Configure Email Alerts
Focus
Focus

Configure Email Alerts

Table of Contents

Configure Email Alerts

You can configure email alerts for System, Config, HIP Match, Correlation, Threat, WildFire Submission, and Traffic logs. You can use separate profiles to send email notifications for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.
As a best practice, configure transport layer security (TLS) to require the firewall to authenticate with the email server before the firewall relays email to the server. This helps prevent malicious activity, such as Simple Mail Transfer Protocol (SMTP) relay, which can be used to send spam or malware, and email spoofing, which can be used for phishing attacks.
  1. (Required for SMTP over TLS) If you have not already done so, create a certificate profile for the email server.
  2. Select DeviceServer ProfilesEmail.
  3. Add an email server profile and enter a Name.
  4. From the read-only window that appears, Add the email server and enter a Name.
  5. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
  6. (Optional) Enter an Email Display Name to specify the name to display in the From field of the email.
  7. Enter the email address From which the firewall sends emails.
  8. Enter the email address To which the firewall sends emails.
  9. (Optional) If you want to send emails to a second account, enter the address of the Additional Recipient. You can add only one additional recipient. For multiple recipients, add the email address of a distribution list.
  10. Enter the IP address or hostname of the Email Gateway to use for sending emails.
  11. Select the Type of protocol to use to connect to the email server:
    • Unauthenticated SMTP—Use SMTP to connect to the email server without authentication. The default Port is 25, but you can optionally specify a different port. This protocol does not provide the same security as SMTP over TLS, but if you select this protocol, skip the next step.
    • SMTP over TLS—(Recommended) Use TLS to require authentication to connect to the email server. Continue to the next step to configure the TLS authentication.
  12. (SMTP over TLS only) Configure the firewall to use TLS authentication to connect to the email server.
    1. (Optional) Specify the Port to use to connect to the email server (default is 587).
    2. TLS Version—Specify the TLS version (1.1 or 1.2).
      Palo Alto Networks strongly recommends using the latest TLS version.
    3. Select the Authentication Method for the firewall and the email server:
      • Auto—Allow the firewall and the email server to determine the authentication method.
      • Login—Use Base64 encoding for the username and password and transmit them separately.
      • Plain—Use Base64 encoding for the username and password and transmit them together.
    4. Select a Certificate Profile to authenticate with the email server.
    5. Enter the Username and Password of the account that sends the emails, then Confirm Password.
    6. (Optional) To confirm that the firewall can successfully authenticate with the email server, you can Test Connection.
  13. Click OK to save the Email server profile.
  14. (Optional) Select the Custom Log Format tab and customize the format of the email messages. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
  15. Configure email alerts for Traffic, Threat, and WildFire Submission logs.
    1. See Create a Log Forwarding profile.
      1. Select ObjectsLog Forwarding, click Add, and enter a Name to identify the profile.
      2. For each log type and each severity level or WildFire verdict, select the Email server profile and click OK.
  16. Configure email alerts for System, Config, HIP Match, and Correlation logs.
    1. Select DeviceLog Settings.
    2. For System and Correlation logs, click each Severity level, select the Email server profile, and click OK.
    3. For Config and HIP Match logs, edit the section, select the Email server profile, and click OK.
    4. Click Commit.