Audit Tracking for Administrator Activity

Track activity of administrators on the web interface or CLI for auditing purposes.
PAN-OS 10.1 introduces the ability to track administrator activity in the web interface and command line interface (CLI) of firewalls, Panorama™ management server, and Log Collectors for audit purposes. By tracking administrator activity in the web interface and CLI, you can achieve real-time reporting of activity across your deployment. If you have reason to believe an administrator account is compromised, you have a full history of where that account navigated in the web interface and which operational commands it executed, so you can analyze in detail and respond to every action the compromised administrator took.
An audit log is generated and forwarded to the specified syslog server each time you navigate through the web interface or execute an operational command in the CLI. Each navigation or command executed generates its own audit log. For example, to create a new address object, you generate one audit log when you click Objects, and a second audit log when you then click Addresses. Audit logs can only be forwarded to a syslog server; they cannot be forwarded to Cortex Data Lake (CDL) and are not stored locally on the firewall, Panorama, or Log Collector.
  1. Configure a syslog server profile to forward audit logs of administrator activity on the firewall.
    This step is required to successfully store audit logs for tracking administrator activity on the firewall.
    For Panorama managed firewalls, the syslog server profile can be configured on the Panorama web interface.
  2. Select Panorama > Service Profiles > Syslog and configure a syslog server profile to forward audit logs of administrator activity on Panorama and Log Collectors.
    This step is required to successfully store audit logs for tracking administrator activity on Panorama.
