Configure Log Forwarding
Next-Generation Firewall Docs, PAN-OS 11.1 & Later
In an environment where you use multiple firewalls to control and analyze network traffic, any single firewall can display logs and reports only for the traffic it monitors. Because logging in to multiple firewalls makes monitoring cumbersome, you can achieve global visibility into network activity more efficiently by forwarding the logs from all firewalls to Panorama or to external services. If you Use External Services for Monitoring, the firewall automatically converts the logs to the format each service needs: syslog messages, SNMP traps, email notifications, or an HTTP payload that carries the log details to an HTTP(S) server. Where some teams in your organization work more efficiently by monitoring only the logs relevant to their operations, you can create forwarding filters based on any log attribute (such as threat type or source user). For example, a security operations analyst who investigates malware attacks might be interested only in Threat logs with the type attribute set to wildfire-virus.
By default, the firewall forwards logs over the management interface unless you configure a dedicated service route for log forwarding. A forwarded log record can be at most 4,096 bytes: a record that exceeds the limit is truncated to 4,096 bytes, while records within the limit are forwarded intact. Because truncation drops everything after the cutoff, a receiver parsing a truncated record is missing its trailing fields, so keep custom log formats comfortably under the limit.
Log forwarding is supported only for the supported log fields documented for each log type. Forwarding logs that contain unsupported log fields or pseudo-fields causes the firewall to crash.
You can forward logs from the firewalls directly to external services, or from the firewalls to Panorama and then configure Panorama to forward the logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.
You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it on another firewall. Because the log database is too large for an export or import to be practical on the PA-7000 Series firewall, that platform does not support these options. You can also use the web interface on all platforms to View and Manage Reports, but only on a per-log-type basis, not for the entire log database.
- Configure a server profile for each external service that will receive log information. You can use separate profiles to send different sets of logs, filtered by log attributes, to different servers. To increase availability, define multiple servers in a single profile. Configure one or more of the following server profiles:
- Configure an email server profile (see Configure Email Alerts). (Required for SMTP over TLS) If you have not already done so, create a certificate profile for the email server.
- Configure an SNMP trap server profile (see Forward Traps to an SNMP Manager). To enable the SNMP manager (trap server) to interpret firewall traps, you must load the Palo Alto Networks Supported MIBs into the SNMP manager and, if necessary, compile them. For details, refer to your SNMP management software documentation.
- Configure a syslog server profile (see Configure Syslog Monitoring). If the syslog server requires client authentication, you must also configure a certificate for the firewall to present to the syslog server.
- Configure an HTTP server profile (see Forward Logs to an HTTP/S Destination). Log forwarding to an HTTP server is designed for low-frequency forwarding and is not recommended for deployments that forward a high volume of logs; you may lose logs if your deployment generates a high volume of logs that must be forwarded to an HTTP server.
- Create a Log Forwarding profile. The profile defines the destinations for Traffic, Threat, WildFire Submission, URL Filtering, Data Filtering, Tunnel, and Authentication logs.
- Select Objects > Log Forwarding and Add a profile.
- Enter a Name to identify the profile. If you want the firewall to automatically assign the profile to new security rules and zones, enter default. If you don't want a default profile, or you want to override an existing default profile, enter a Name that will help you identify the profile when assigning it to security rules and zones. If no log forwarding profile named default exists, the profile selection defaults to None in new security rules (Log Forwarding field) and new security zones (Log Setting field), although you can change the selection.
- Add one or more match list profiles.The profiles specify log query filters, forwarding destinations, and automatic actions such as tagging. For each match list profile:
- Enter a Name to identify the profile.
- Select the Log Type.
- In the Filter drop-down, select Filter Builder. Specify the following and then Add each query:
- Connector logic (and/or)
- Log Attribute
- Operator to define inclusion or exclusion logic
- Attribute Value for the query to match
- Select Panorama if you want to forward logs to Log Collectors or the Panorama management server.
- For each type of external service that you use for monitoring (SNMP, Email, Syslog, and HTTP), Add one or more server profiles.
- (Optional, GlobalProtect Only) If you are using a log forwarding profile with a security policy to automatically quarantine a device using GlobalProtect, select Quarantine in the Built-in Actions area.
- Click OK to save the Log Forwarding profile.
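To make the match-list semantics concrete, here is an added Python example; it is not code from the PAN-OS documentation or from Palo Alto Networks. It models one Log Forwarding profile with several match lists and routes constructed sample log records to destinations the way the Filter Builder queries select them, and it applies the 4,096-byte record limit described above so you can see what a receiver loses. The filter syntax it parses (parenthesized attribute/operator/value terms joined by and/or, with only eq and neq implemented and "and" binding tighter than "or"), the attribute names, the server profile names, and the sample records are all assumptions made for illustration.

```python
"""Model PAN-OS Log Forwarding match lists and route sample log records.

Added example; not code from the PAN-OS documentation or Palo Alto Networks.
Assumptions: the filter text is the form the Filter Builder produces,
"(attribute operator value)" terms joined by and/or; only eq and neq are
implemented; "and" binds tighter than "or"; an empty filter means All Logs.
Attribute names, profile names, and the log records are constructed.
"""
import re
from dataclasses import dataclass, field

MAX_RECORD_BYTES = 4096  # forwarding limit stated in the documentation above

_TERM = re.compile(r"\(\s*([A-Za-z_][\w-]*)\s+(eq|neq)\s+'?([^')]*?)'?\s*\)")
_CONNECTOR = re.compile(r"(and|or)\b", re.IGNORECASE)


def _tokenize(expr: str) -> list:
    """Split a filter into ("term", attr, op, value) and ("op", and|or) tokens."""
    tokens, pos = [], 0
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        m = _TERM.match(expr, pos)
        if m:
            tokens.append(("term", m.group(1), m.group(2), m.group(3)))
            pos = m.end()
            continue
        m = _CONNECTOR.match(expr, pos)
        if m:
            tokens.append(("op", m.group(1).lower()))
            pos = m.end()
            continue
        raise ValueError(f"unparseable filter at offset {pos}: {expr[pos:pos + 20]!r}")
    return tokens


def evaluate_filter(expr: str, record: dict) -> bool:
    """True if the record matches the filter; an empty filter matches everything."""
    tokens = _tokenize(expr)
    if tokens and tokens[-1][0] == "op":
        raise ValueError("filter ends with a connector")
    groups = [[]]  # or-separated groups, each a list of and-ed term results
    expect_term = True
    for tok in tokens:
        if expect_term:
            if tok[0] != "term":
                raise ValueError("expected a (attribute op value) term")
            _, attr, op, value = tok
            actual = str(record.get(attr, ""))
            groups[-1].append(actual == value if op == "eq" else actual != value)
        else:
            if tok[0] != "op":
                raise ValueError("expected and/or between terms")
            if tok[1] == "or":
                groups.append([])
        expect_term = not expect_term
    return any(all(g) for g in groups)


@dataclass
class MatchList:
    name: str
    log_type: str                 # traffic, threat, url, data, wildfire, tunnel, auth
    filter: str = ""              # "" = All Logs
    panorama: bool = False
    syslog: list = field(default_factory=list)   # server profile names (assumed)
    email: list = field(default_factory=list)
    snmp: list = field(default_factory=list)
    http: list = field(default_factory=list)


def route_log(match_lists: list, record: dict) -> list:
    """Destinations that would receive this record. A record can match several
    match lists and each adds its own destinations. Log types the profile does
    not cover (System, Config, ...) never match here; the firewall forwards
    those from Device > Log Settings instead."""
    dests = set()
    for ml in match_lists:
        if ml.log_type != record.get("type") or not evaluate_filter(ml.filter, record):
            continue
        if ml.panorama:
            dests.add("panorama")
        for kind, names in (("syslog", ml.syslog), ("email", ml.email),
                            ("snmp", ml.snmp), ("http", ml.http)):
            dests.update(f"{kind}:{n}" for n in names)
    return sorted(dests)


def truncate_for_forwarding(payload: str, limit: int = MAX_RECORD_BYTES) -> str:
    """Apply the record-size limit as a receiver experiences it: bytes past the
    limit never arrive, so any fields after the cutoff are lost."""
    data = payload.encode("utf-8")
    if len(data) <= limit:
        return payload
    return data[:limit].decode("utf-8", errors="ignore")


# Constructed sample profile with four match lists (names are assumptions).
EXAMPLE_MATCH_LISTS = [
    MatchList("threat-to-panorama", "threat", panorama=True),
    MatchList("wildfire-to-soc", "threat", "(subtype eq wildfire-virus)", syslog=["soc-syslog"]),
    MatchList("urgent-to-oncall", "threat",
              "(severity eq critical) or (severity eq high) and (action neq block)",
              email=["oncall-smtp"]),
    MatchList("traffic-to-panorama", "traffic", panorama=True),
]

# Constructed sample log records (not captured from a firewall).
SAMPLE_LOGS = [
    {"type": "threat", "subtype": "wildfire-virus", "severity": "high", "action": "alert"},
    {"type": "threat", "subtype": "vulnerability", "severity": "critical", "action": "block"},
    {"type": "threat", "subtype": "spyware", "severity": "high", "action": "block"},
    {"type": "traffic", "subtype": "end", "action": "allow"},
    {"type": "system", "subtype": "general", "severity": "informational"},
]

if __name__ == "__main__":
    for rec in SAMPLE_LOGS:
        print(rec["type"], rec["subtype"], "->", route_log(EXAMPLE_MATCH_LISTS, rec) or "nothing")
```

Running the block shows the wildfire-virus record reaching Panorama, the SOC syslog profile and the on-call email profile at once, the System log reaching nothing (it is not a log type this profile handles), and a filter that ends in a dangling connector rejected rather than silently matching everything.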
- Assign the Log Forwarding profile to policy rules and network zones. Security, Authentication, and DoS Protection rules support log forwarding. In this example, you assign the profile to a Security rule. Perform the following steps for each rule that you want to trigger log forwarding:
- Select Policies > Security and edit the rule.
- Select Actions and select the Log Forwarding profile you created.
- Set the Profile Type to Profiles or Group, and then select the security profiles or Group Profile required to trigger log generation and forwarding for:
- Threat logs—Traffic must match any security profile assigned to the rule.
- WildFire Submission logs—Traffic must match a WildFire Analysis profile assigned to the rule.
- For Traffic logs, select Log At Session Start and/or Log At Session End. Log At Session Start consumes more resources than logging only at the session end. In most cases, you only Log At Session End. Enable both Log At Session Start and Log At Session End only for troubleshooting, for long-lived tunnel sessions such as GRE tunnels (you can't see these sessions in the ACC unless you log at the start of the session), and to gain visibility into Operational Technology/Industrial Control Systems (OT/ICS) sessions, which are also long-lived sessions.
- Click OK to save the rule.
- Configure the destinations for System, Configuration, Correlation, GlobalProtect, HIP Match, and User-ID logs. Panorama generates Correlation logs based on the firewall logs it receives, rather than aggregating Correlation logs from firewalls.
- Select Device > Log Settings.
- For each log type that the firewall will forward, Add one or more match list profiles, following the same steps as for the Log Forwarding profile above (Name, Filter, Panorama, and server profiles).
- (PA-7500 Series firewall only) Configure a log interface to perform log forwarding. LOG-1 and LOG-2 are bundled as a single logical interface called bond1.
- Select Device > Setup > Management.
- Select the settings gear on the top menu bar of Log Interface.
- Fill in the IP Address, Netmask, and Default Gateway fields. If your network uses IPv6, fill in the IPv6 Address and IPv6 Default Gateway fields instead. The log interface can be configured with either an IPv4 address or an IPv6 address; it cannot have both at the same time.
- Specify the Link Speed, Link Duplex, and Link State. These fields default to auto, which specifies that the firewall automatically determines the values based on the connection.
- Click OK to save your changes.
- (PA-7000 Series firewalls with Log Cards only) Configure a log card interface to perform log forwarding. As of PAN-OS 10.1, you can no longer forward System logs and other management-plane logs using the management interface or service routes. The only way to forward System logs from a PA-7000 Series firewall with a Log Forwarding Card (LFC) running PAN-OS 10.1 or later is to configure a log card interface.
- Select Network > Interfaces > Ethernet and click Add Interface.
- Select the Slot and Interface Name.
- Set the Interface Type to Log Card.
- Enter the IP Address, Default Gateway, and (for IPv4 only) Netmask.
- Select Advanced and specify the Link Speed, Link Duplex, and Link State. These fields default to auto, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommended Link Speed for any connection is 1000 (Mbps).
- Click OK to save your changes.
- (PA-5450 firewall only) Configure a log interface to perform log forwarding. This step is not required if you forward logs to Panorama or to Strata Logging Service over the management interface; the management interface handles log forwarding by default and does not require a log interface.
- (PAN-OS 10.2.0 and 10.2.1) The management interface handles log forwarding by default unless you configure a specific service route for log forwarding.
- (PAN-OS 10.2.2 and later releases) The management interface handles log forwarding by default unless you configure the log interface or a specific service route for log forwarding. Once a log interface is configured and committed, all internal logging and all forwarding to Strata Logging Service, SNMP, HTTP, and syslog destinations goes out through the log interface.
Ensure that the log interface you are configuring is not in the same subnetwork as the management interface. Configuring both interfaces in the same subnetwork can cause connectivity issues and result in the wrong interface being used for log forwarding. LOG-1 and LOG-2 are bundled as a single logical interface called bond1. Bond1 uses LACP (Link Aggregation Control Protocol, IEEE 802.3ad). Set the Mode for LACP status queries to Active and the Transmission Rate for LACP query and response exchanges to Slow.
- Select Device > Setup > Management.
- Select the settings gear on the top menu bar of Log Interface.
- Fill in the IP Address, Netmask, and Default Gateway fields. If your network uses IPv6, fill in the IPv6 Address and IPv6 Default Gateway fields instead. When the log interface is configured with an IP address, communication between the firewall and Panorama automatically switches from the management interface (the default) to the log interface.
- Specify the Link Speed, Link Duplex, and Link State. These fields default to auto, which specifies that the firewall automatically determines the values based on the connection.
- Click OK to save your changes.
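The subnet warning above is easy to get wrong when the management and log addresses are assigned by different teams, so here is an added Python pre-commit check (not code from the PAN-OS documentation or from Palo Alto Networks) that flags a log interface sharing a subnet with the management interface, and additionally flags a default gateway that does not sit inside the log interface's subnet, which is an extra sanity check of my own rather than something the page states. The addresses are constructed placeholders from the documentation ranges; the check accepts either prefix-length or dotted-netmask notation, so it can be fed the values exactly as they appear in the IP Address and Netmask fields.

```python
"""Check a planned PAN-OS log interface against the management interface.

Added example; not code from the PAN-OS documentation or Palo Alto Networks.
Addresses used for testing are constructed (RFC 5737 / RFC 3849 ranges).
"""
import ipaddress


def same_subnet(mgmt_if: str, log_if: str) -> bool:
    """True if the two interface addresses ("addr/prefix" or, for IPv4,
    "addr/netmask") lie in overlapping subnets, the condition the docs warn
    can make the firewall pick the wrong interface for log forwarding."""
    mgmt = ipaddress.ip_interface(mgmt_if).network
    log = ipaddress.ip_interface(log_if).network
    if mgmt.version != log.version:
        return False  # an IPv4 and an IPv6 subnet cannot overlap
    return mgmt.overlaps(log)


def check_log_interface(mgmt_if: str, log_if: str, log_gw: str) -> list:
    """Return a list of problems to fix before committing; empty means OK.
    The gateway-in-subnet test is an assumed extra check, not from the docs."""
    problems = []
    if same_subnet(mgmt_if, log_if):
        problems.append(f"log interface {log_if} shares a subnet with management {mgmt_if}")
    log_net = ipaddress.ip_interface(log_if).network
    gw = ipaddress.ip_address(log_gw)
    if gw.version != log_net.version or gw not in log_net:
        problems.append(f"default gateway {log_gw} is not inside {log_net}")
    return problems


if __name__ == "__main__":
    # Constructed values: management on 192.0.2.0/24, log interface on 198.51.100.0/24.
    print(check_log_interface("192.0.2.10/24", "198.51.100.20/255.255.255.0", "198.51.100.1"))
    print(check_log_interface("192.0.2.10/24", "192.0.2.20/24", "198.51.100.1"))
```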
- Commit and verify your changes.
- Commit your changes.
- Verify the log destinations you configured are receiving firewall logs:
- Panorama—If the firewall forwards logs to a Panorama virtual appliance in Panorama mode or to an M-Series appliance, you must configure a Collector Group before Panorama will receive the logs. You can then verify log forwarding.
- Email server—Verify that the specified recipients are receiving logs as email notifications.
- Syslog server—Refer to your syslog server documentation to verify it’s receiving logs as syslog messages.
- SNMP manager—Use an SNMP Manager to Explore MIBs and Objects to verify it’s receiving logs as SNMP traps.
- HTTP server—Forward Logs to an HTTP/S Destination.