emails.
  11. Select the Type of protocol to use to connect to the email server:
    • Unauthenticated SMTP: Use SMTP to connect to the email server without authentication. The default Port is 25, but you can optionally specify a different port. This protocol does not provide the same security as SMTP over TLS, but if you select this protocol, skip the next step.
    • SMTP over TLS: (Recommended) Use TLS to require authentication to connect to the email server. Continue to the next step to configure the TLS authentication.
  12. (SMTP over TLS only) Configure the firewall to use TLS authentication to connect to the email server.
    1. (Optional) Specify the Port to use to connect to the email server (default is 587).
    2. TLS Version: Specify the TLS version (1.1 or 1.2). Palo Alto Networks strongly recommends using the latest TLS version.
    3. Select the Authentication Method for the firewall and the email server:
      • Auto: Allow the firewall and the email server to determine the authentication method.
      • Login: Use Base64 encoding for the username and password and transmit them separately.
      • Plain: Use Base64 encoding for the username and password and transmit them together.
    4. Select a Certificate Profile to authenticate with the email server.
    5. Enter the Username and Password of the account that sends the emails, then Confirm Password.
    6. (Optional) To confirm that the firewall can successfully authenticate with the email server, you can Test Connection.
  13. Click OK to save the Email server profile.
  14. (Optional) Select the Custom Log Format tab and customize the format of the email messages. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
  15. Configure email alerts for Traffic, Threat, and WildFire Submission logs.
    1. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
    2. For each log type and each severity level or WildFire verdict, select the Email server profile and click OK.
  16. Configure email alerts for System, Config, HIP Match, and Correlation logs.
    1. Select Device > Log Settings.
    2. For System and Correlation logs, click each Severity level, select the Email server profile, and click OK.
    3. For Config and HIP Match logs, edit the section, select the Email server profile, and click OK.
    4. Click Commit.
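
The Login and Plain authentication methods in step 12 only Base64-encode the credentials, so their confidentiality depends entirely on the TLS session. The following added example (not Palo Alto Networks code) reverses both encodings without any key and checks a client-side SMTP session log for AUTH issued before STARTTLS. The account, password, hostnames and session lines are constructed, and the use of STARTTLS on the submission port is an assumption.

```python
import base64

def encode_plain(user, password):
    """AUTH PLAIN (RFC 4616): one Base64 token carrying NUL + user + NUL + password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def encode_login(user, password):
    """AUTH LOGIN: user and password Base64-encoded and sent as two separate replies."""
    return [base64.b64encode(s.encode()).decode() for s in (user, password)]

def decode_tokens(mechanism, tokens):
    """Reverse either encoding with no key, as anyone who can read the session could."""
    if mechanism == "PLAIN":
        _authzid, user, password = base64.b64decode(tokens[0]).decode().split("\0")
        return user, password
    user, password = (base64.b64decode(t).decode() for t in tokens)
    return user, password

def auth_before_tls(client_lines):
    """Return True if the client issued AUTH before STARTTLS in a session log."""
    tls_started = False
    for line in client_lines:
        verb = line.split(" ", 1)[0].upper()
        if verb == "STARTTLS":
            tls_started = True
        elif verb == "AUTH" and not tls_started:
            return True
    return False

# Constructed sample data (hypothetical account and hostnames).
USER, PASSWORD = "fw-alerts@example.com", "constructed-secret"
UNPROTECTED = ["EHLO fw.example.com",
               "AUTH PLAIN " + encode_plain(USER, PASSWORD)]
PROTECTED = ["EHLO fw.example.com", "STARTTLS", "EHLO fw.example.com",
             "AUTH LOGIN", *encode_login(USER, PASSWORD)]

if __name__ == "__main__":
    print("PLAIN token :", encode_plain(USER, PASSWORD))
    print("LOGIN tokens:", encode_login(USER, PASSWORD))
    print("Recovered   :", decode_tokens("LOGIN", encode_login(USER, PASSWORD)))
    print("AUTH before TLS (unprotected log):", auth_before_tls(UNPROTECTED))
    print("AUTH before TLS (protected log)  :", auth_before_tls(PROTECTED))
```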
