Create an HTTP server profile to forward logs to an HTTP/S
The firewall and Panorama™ can forward logs to an HTTP/S server. You can choose to forward all
logs or specific logs to trigger an action on an external HTTP-based service when an
event occurs. When forwarding logs to an HTTP server, configure the firewall to send
an HTTP-based API request directly to a third-party service to trigger an action
that is based on the attributes in a firewall log. You can configure the firewall to
work with any HTTP-based service that exposes an API and you can modify the URL,
HTTP header, parameters, and the payload in the HTTP request to meet your
Log forwarding to an HTTP server is designed for log forwarding at low
frequencies and is not recommended for deployments with a high volume of log
forwarding. You may experience log loss when forwarding to an HTTP server if
your deployment generates a high volume of logs that need to be forwarded.
Create an HTTP server profile to forward logs
to an HTTP/S destination.
The HTTP server profile allows you to specify how to access the server and define the format in
which to forward logs to the HTTP/S destination. By default, the firewall
uses the management port to forward these logs. However, you can assign a
different source interface and IP address in
Service Route Configuration
for the server
profile, and select the
. The profile
across all virtual systems
or can belong to a specific virtual system.
the details for each server.
Each profile can have a maximum of four servers.
is 80 or 443 respectively
but you can modify the port number to match the port on which your
HTTP server listens.
on the server—
use for the TLS connection with the server.
the third-party service supports—
(Optional) Enter the
authenticating to the server, if needed.
Test Server Connection
verify network connectivity between the firewall and the HTTP/S
the HTTP request.
for each log type for which you want to define the HTTP request
through content updates) or create a custom format.
If you create a custom format, the
the resource endpoint on the HTTP service. The firewall appends the
URI to the IP address you defined earlier to construct the URL for
the HTTP request. Ensure that the URI and payload format match
the syntax that your third-party vendor requires. You can use any
attribute supported on the selected log type within the HTTP Header,
the Parameter and Value pairs, and in the request payload.
Send Test Log
to verify that
the HTTP server receives the request. When you interactively send
a test log, the firewall uses the format as is and does not replace
the variable with a value from a firewall log. If your HTTP server
sends a 404 response, provide values for the parameters so that
the server can process the request successfully.
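A receiver-side sketch of the behavior described above, added here as an example and not taken from the vendor documentation: it rebuilds the URL the firewall requests from the server address and URI, and recognizes a Send Test Log request by its unsubstituted variables so that it is acknowledged but never actioned. The endpoint path, the field names, the `$name` variable syntax and the sample payloads are assumptions.

```python
import json
import re

# Assumption: payload variables look like $name (for example $src); the page does not show the syntax.
PLACEHOLDER = re.compile(r"^\$[A-Za-z_][A-Za-z0-9_-]*$")
ENDPOINT = "/api/v1/fw-events"          # hypothetical URI Format value
REQUIRED = ("serial", "src", "action")  # hypothetical fields in the custom payload

# Constructed sample bodies, not captured from a firewall.
TEST_LOG = '{"serial": "$serial", "src": "$src", "action": "$action"}'
REAL_LOG = '{"serial": "000000000000", "src": "198.51.100.7", "action": "deny"}'


def build_url(scheme, address, port, uri):
    """URL the firewall requests: the URI appended to the server address."""
    default = {"http": 80, "https": 443}[scheme]
    host = address if port == default else f"{address}:{port}"
    return f"{scheme}://{host}/{uri.lstrip('/')}"


def classify(path, body):
    """Return (status, reason) for one forwarded-log request."""
    if path != ENDPOINT:
        return 404, "unknown endpoint"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "payload is not valid JSON"
    if not isinstance(event, dict):
        return 400, "payload is not a JSON object"
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        return 400, "missing: " + ",".join(missing)
    # A test log arrives with the format as is, so variables are still literal.
    raw = [k for k, v in event.items()
           if isinstance(v, str) and PLACEHOLDER.match(v)]
    if raw:
        return 200, "test log, not actioned: " + ",".join(sorted(raw))
    return 202, "accepted"


if __name__ == "__main__":
    print(build_url("https", "192.0.2.10", 443, ENDPOINT))
    for body in (TEST_LOG, REAL_LOG, "not json"):
        print(classify(ENDPOINT, body))
```

Returning a success status for a recognized test log confirms connectivity and format without letting placeholder text trigger the downstream action.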
Define the match criteria for when the firewall will
forward logs to the HTTP server and attach the HTTP server profile
you will use.
Select the log types for which you want
to trigger a workflow:
Add a Log Forwarding Profile (
) for logs that
pertain to user activity (for example, Traffic, Threat, or Authentication
for logs that pertain to system
events, such as Configuration or System logs.
Select the Log Type and use the new
to define the match criteria.
the HTTP server profile
for forwarding logs to the HTTP destination.