Track activity of firewall administrators on the web
interface or CLI for auditing purposes.
Track administrator activity on the firewall
web interface and CLI to achieve real time reporting of activity
across your firewall. If you have reason to believe an administrator
account is compromised, you have a full history of where this administrator
account navigated throughout the web interface or what operational
commands they executed so you can analyze in detail and respond
to all actions the compromised administrator took.
event occurs, an audit log is generated and forwarded to the specified syslog
server each time an administrator navigates through the web interface
or when an operational command is
executed in the CLI. An audit log is generated for each navigation
or commend executed. Take for example if you want to create a new
address object. An audit log is generated when you click on
and a second audit log is generated when you then click on Addresses.
logs are only visible as syslogs forwarded to your syslog server
and cannot be viewed in the firewall web interface. Audit logs can
only be forwarded to a syslog server, cannot be forwarded to Cortex
Data Lake (CDL), and are not stored locally on the firewall.
Configure a syslog server profile to forward audit
logs of administrator activity on the firewall.
This step is required to successfully store audit logs
for tracking administrator activity on the firewall.
In the Log Admin Activity section, configure what
administrator activity to track.
—Generate an audit log
when an administrator executes an operational or debug command in
the CLI or an operational command triggered from the web interface.
See the CLI Operational Command Hierarchy for
a full list of PAN-OS operational and debug commands.
—Generate an audit log when an administrator
navigates throughout the web interface. This includes navigation between
configuration tabs, as well as individual objects within a tab.
example, an audit log is generated when an administrator navigates from
Additionally, an audit log is generated when an administrator navigates from
—Select a target syslog server profile
to forward audit logs.