Objects > Log Forwarding
By default, the logs that the firewall generates reside
only in its local storage. However, you can use Panorama™, the Logging
Service, or external services (such as a syslog server) to centrally
monitor log information by defining a Log Forwarding profile and
assigning that profile to Security, Authentication, DoS Protection,
and Tunnel Inspection policy rules. Log Forwarding profiles define
forwarding destinations for the following Log
Types: Authentication, Data Filtering, GTP, SCTP, Threat, Traffic,
Tunnel, URL Filtering, and WildFire® Submissions logs.
You should forward logs to Panorama or
to external storage for many reasons, including: compliance, redundancy,
running analytics, centralized monitoring, and reviewing threat
behaviors and long-term patterns. In addition, the firewall has
limited log storage capacity and deletes the oldest logs as when
the storage space fills up. Be sure to forward Threat logs and WildFire
logs.
To forward other log types, see Device
> Log Settings.
To enable a PA-7000 Series firewall to forward logs or
forward files to WildFire®, you must first configure a Log
Card Interface on the PA-7000 Series firewall. As soon as
you configure this interface, the firewall will automatically use
this port—there is no special configuration required. Just configure
a data port on one of the PA-7000 Series Network Processing Cards
(NPCs) as a Log Card interface type and ensure that the network
that you use can communicate with your log servers. For WildFire
forwarding, the network must communicate successfully with the WildFire
cloud or WildFire appliance (or both).
The following table describes the Log Forwarding profile settings.
Log Forwarding Profile
Settings | Description |
---|---|
Name | Enter a name (up to 64 characters) to identify
the profile. This name appears in the list of Log Forwarding profiles
when defining Security policy rules. The name is case-sensitive,
must be unique, and can contain only letters, numbers, spaces, hyphens,
and underscores. |
Shared ( Panorama only ) | Select this option if you want the profile
to be available to:
|
Enable enhanced application logging to Cortex
Data Lake (including traffic and url logs) ( Panorama only ) | Enhanced Application Logs for
Palo Alto Networks Cloud Services is available with a Cortex
Data Lake subscription. Enhanced application logging allows the
firewall to collect data specifically intended to increase visibility
into network activity for apps running in the Palo Alto Networks
Cloud Services environment. |
Disable override ( Panorama only ) | Select this option to prevent administrators
from overriding the settings of this Log Forwarding profile in device
groups that inherit the profile. This selection is disabled (cleared)
by default, which means administrators can override the settings
for any device group that inherits the profile. |
Description | Enter a description to explain the purpose
of this Log Forwarding profile. |
Match List (unlabeled) | Add one or more match
list profiles (up to 64) that specify forwarding destinations, log
attribute-based filters to control which logs the firewall forwards,
and actions to perform on the logs (such as automatic tagging).
Complete the following two fields (Name and Description) for each
match list profile. |
Name (match list profile) | Enter a name (up to 31 characters) to identify
the match list profile. |
Description (match list profile) | Enter a description (up to 1,023 characters)
to explain the purpose of this match list profile. |
Log Type | Select the type of logs to which this match
list profile applies: authentication ( auth ), data , gtp , sctp , threat , traffic , tunnel , URL , or WildFire . |
Filter | By default, the firewall forwards All
Logs of the selected Log Type .
To forward a subset of the logs, select an existing filter from
the drop-down or select Filter Builder to
add a new filter. For each query in a new filter, specify the following
fields and Add the query:
To display or export the logs that the filter
matches, View Filtered Logs , which provides
the same options as the Monitoring tab pages (such
as Monitoring Logs Traffic |
Panorama Panorama
only ) | Select Panorama if you want to forward
logs to Log Collectors or the Panorama management server or to forward
logs to the Logging Service.If you enable this option, you
must configure log forwarding to Panorama. To
use the Logging Service, you must also Enable the
Logging Service in Device
> Setup > Management. |
SNMP | Add one or more SNMP
Trap server profiles to forward logs as SNMP traps (see Device
> Server Profiles > SNMP Trap). |
Email | Add one or more Email
server profiles to forward logs as email notifications (see Device
> Server Profiles > Email). |
Syslog | Add one or more Syslog
server profiles to forward logs as syslog messages (see Device
> Server Profiles > Syslog). |
HTTP | Add one or more HTTP
server profiles to forward logs as HTTP requests (see Device
> Server Profiles > HTTP). |
Built-in Actions | You can select from two types of built-in
actions when you Add an action to perform—Tagging
and Integration.
To
add a device to the quarantine list based on the log forwarding profile
filter, select Quarantine . |
Recommended For You
Recommended Videos
Recommended videos not found.