Next-Generation Firewall
Log Types and Severity Levels
Use the Monitor > Logs pages to view logs. You can view the following log types:
Traffic Logs
Traffic logs display an entry for the start and end of each session. Each entry includes the following information: date and time; source and destination zones; source and destination dynamic address groups, addresses, and ports; application name; security rule applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of bytes; and session end reason.
A dynamic address group only appears in a log if the rule the traffic matches includes a dynamic address group. If an IP address appears in more than one dynamic address group, the firewall displays up to five dynamic address groups in logs along with the source IP address.
The Type column indicates whether the entry is for the start or end of the session.
                The Action column indicates whether the firewall allowed, denied, or dropped the
                session. A drop indicates the security rule that blocked the traffic specified any
                application, while a deny indicates the rule identified a specific application. If
                the firewall drops traffic before identifying the application, such as when a rule
                drops all traffic for a specific service, the Application column displays
                not-applicable.
Click the magnifying glass icon beside an entry to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (in which case the Count column value is greater than one).
Decryption logs were introduced in PAN-OS 11.1. When Decryption logs are disabled, the firewall sends HTTP/2 logs as Traffic logs. When Decryption logs are enabled, the firewall sends HTTP/2 logs as Tunnel Inspection logs instead, so check the Tunnel Inspection logs rather than the Traffic logs for HTTP/2 events.
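The Type, Action, and Application columns described above carry more meaning than their single words suggest: a deny means App-ID identified the application before the rule blocked it, a drop means the rule matched any application, and a drop with Application set to not-applicable means the traffic was discarded before App-ID ran at all. The following Python script is an added example, not code from Palo Alto Networks documentation or PAN-OS. It classifies constructed Traffic log records along exactly those lines and weights aggregated ICMP entries by their Count column. The CSV layout and every value in it are constructed for this example using the column names on this page; they are not the firewall's real syslog or export format, and the classification labels are the example's own.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample records in a simplified CSV layout. The column names follow the
# fields this page lists for Traffic logs; the layout and the values are NOT the
# firewall's actual syslog or CSV export format.
SAMPLE_TRAFFIC_LOG = """\
receive_time,type,src_zone,dst_zone,src_addr,dst_addr,dst_port,application,rule,action,bytes,count,session_end_reason
2024-05-01 10:00:01,start,trust,untrust,10.1.1.5,203.0.113.10,443,incomplete,allow-web,allow,0,1,n/a
2024-05-01 10:00:09,end,trust,untrust,10.1.1.5,203.0.113.10,443,ssl,allow-web,allow,48213,1,tcp-fin
2024-05-01 10:00:12,end,trust,untrust,10.1.1.6,203.0.113.20,23,telnet,block-telnet,deny,120,1,policy-deny
2024-05-01 10:00:15,end,trust,untrust,10.1.1.7,203.0.113.30,445,not-applicable,drop-smb-out,drop,0,1,policy-deny
2024-05-01 10:00:20,end,trust,untrust,10.1.1.8,203.0.113.40,0,ping,allow-icmp,allow,5880,7,aged-out
"""


def parse_traffic_log(text: str) -> list[dict]:
    """Parse the simplified CSV into dicts, converting the numeric columns."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["bytes"] = int(row["bytes"])
        row["count"] = int(row["count"])
        rows.append(row)
    return rows


def classify_entry(entry: dict) -> str:
    """Map Type/Action/Application to what the entry actually tells you.

    deny  -> the rule matched a specific application (App-ID identified it)
    drop  -> the rule matched 'any' application; when Application is
             'not-applicable' the firewall dropped the traffic before App-ID
             ran, for example a rule that drops a whole service
    """
    if entry["type"] == "start":
        return "session-start"
    action = entry["action"]
    if action == "allow":
        return "allowed"
    if action == "deny":
        return "denied-after-app-id"
    if action == "drop":
        if entry["application"] == "not-applicable":
            return "dropped-before-app-id"
        return "dropped"
    return "other"


def summarize_traffic(entries: list[dict]) -> dict:
    """Count entry classes, weight sessions by Count, and total bytes per rule.

    Only session-end entries carry the final byte count, so start entries are
    counted as a class but excluded from the session and byte totals.
    """
    classes = Counter()
    sessions = Counter()
    bytes_by_rule = defaultdict(int)
    for e in entries:
        label = classify_entry(e)
        classes[label] += 1
        if label == "session-start":
            continue
        # An aggregated ICMP entry has Count > 1 and stands for that many sessions
        sessions[label] += e["count"]
        bytes_by_rule[e["rule"]] += e["bytes"]
    return {
        "classes": dict(classes),
        "sessions": dict(sessions),
        "bytes_by_rule": dict(bytes_by_rule),
    }


if __name__ == "__main__":
    for key, value in summarize_traffic(parse_traffic_log(SAMPLE_TRAFFIC_LOG)).items():
        print(key, value)
```

When reviewing real exports, the useful check is the dropped-before-app-id bucket: a large share there means the rulebase is discarding traffic on service alone, and nothing in the Application column will help you explain what that traffic was.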
Threat Logs
Threat logs display entries when traffic matches one of the Security Profiles
                attached to a security rule on the firewall. Each entry includes the following
                information: date and time; type of threat (such as virus or spyware); threat
                description or URL (Name column); source and destination zones, addresses, source
                and destination dynamic address groups, and ports; application name; alarm action
                (such as allow or block); and severity level.
A dynamic address group only appears in a log if the rule the traffic matches includes a dynamic address group. If an IP address appears in more than one dynamic address group, the firewall displays up to five dynamic address groups in logs along with the source IP address.
To see more details on individual Threat log entries:
- Click the magnifying glass icon beside a threat entry to view details such as whether the entry aggregates multiple threats of the same type between the same source and destination (in which case the Count column value is greater than one).
- If you configured the firewall to Take Packet Captures, click the packet capture icon beside an entry to access the captured packets.
The following table summarizes the Threat severity levels:

| Severity | Description |
|---|---|
| Critical | Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and for which exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims, and the target does not need to be manipulated into performing any special functions. |
| High | Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool. WildFire Submissions log entries with a malicious verdict and an action set to allow are logged as High. |
| Medium | Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access. |
| Low | Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage. |
| Informational | Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist. |
URL Filtering Logs
URL filtering logs (Monitor > Logs > URL Filtering) display comprehensive information about traffic to URL categories monitored in Security policy rules. Attributes or properties recorded for each session include receive time, category, URL, from zone, to zone, source, and source user. You can customize your log view so that only the attributes you are most interested in display. The firewall generates URL filtering log entries in the following cases, with exceptions noted:
- Traffic matches a Security policy rule with a URL category as match criteria. The rule enforces one of the following actions on the traffic: deny, drop, or reset (client, server, both).

  URL filtering logs are only generated when an action results from a URL category match. If you have Security policy rules with applications as match criteria, a URL can be blocked due to an application (App-ID) rather than a URL category match. This behavior depends on how packets in the session are parsed.

  For example, suppose you have a Security policy rule that blocks the social-networking category and another rule that blocks a specific social media application. Traffic to the social media website could result in a Security policy lookup that hits an App-ID rule instead of a URL filtering rule. In this case, a URL filtering log isn't generated.
- Traffic matches a Security policy rule with a URL Filtering profile attached. Site Access for categories in the profile is set to alert, block, continue, or override.
By default, categories set to allow do not generate URL
                    filtering log entries. The exception is if you configure log forwarding.
If you want the firewall to log traffic to categories that you allow but would
                    like more visibility into, set Site Access for these
                    categories to alert in your URL Filtering profiles. 
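The conditions above decide whether a URL Filtering log entry exists at all, which matters when you go looking for a blocked request and find nothing. The following Python script is an added example, not PAN-OS code; the rule and session model is a simplification made for this example. It evaluates an ordered list of constructed Security policy rules top-down and reports whether a URL filtering log entry is expected for a session, including the App-ID-versus-category case from the example above and the allow-versus-alert Site Access distinction. It assumes App-ID has already identified the application when the policy lookup runs, which is precisely the situation the page says depends on how packets are parsed; the rule names, profile contents, and sessions are all constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Site Access settings in a URL Filtering profile that produce a log entry (from the page)
LOGGING_SITE_ACCESS = {"alert", "block", "continue", "override"}
# Rule actions that produce a log entry when the rule matched on URL category (from the page)
CATEGORY_MATCH_ACTIONS = {"deny", "drop", "reset-client", "reset-server", "reset-both"}


@dataclass
class SecurityRule:
    """Simplified Security policy rule (a constructed model, not the PAN-OS rule schema)."""
    name: str
    action: str                               # allow, deny, drop, reset-client, reset-server, reset-both
    applications: frozenset = frozenset()     # App-ID match criteria; empty means any application
    url_categories: frozenset = frozenset()   # URL category match criteria; empty means not category-based
    url_profile: Optional[dict] = None        # category -> Site Access when a URL Filtering profile is attached


@dataclass(frozen=True)
class Session:
    application: str   # what App-ID identified (assumed already known at lookup time)
    category: str      # URL category of the requested site


def first_match(rules: list[SecurityRule], session: Session) -> Optional[SecurityRule]:
    """Top-down first-match evaluation, the way an ordered Security policy is applied."""
    for rule in rules:
        if rule.applications and session.application not in rule.applications:
            continue
        if rule.url_categories and session.category not in rule.url_categories:
            continue
        return rule
    return None


def url_filtering_log_expected(rules: list[SecurityRule], session: Session) -> tuple[Optional[str], bool, str]:
    """Return (matched rule name, whether a URL Filtering log entry is expected, reason)."""
    rule = first_match(rules, session)
    if rule is None:
        return None, False, "no rule matched"
    if rule.url_categories and rule.action in CATEGORY_MATCH_ACTIONS:
        return rule.name, True, f"{rule.action} resulted from a URL category match"
    if rule.applications and rule.action != "allow":
        # Blocked because of App-ID, not because of a URL category: no URL Filtering log
        return rule.name, False, "blocked by an App-ID rule, not a URL category match"
    if rule.url_profile is not None:
        site_access = rule.url_profile.get(session.category, "allow")
        if site_access in LOGGING_SITE_ACCESS:
            return rule.name, True, f"URL Filtering profile Site Access is {site_access}"
        return rule.name, False, "Site Access is allow (no log unless log forwarding is configured)"
    return rule.name, False, "no URL category criteria and no URL Filtering profile"


# Constructed rulebase following the page's social-networking example. "facebook-base" is a
# real App-ID name used here only as a plausible value; the rules themselves are invented.
RULES = [
    SecurityRule("block-social-app", "deny", applications=frozenset({"facebook-base"})),
    SecurityRule("block-social-category", "deny", url_categories=frozenset({"social-networking"})),
    SecurityRule("allow-web-with-profile", "allow",
                 url_profile={"gambling": "block", "news": "allow", "streaming-media": "alert"}),
]

if __name__ == "__main__":
    for s in (Session("facebook-base", "social-networking"),
              Session("web-browsing", "social-networking"),
              Session("web-browsing", "gambling"),
              Session("web-browsing", "news")):
        print(s, "->", url_filtering_log_expected(RULES, s))
```

The first two sessions are the page's own scenario: the same social-networking site produces a URL filtering log only when the lookup lands on the category rule rather than the App-ID rule, so the absence of a URL filtering entry does not mean the request was allowed; check the Traffic log for the deny instead.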
WildFire Submissions Logs
The firewall forwards samples (files and email links) to the WildFire cloud for analysis based on the WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). The firewall generates WildFire Submissions log entries for each sample it forwards after WildFire completes static and dynamic analysis of the sample. WildFire Submissions log entries include the firewall Action for the sample (allow or block), the WildFire verdict for the submitted sample, and the severity level of the sample.
The following table summarizes the WildFire verdicts:

| Verdict | Description |
|---|---|
| Benign | Indicates that the entry received a WildFire analysis verdict of benign. Files categorized as benign are safe and do not exhibit malicious behavior. |
| Grayware | Indicates that the entry received a WildFire analysis verdict of grayware. Files categorized as grayware do not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware can include adware, spyware, and Browser Helper Objects (BHOs). |
| Phishing | Indicates that WildFire assigned a link an analysis verdict of phishing. A phishing verdict indicates that the site to which the link directs users displayed credential phishing activity. |
| Malicious | Indicates that the entry received a WildFire analysis verdict of malicious. Samples categorized as malicious can pose a security threat. Malware can include viruses, C2 (command-and-control), worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets. For samples that are identified as malware, the WildFire cloud generates and distributes a signature to prevent against future exposure. C2 samples are classified as C2 in the WildFire analysis report and in other Palo Alto Networks products that rely on WildFire analysis data; however, the firewall translates that verdict and categorizes it as malicious. |
Data Filtering Logs
Data Filtering logs display entries for the security rules that help prevent
                sensitive information such as credit card numbers from leaving the area that the
                firewall protects. See Data Filtering for information on defining
                Data Filtering profiles.
This log type also shows information for File Blocking Profiles. For example, if a
                rule blocks .exe files, the log shows the blocked files.
Correlation Logs
The firewall logs a correlated event when the patterns and thresholds defined in a
                    Correlation Object match the traffic patterns on your
                network. To Interpret Correlated Events
                and view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
The following table summarizes the Correlation log severity levels:

| Severity | Description |
|---|---|
| Critical | Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file. |
| High | Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity being generated from a particular host. |
| Medium | Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs that suggest scripted command-and-control activity. |
| Low | Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain. |
| Informational | Detects an event that may be useful in aggregate for identifying suspicious activity; each event is not necessarily significant on its own. |
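The severity tiers above describe an escalation pattern, and it is worth seeing that pattern written out as detection logic so that the difference between, say, a Low and a Medium correlated event is unambiguous. The following Python script is an added example; it is not PAN-OS code and not the firewall's Correlation Object engine. It encodes the five tiers as ordered rules over constructed per-host events: the event kinds, the REPEAT_THRESHOLD value, the sample hosts and every indicator are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observation about a host (a constructed event model, not a PAN-OS log record)."""
    time: str        # ISO-8601 so plain string comparison orders events
    host: str        # internal host the observation is about
    kind: str        # wildfire_malicious_file | c2_activity | malware_detected | malicious_url | dynamic_dns
    indicator: str   # C2 domain seen in the sandbox or on the wire, or the URL/domain visited


# Assumption for this example: how many malicious-URL visits from one host count as "repeated"
REPEAT_THRESHOLD = 3


def correlate_host(host: str, events: list[Event]) -> tuple[str, str]:
    """Return (severity, reason) for one host, checking the tiers from Critical down."""
    mine = [e for e in events if e.host == host]
    if not mine:
        return "none", "no events for host"

    # Critical: the host received a WildFire-malicious file and afterwards shows the
    # same C2 behaviour the sandbox observed for that file
    for f in (e for e in mine if e.kind == "wildfire_malicious_file"):
        if any(e.kind == "c2_activity" and e.indicator == f.indicator and e.time >= f.time
               for e in mine):
            return "critical", f"C2 to {f.indicator} matches WildFire sandbox behaviour of received file"

    # High: malware detected anywhere on the network whose C2 matches traffic from this host
    c2_from_host = {e.indicator for e in mine if e.kind == "c2_activity"}
    network_c2 = {e.indicator for e in events if e.kind == "malware_detected"}
    overlap = c2_from_host & network_c2
    if overlap:
        return "high", f"host C2 to {sorted(overlap)} matches malware detected on the network"

    # Medium: repeated visits to known malicious URLs suggest scripted C2
    url_visits = [e for e in mine if e.kind == "malicious_url"]
    if len(url_visits) >= REPEAT_THRESHOLD:
        return "medium", f"{len(url_visits)} visits to known malicious URLs"

    # Low: a single malicious URL visit or a dynamic DNS domain
    if url_visits or any(e.kind == "dynamic_dns" for e in mine):
        return "low", "visit to a malicious URL or a dynamic DNS domain"

    # Informational: events that only matter in aggregate
    return "informational", "events present but no suspicious pattern on their own"


def correlate_all(events: list[Event]) -> dict[str, str]:
    """Severity per host, for every host that appears in the events."""
    return {h: correlate_host(h, events)[0] for h in sorted({e.host for e in events})}


# Constructed sample events, one host per tier (all addresses and domains are invented)
SAMPLE_EVENTS = [
    Event("2024-05-01T09:00:00", "10.1.1.5", "wildfire_malicious_file", "c2.example.net"),
    Event("2024-05-01T09:30:00", "10.1.1.5", "c2_activity", "c2.example.net"),
    Event("2024-05-01T09:40:00", "10.1.1.6", "c2_activity", "beacon.example.org"),
    Event("2024-05-01T09:45:00", "10.1.1.9", "malware_detected", "beacon.example.org"),
    Event("2024-05-01T10:00:00", "10.1.1.7", "malicious_url", "http://bad.example.com/a"),
    Event("2024-05-01T10:01:00", "10.1.1.7", "malicious_url", "http://bad.example.com/b"),
    Event("2024-05-01T10:02:00", "10.1.1.7", "malicious_url", "http://bad.example.com/c"),
    Event("2024-05-01T10:10:00", "10.1.1.8", "dynamic_dns", "host.dyndns.example"),
]

if __name__ == "__main__":
    for host, severity in correlate_all(SAMPLE_EVENTS).items():
        print(host, severity, "-", correlate_host(host, SAMPLE_EVENTS)[1])
```

The ordering of the checks is the point: the Critical rule needs both the WildFire verdict and matching C2 from the same host, and the High rule looks beyond the host to malware seen anywhere on the network, which is why the host with only a malware detection and no C2 of its own ends up Informational rather than High.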
Tunnel Inspection Logs
Tunnel inspection logs are like traffic logs for tunnel sessions; they display
                entries of non-encrypted tunnel sessions. To prevent double counting, the firewall
                saves only the inner flows in traffic logs, and sends tunnel sessions to the tunnel
                inspection logs. The tunnel inspection log entries include Receive Time (date and
                time the log was received), the tunnel ID, monitor tag, session ID, the Security
                rule applied to the tunnel session, number of bytes in the session, parent session
                ID (session ID for the tunnel session), source address, source user and source zone,
                destination address, destination user, and destination zone. 
When the decryption logs introduced in PAN-OS 11.1 are enabled, the firewall
                    sends HTTP/2 logs as Tunnel Inspection logs (when decryption logs are disabled,
                    HTTP/2 logs are sent as Traffic logs), so you need to check the Tunnel
                    Inspection logs instead of the Traffic logs for HTTP/2 events.
Click the Detailed Log view to see details for an entry, such as the tunnel protocol
                used, and the flag indicating whether the tunnel content was inspected or not. Only
                a session that has a parent session will have the Tunnel Inspected flag set, which
                means the session is in a tunnel-in-tunnel (two levels of encapsulation). The first
                outer header of a tunnel will not have the Tunnel Inspected flag set. 
Config Logs
Config logs display entries for changes to the firewall configuration. Each entry
                includes the date and time, the administrator username, the IP address from where
                the administrator made the change, the type of client (Web, CLI, or Panorama), the
                type of command executed, the command status (succeeded or failed), the
                configuration path, and the values before and after the change.
System Logs
System logs display entries for each system event on the firewall. Each entry
                includes the date and time, event severity, and event description. The following
                table summarizes the System log severity levels. For a partial list of System log
                messages and their corresponding severity levels, refer to System Log Events.
| Severity | Description |
|---|---|
| Critical | Hardware failures, including high availability (HA) failover and link failures. |
| High | Serious issues, including dropped connections with external devices, such as LDAP and RADIUS servers. |
| Medium | Mid-level notifications, such as antivirus package upgrades. |
| Low | Minor severity notifications, such as user password changes. |
| Informational | Log in/log off, administrator name or password change, any configuration change, and all other events not covered by the other severity levels. |
HIP Match Logs
The GlobalProtect Host Information Profile (HIP)
                    matching enables you to collect information about the security status of
                the end devices accessing your network (such as whether they have disk encryption
                enabled). The firewall can allow or deny access to a specific host based on
                adherence to the HIP-based security rules you define. HIP Match logs display traffic
                flows that match a HIP Object or HIP Profile that you configured for the
                rules.
GlobalProtect Logs
GlobalProtect logs display the following logs related to GlobalProtect:
- GlobalProtect system logs. GlobalProtect authentication event logs remain in Monitor > Logs > System; however, the Auth Method column of the GlobalProtect logs displays the authentication method used for logins.
- LSVPN/satellite events.
- GlobalProtect portal and gateway logs.
- Clientless VPN logs.
IP-Tag Logs
IP-tag logs display how and when a source IP address is registered or
                unregistered on the firewall and what tag the firewall applied to the address.
                Additionally, each log entry displays the configured timeout (when configured) and
                the source of the IP address-to-tag mapping information, such as User-ID agent VM
                information sources and auto-tagging. See how to Register IP Address and Tags Dynamically
                for more information.
User-ID Logs
User-ID logs display
                information about IP address-to-username mappings and Authentication Timestamps,
                such as the sources of the mapping information and the times when users
                authenticated. You can use this information to help troubleshoot User-ID and
                authentication issues. For example, if the firewall is applying the wrong policy
                rule for a user, you can view the logs to verify whether that user is mapped to the
                correct IP address and whether the group associations are correct.
Decryption Logs
Decryption logs provide a detailed record
                of failed or successful decryption sessions on your network. By default, your
                Next-Generation Firewall (NGFW) only generates decryption logs for unsuccessful TLS
                handshakes. For full visibility into decryption activity, you can log successful TLS handshakes. However,
                ensure your system has enough resources (log space) to handle the increased volume
                of logs.
Monitoring decryption logs helps you understand decryption activity and
                    troubleshoot decryption issues. These logs
                are comprehensive, with over 62 columns of information that fall into the following
                categories:
- Session and Policy Rule Details—Information about the traffic, including the source and destination IP addresses, the user who initiated the session, the specific decryption policy rule that was applied to the traffic, and the type of decryption performed.
- Certificate Details—Information about the certificate used in the session, including the subject common name, issuer common name, root common name, root status, certificate key type and size, certificate start and end date, certificate serial number, and certificate fingerprint.
- TLS Connection Details—Information about the parameters used to establish the session, including the negotiated TLS version, key exchange algorithm, encryption algorithm, authentication algorithms, elliptic curve (EC), and Server Name Indication (SNI).
- Error Details—Error information related to certificates, ciphers, feature, hardware security modules (HSM), protocols, resources, session resumption, and TLS versions. Error indexes (codes) are also provided for easy lookup of more detailed error information.
You can click the magnifying glass for any log entry to view detailed session information in a consolidated view.

  NGFWs don't generate decryption logs for web traffic blocked
                    during an SSL/TLS handshake. These sessions
                    don't appear in decryption logs because the NGFW resets the
                    SSL/TLS connection, which ends the handshake and prevents decryption. You can
                    find details for these blocked sessions in your URL Filtering logs instead.
Decryption logs are not supported for SSH Proxy traffic. In addition, certificate
                    information isn’t available for session resumption logs.
Alarms Logs
An alarm is a firewall-generated message indicating that the number of events of a
                particular type (for example, encryption and decryption failures) has exceeded the
                threshold configured for that event type. To enable alarms and configure alarm
                thresholds, select Device > Log Settings and edit the Alarm Settings.
When generating an alarm, the firewall creates an Alarm log and opens the System Alarms dialog to display the alarm. After you Close the dialog, you can reopen it anytime by clicking Alarms at the bottom of the web interface. To prevent the firewall from automatically opening the dialog for a particular alarm, select the alarm in the Unacknowledged Alarms list and Acknowledge the alarm.

  Authentication Logs
Authentication logs display information about authentication events that occur when
                end users try to access network resources for which access is controlled by Authentication Policy rules.
                You can use this information to help troubleshoot access issues and to adjust your
                Authentication policy as needed. In conjunction with correlation objects, you can
                also use Authentication logs to identify suspicious activity on your network, such
                as brute force attacks.
Optionally, you can configure Authentication rules to log timeout events. These timeouts relate to the period during which a user needs to authenticate for a resource only once but can access it repeatedly. Seeing information about the timeouts helps you decide if and how to adjust them (for details, see Authentication Timestamps).
System logs record authentication events relating to GlobalProtect and to
                    administrator access to the web interface.
Unified Logs
Unified logs are entries from the Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering logs displayed in a single view. Unified log view enables you to investigate and filter the latest entries from different log types in one place, instead of searching through each log type separately. Click Effective Queries in the filter area to select which log types will display entries in Unified log view.
The Unified log view displays only entries from logs that you have permission to see.
                For example, an administrator who does not have permission to view WildFire
                Submissions logs will not see WildFire Submissions log entries when viewing Unified
                logs. Administrative Role Types define these permissions.
When you Set Up Remote Search in AutoFocus to
                    perform a targeted search on the firewall, the search results are displayed in
                    Unified log view.
 
			