Server Monitoring
Table of Contents
10.0 (EoL)
Expand all | Collapse all
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption > Forwarding Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
End-of-Life (EoL)
Server Monitoring
- DeviceUser IdentificationUser MappingPalo Alto Networks User-ID Agent SetupServer Monitor
To enable the User-ID agent to map IP addresses to usernames
by searching for logon events in the security event logs of servers,
configure the settings described in the following table.
If the query load is high for Windows
server logs, Windows server sessions, or eDirectory servers, the
observed delay between queries might significantly exceed the specified
frequency or interval.
The complete procedure
![]()
to configure the
PAN-OS integrated User-ID agent to monitor servers requires additional
tasks besides configuring the server monitoring settings.
Server Monitoring Settings | Description |
|---|---|
Enable Security Log | Select this option to enable security log
monitoring on Windows servers. |
Server Log Monitor Frequency (sec) | Specify the frequency in seconds at which
the firewall will query Windows server security logs for user mapping
information (range is 1-3600; default is 2). This is the interval
between when the firewall finishes processing the last query and
when the firewall sends the next query. If
the log monitoring doesn’t happen often enough, the latest IP-address-to-user
mapping may not be available. If the firewall monitors logs too
frequently, that may impact the domain controller, memory, CPU,
and User-ID policy enforcement. Start with a value in a range of
2-30 seconds, then revise the value based on performance impact
or how often user mappings are updated. |
Enable Session | Select this option to enable monitoring
of user sessions on the monitored servers. Each time a user connects
to a server, a session is created; the firewall can use this information
to identify the user IP address. Do
not Enable Session. This setting requires
that the User-ID agent have an Active Directory account with Server
Operator privileges so that it can read all user sessions. Instead,
you should use a Syslog or XML API integration to monitor sources
that capture login and logout events for all device types and operating
systems (instead of only Windows operating systems), such as wireless controllers
and NACs. |
Server Session Read Frequency (sec) | Specify the frequency in seconds at which
the firewall will query Windows server user sessions for user mapping
information (range is 1-3600; default is 10). This is the interval
between when the firewall finishes processing the last query and
when it starts the next query. |
Novell eDirectory Query Interval (sec) | Specify the frequency in seconds at which
the firewall will query Novell eDirectory servers for user mapping
information (range is 1-3600; default is 30). This is the interval
between when the firewall finishes processing the last query and
when it starts the next query. |
Syslog Service Profile | Select an SSL/TLS service profile that specifies
the certificate and allowed SSL/TLS versions for communications between
the firewall and any syslog senders that the User-ID agent monitors.
For details, see Device
> Certificate Management > SSL/TLS Service Profile and Syslog
Filters. If you select none, the firewall
uses its predefined, self-signed certificate. |