1. Home
    2. PAN-OS
    3. PAN-OS Administrator's Guide
    4. Monitoring
    5. Configure Log Forwarding

    Configure Log Forwarding

    To use Panorama or Use External Services for Monitoring the firewall, you must configure the firewall to forward its logs. Before forwarding to external services, the firewall automatically converts the logs to the necessary format: syslog messages, SNMP traps, or email notifications. Before starting this procedure, ensure that Panorama or the external server that will receive the log data is already set up.
    The PA-7000 Series firewall can’t forward logs to Panorama, only to external services. However, when you use Panorama to monitor logs or generate reports for a device group that includes a PA-7000 Series firewall, Panorama queries the PA-7000 Series firewall in real-time to display its log data.
    You can forward logs from the firewalls directly to external services or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.
    You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the PA-7000 Series firewall, it does not support these options. You can also use the web interface on all platforms to Manage Reporting, but only on a per log type basis, not the entire log database.
    1. Configure a server profile for each external service that will receive log data.
      You can use separate profiles to send each log type to a different server. To increase availability, define multiple servers in a single profile.
    2. Create a log forwarding profile.
      The profile defines the destinations for Traffic, Threat, and WildFire Submission logs. (Threat logs include URL Filtering and Data Filtering logs.)
      1. Select
        Objects
        Log Forwarding
         and click
        Add
        .
      2. Enter a
        Name
         to identify the profile. If you want the firewall to automatically assign the profile to new security rules and zones, enter
        default
        . If you don’t want a default profile, or you want to override an existing default profile, enter a
        Name
         that will help you identify the profile when assigning it to security rules and zones.
        If no log forwarding profile named
        default
         exists, the profile selection is set to
        None
         by default in new security rules (
        Log Forwarding
         field) and new security zones (
        Log Setting
         field), although you can change the selection.
      3. Perform the following steps for each log type and each severity level or WildFire verdict:
        1. Select the
          Panorama
           check box if you want to aggregate firewall logs on Panorama. (You can then configure Panorama to forward the logs to external services.)
        2. Select the
          SNMP Trap
          ,
          Email
          , or
          Syslog
           server profile you configured for this log type, and click
          OK
          .
    3. Assign the log forwarding profile to security rules.
      To trigger log generation and forwarding, the rules require certain Security Profiles according to log type:
      • Traffic logs—No security profile is necessary; the traffic only needs to match a specific security rule.
      • Threat logs—The traffic must match any security profile assigned to a security rule.
      • WildFire logs—The traffic must match a WildFire Analysis profile assigned to a security rule.
      Perform the following steps for each rule that will trigger log forwarding:
      1. Select
        Policies
        Security
         and click the rule.
      2. Select the
        Actions
         tab and select the
        Log Forwarding
         profile you just created.
      3. In the
        Profile Type
         drop-down, select
        Profiles
         or
        Group
        , and then select the security profiles or
        Group Profile
         required to trigger log generation and forwarding.
      4. For Traffic logs, select one or both of the
        Log At Session Start
         and
        Log At Session End
         check boxes, and click
        OK
        .
    4. Configure the destinations for System, Config, HIP Match, and Correlation logs.
      1. Select
        Device
        Log Settings
        .
      2. Perform the following steps for each log type. For System and Correlation logs, start by clicking the Severity level. For Config and HIP Match logs, start by editing the section.
        1. Select the
          Panorama
           check box if you want to aggregate System, Config, and HIP Match logs on Panorama. Optionally, you can then configure Panorama to forward the logs to the external services.
          Panorama generates Correlation logs based on the firewall logs it receives, rather than aggregating Correlation logs from firewalls.
        2. Select the
          SNMP Trap
          ,
          Email
          , or
          Syslog
           server profile you configured for this log type and click
          OK
          .
    5. (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.
      1. Select
        Network
        Interfaces
        Ethernet
         and click
        Add Interface
        .
      2. Select the
        Slot
         and
        Interface Name
        .
      3. For the
        Interface Type
        , select
        Log Card
        .
      4. Enter the
        IP Address
        ,
        Default Gateway
        , and (for IPv4 only)
        Netmask
        .
      5. Select
        Advanced
         and specify the
        Link Speed
        ,
        Link Duplex
        , and
        Link State
        .
        These fields default to
        auto
        , which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommended
        Link Speed
         for any connection is
        1000
         (Mbps).
      6. Click
        OK
         to save your changes.
    6. Commit and verify your changes.
      1. Click
        Commit
         to complete the log forwarding configuration.
      2. Verify the log destinations you configured are receiving firewall logs:
        • Panorama—If the firewall forwards logs to an M-Series appliance, you must configure a Collector Group before Panorama will receive the logs. You can then verify log forwarding.
        • Email server—Verify that the specified recipients are receiving logs as email notifications.
        • Syslog server—Refer to the documentation for your syslog server to verify it is receiving logs as syslog messages.
        • SNMP manager—Use an SNMP Manager to Explore MIBs and Objects to verify it is receiving logs as SNMP traps.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2020 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo