Track activity of administrators on the web interface
or CLI for auditing purposes.

PAN-OS 10.1 introduces the ability to track administrator activity
in the web interface and command line interface (CLI) of firewalls,
Panorama™ management server, and Log Collectors for audit purposes.
Tracking administrator activity in the web interface and CLI gives
you real-time reporting of activity across your deployment. If you
have reason to believe an administrator account is compromised, you
have a full history of where the account navigated in the web
interface or what operational commands it executed, so you can
analyze in detail and respond to every action the compromised
administrator took.

Each time you navigate through the web interface or execute an
operational command in the CLI, an event occurs and generates an
audit log, which is forwarded to the specified syslog server. Each
navigation or command executed generates its own audit log. For
example, suppose you want to create a new address object. You
generate one audit log when you click Objects and a second audit log
when you then click Addresses.

Audit logs can be forwarded only to a syslog server. They cannot be
forwarded to Cortex Data Lake (CDL) and are not stored locally on the
firewall, Panorama, or Log Collector.