Select Device > Log Settings to configure alarms, clear logs, or enable log forwarding to Panorama and external services.
Select Log Forwarding Destinations
Use this page to forward logs to the following destinations:
Panorama—To specify the address of the Panorama management server, see Panorama Settings: Device > Setup > Management. SNMP trap server —To define the SNMP trap servers, see Device > Server Profiles > SNMP Trap. Syslog server —To define the syslog servers, see Device > Server Profiles > Syslog. Email server —To define the email recipients and servers, see Device > Server Profiles > Email.
To configure destinations for Traffic, Threat and WildFire Submissions logs, see Objects > Log Forwarding.
You can forward the following log types.
Log Type Description
Config logs Record configuration changes to firewall or Panorama. Each entry includes the date and time, the administrator username, the IP address from where the change was made, the type of client (XML, Web or CLI), the type of command executed, whether the command succeeded or failed, the configuration path, and the values before and after the change.
System logs Show system events such as HA failures, link status changes, and administrators logging in and out of the firewall. You can select a different destination for each log severity level: Critical —Hardware failures, including HA failover, and link failures. High —Serious issues, including dropped connections with external devices, such as syslog and RADIUS servers. Medium —Mid-level notifications, such as antivirus package upgrades. Low —Minor severity notifications, such as user password changes. Informational —Log in/log off, administrator name or password change, any configuration change, and all other events not covered by the other severity levels.
Correlation logs The firewall and Panorama log correlation events when the patterns and thresholds defined in a correlation object match the network traffic patterns captured in Application Statistics, Traffic, Threat, Data Filtering, and URL Filtering logs. A correlated event gathers evidence of suspicious or unusual behavior of users or hosts on the network. For details, see Monitor > Automated Correlation Engine. You cannot forward Correlation logs from firewalls to Panorama. Panorama generates Correlation logs based on the firewall logs it receives. You can select a different destination for each log severity level: Critical —Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file. High —Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity being generated from a particular host. Medium —Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs that suggests a scripted command-and-control activity. Low —Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain. Informational —Detects an event that may be useful in aggregate for identifying suspicious activity; each event is not necessarily significant on its own.
HIP Match logs Display traffic flows that match a HIP object or HIP profile. Select Objects > GlobalProtect > HIP Objects to set up a HIP object or select Objects > GlobalProtect > HIP Profiles to create a HIP profile.
Define Alarm Settings
Use the Alarm Settings to configure Alarms for the CLI and the web interface. You can configure notifications for the following events:
A security rule (or group of rules) has been matched at a specified threshold and within a specified time interval. Encryption/Decryption failure threshold is met. The Log database for each log type is nearing full; the quota by default is set to notify when 90% of the available disk space is used. Configuring alarms allows to take action before the disk is full, and logs are purged.
When you enable alarms, you can view the current list by clicking Alarms ( ) in the bottom of the web interface.
To add an alarm, edit the alarm settings.
Alarm Log Setting Description
Enable Alarms Enable alarms based on the events listed on this page. Alarms is visible only when you Enable Alarms.
Enable CLI Alarm Notifications Enable CLI alarm notifications whenever alarms occur.
Enable Web Alarm Notifications Open a window to display alarms on user sessions, including when they occur and when they are acknowledged.
Enable Audible Alarms An audible alarm tone will play every 15 seconds on the administrator's computer when the administrator is logged into the web interface and unacknowledged alarms exist. The alarm tone will play until the administrator acknowledges all alarms. To view and acknowledge alarms, click Alarms. This feature is only available when in the firewall is in FIPS-CC mode.
Encryption/Decryption Failure Threshold Specify the number of encryption/decryption failures after which an alarm is generated.
Log DB Alarm Threshold (% Full) Generate an alarm when a log database reaches the indicated percentage of the maximum size.
Security Policy Limits An alarm is generated if a particular IP address or port hits a deny rule the number of times specified in the Security Violations Threshold setting within the period (seconds) specified in the Security Violations Time Period setting.
Security Policy Group Limits An alarm is generated if the collection of rules reaches the number of rule limit violations specified in the Violations Threshold field during the period specified in the Violations Time Period field. Violations are counted when a session matches an explicit deny policy. Use Security Policy Tags to specify the tags for which the rule limit thresholds will generate alarms. These tags become available to be specified when defining security policies.
Selective Audit The selective audit options are only available when the firewall is in FIPS-CC mode. Specify the following settings: FIPS-CC Specific Logging —Enables verbose logging required for Common Criteria (CC) compliance. Packet Drop Logging —Logs packets dropped by the firewall. Suppress Login Success Logging —Stops logging of successful administrator logins to the firewall. Suppress Login Failure Logging —Stops logging of failed administrator logins to the firewall. TLS Session Logging —Logs the establishment of TLS sessions. CA (OCSP/CRL) Session Establishment Logging —Logs session establishment between the firewall and a certificate authority when the firewall sends a request to check certificate revocation status using the Online Certificate Status Protocol or a Certificate Revocation List server request. (Disabled by default.) IKE Session Establishment Logging —Logs IPSec IKE session establishment when the VPN gateway on the firewall authenticates with a peer. The peer can be a Palo Alto Networks firewalls or another security device used to initiate and terminate VPN connections. The interface name that is specified in the log is the interface that is bound to the IKE gateway. The IKE gateway name is also displayed if applicable. Disabling this option stops logging of all IKE logging events. (Enabled by default.) Suppressed Administrators —Stops logging of changes that the listed administrators make to the firewall configuration.
Clear Logs
You can clear logs on the firewall when you Manage Logs on the Log Settings page. Click the log type you want to clear and click Yes to confirm the request.
To automatically delete logs and reports, you can configure expiration periods. For details, see Logging and Reporting Settings.

Related Documentation