The following topics provide additional information about monitoring logs.

What do you want to know?
Tell me about the different types of logs: see Log Types.
Filter logs, export logs, view details for individual log entries, or modify the log display: see Log Actions.
Find AutoFocus threat intelligence related to logs: see AutoFocus Threat Data for Log Artifacts.
Looking for more? See Monitor and manage logs.
Log Types
The firewall displays all logs so that role-based administration permissions are respected. Only the information that you have permission to see is included, and this might vary depending on the types of logs you are viewing. For information on administrator permissions, refer to Device > Admin Roles.
Traffic: Displays an entry for the start and end of each session. Each entry includes the date and time, source and destination zones, addresses and ports, application name, security rule name applied to the flow, rule action (allow, deny, or drop), ingress and egress interface, number of bytes, and session end reason. The Type column indicates whether the entry is for the start or end of the session, or whether the session was denied or dropped. A “drop” indicates that the security rule that blocked the traffic specified “any” application, while a “deny” indicates that the rule identified a specific application. If traffic is dropped before the application is identified, such as when a rule drops all traffic for a specific service, the application is shown as “not-applicable”.
Drill down in traffic logs for more details on individual entries and artifacts: Click Details to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (the Count value will be greater than one). On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Threat Data for Log Artifacts for that artifact.

Threat: Displays an entry for each security alarm generated by the firewall. Each entry includes the date and time, a threat name or URL, the source and destination zones, addresses, and ports, the application name, and the alarm action (allow or block) and severity. The Type column indicates the type of threat, such as “virus” or “spyware.” The Name column is the threat description or URL, and the Category column is the threat category (such as “keylogger”) or URL category.
Drill down in threat logs for more details on individual entries and artifacts: Click Details to view additional details about the threat, such as whether the entry aggregates multiple threats of the same type between the same source and destination (the Count value will be greater than one). On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Threat Data for Log Artifacts for that artifact. If local packet captures are enabled, click Download to access the captured packets. To enable local packet captures, refer to the subsections under Objects > Security Profiles.
To view more details about a threat or to quickly configure threat exemptions directly from the threat logs, click the threat name in the Name column. The Exempt Profiles list shows all custom Antivirus, Anti-Spyware, and Vulnerability Protection profiles. To configure an exemption for a threat signature, select the check box to the left of the security profile name and save your change. To add exemptions for IP addresses (up to 100 IP addresses per signature), highlight the security profile, add the IP address(es) in the Exempt IP Addresses section, and click OK to save. To view or modify the exemption, go to the associated security profile and click the Exceptions tab. For example, if the threat type is vulnerability, select Objects > Security Profiles > Vulnerability Protection, click the associated profile, then click the Exceptions tab.

URL Filtering: Displays logs for URL filters, which block access to specific web sites and web site categories or generate an alert when a web site is accessed. You can enable logging of the HTTP header options for the URL. Refer to Objects > Security Profiles > URL Filtering for information on defining URL filtering profiles. On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Threat Data for Log Artifacts for that artifact.

WildFire Submissions: Displays logs for files that are uploaded to and analyzed by the WildFire server. After analysis, the server returns log data to the firewall along with the analysis results. On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash (in the File Digest column) contained in a log entry and click the drop-down to open the AutoFocus Threat Data for Log Artifacts for that artifact.

Data Filtering: Displays logs for security policies with attached Data Filtering profiles, which help prevent sensitive information such as credit card or social security numbers from leaving the area protected by the firewall, and File Blocking profiles, which prevent certain file types from being uploaded or downloaded. To configure password protection for access to the details of a log entry, click the password-protection icon, enter the password, and click OK. Refer to Device > Response Pages for instructions on changing or deleting the data protection password. The system prompts you to enter the password only once per session.

Configuration: Displays an entry for each configuration change. Each entry includes the date and time, the administrator user name, the IP address from which the change was made, the type of client (web interface or CLI), the type of command executed, whether the command succeeded or failed, the configuration path, and the values before and after the change.

System: Displays an entry for each system event. Each entry includes the date and time, the event severity, and an event description.

HIP Match: Displays information about security policies that apply to GlobalProtect™ clients. For more information, refer to Network > GlobalProtect > Portals.

Alarms: The Alarms log records detailed information on alarms generated by the system. This information is also reported in Alarms. Refer to Define Alarm Settings.

Unified: Displays the latest Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering log entries in a single view. The collective log view enables you to investigate and filter these different types of logs together (instead of searching each log set separately). Alternatively, you can choose which log types to display: click the arrow to the left of the filter field and select traffic, threat, url, data, and/or wildfire to display only the selected log types. On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Threat Data for Log Artifacts for that artifact.
The firewall displays all logs so that role-based administration permissions are respected. When viewing Unified logs, only the logs that you have permission to see are displayed. For example, an administrator who does not have permission to view WildFire Submissions logs will not see WildFire Submissions log entries when viewing Unified logs. For information on administrator permissions, refer to Device > Admin Roles.
You can use the Unified log set with the AutoFocus threat intelligence portal. Set up an AutoFocus search to add AutoFocus search filters directly to the Unified log filter field.
Log Actions
The following table describes log actions.
Filter Logs: Each log page has a filter field at the top of the page. You can add artifacts to the field, such as an IP address or a time range, to find matching log entries. The icons to the right of the field enable you to apply, clear, create, save, and load filters.
Create a filter: Click an artifact in a log entry to add that artifact to the filter. Click Add to define new search criteria. For each criterion, select the Connector that defines the search type (and or or), the Attribute on which to base the search, an Operator to define the scope of the search, and a Value for evaluation against log entries. Add each criterion to the filter field and Close when you finish. You can then apply the filter. If the Value string matches an Operator (such as has or in), enclose the string in quotation marks to avoid a syntax error. For example, if you filter by destination country and use IN as a Value to specify INDIA, enter the filter as ( dstloc eq "IN" ). The log filter (receive_time in last-60-seconds) causes the number of log entries (and log pages) displayed to grow or shrink over time.
Apply a filter: Click Apply Filter to display log entries that match the current filter.
Delete a filter: Click Clear Filter to clear the filter field.
Save a filter: Click Save Filter, enter a name for the filter, and click OK.
Use a saved filter: Click Load Filter to add a saved filter to the filter field.

Export Logs: Click Export to CSV to export all logs that match the current filter to a CSV-formatted report, then Download file. By default, the report contains up to 2,000 lines of logs. To change the line limit for generated CSV reports, select Device > Setup > Management > Logging and Reporting Settings > Log Export and Reporting and enter a new Max Rows in CSV Export value.

Change Log Display:
Change the automatic refresh interval: Select an interval from the interval drop-down (60 seconds, 30 seconds, 10 seconds, or Manual).
Change the number and order of entries displayed per page: Log entries are retrieved in blocks of 10 pages. Use the paging controls at the bottom of the page to navigate through the log list. To change the number of log entries per page, select the number of rows from the per page drop-down (20, 30, 40, 50, 75, or 100). To sort the results in ascending or descending order, use the ASC or DESC drop-down.
Resolve IP addresses to domain names: Select Resolve Hostname to begin resolving external IP addresses to domain names.
Change the order in which logs are displayed: Select DESC to display logs in descending order, beginning with the entries with the most recent Receive Time. Select ASC to display logs in ascending order, beginning with the entries with the oldest Receive Time.

View Details for Individual Log Entries: To display additional details, click Details for an entry. If the source or destination has an IP address to domain or username mapping defined in the Addresses page, the name is presented instead of the IP address. To view the associated IP address, move your cursor over the name. On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Threat Data for Log Artifacts for that artifact.
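The filter syntax described under Filter Logs, as an added example in Python that is not part of the PAN-OS documentation: it renders (Connector, Attribute, Operator, Value) criteria in the form the filter field expects and quotes a Value that would collide with a keyword, which is what makes ( dstloc eq "IN" ) necessary for the country code IN. Only eq, has and in are taken from the text above; the rest of the operator set and the attribute names in the sample are assumptions.

```python
import re

# PAN-OS log filter keywords. `eq`, `has` and `in` appear in the help text;
# the remaining operators are assumed here and may need adjusting per release.
OPERATORS = {"eq", "neq", "leq", "geq", "in", "has", "contains"}
CONNECTORS = {"and", "or"}


def quote_value(value: str) -> str:
    """Quote a Value the filter parser would otherwise misread.

    Quoting is needed when the value spells an operator or connector (the
    help text's example: country code IN vs. operator `in`), is empty, or
    contains whitespace or parentheses. Values containing a double quote are
    rejected rather than escaped: this example assumes nothing about the
    parser's escape syntax.
    """
    if '"' in value:
        raise ValueError("double quotes inside filter values are not supported")
    if not value or value.lower() in OPERATORS | CONNECTORS or re.search(r"[\s()]", value):
        return f'"{value}"'
    return value


def criterion(attribute: str, operator: str, value: str) -> str:
    """Render one criterion, e.g. ( dstloc eq "IN" )."""
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator: {operator}")
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.]*", attribute):
        raise ValueError(f"bad attribute name: {attribute}")
    return f"( {attribute} {operator} {quote_value(value)} )"


def build_filter(criteria) -> str:
    """Join criteria as the web interface's filter builder does.

    `criteria` is a sequence of (connector, attribute, operator, value).
    The first criterion's connector is ignored: nothing precedes it.
    """
    parts = []
    for i, (connector, attribute, operator, value) in enumerate(criteria):
        if connector not in CONNECTORS:
            raise ValueError(f"unknown connector: {connector}")
        term = criterion(attribute, operator, value)
        parts.append(term if i == 0 else f"{connector} {term}")
    return " ".join(parts)


if __name__ == "__main__":
    print(build_filter([("and", "dstloc", "eq", "IN"),
                        ("and", "receive_time", "in", "last-60-seconds")]))
```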
AutoFocus Threat Data for Log Artifacts
Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs include AutoFocus threat intelligence data to provide context for certain artifacts found in log entries, such as an IP address or a filename. To access the AutoFocus threat summary in firewall logs, first make sure that you have set up the firewall connection to AutoFocus (Device > Setup > Management > AutoFocus).
With Panorama, this feature allows you to view AutoFocus threat intelligence even for log entries from firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 and earlier release versions.
When viewing the supported log types, click the drop-down for the following artifacts in a log entry to find the latest AutoFocus findings and statistics for that artifact:
An IP address.
A URL.
A user agent. (In Data Filtering logs, the user agent can be found in the User Agent column.)
A filename.
A threat name.
A SHA-256 hash. (In WildFire Submissions logs, the SHA-256 hashes for files the firewall submits to WildFire display in the File Digest column.)
You can then review the AutoFocus Threat Intelligence Summary to quickly assess the pervasiveness and risk of an artifact. Click the link in the AutoFocus summary to open an AutoFocus search from the firewall. The AutoFocus portal opens in a new browser tab with the firewall artifact added as a search condition.
The AutoFocus summary for log artifacts previews the following details.
Passive DNS: Displays IP addresses, domains, URLs, and any recent passive DNS history for the artifact.
Matching Tags: Displays AutoFocus tags matched to the artifact. AutoFocus tags include your organization tags, public tags (tags shared by other AutoFocus users), and Unit 42 tags (tags that Palo Alto Networks creates to identify threats that pose a direct security risk).
Sessions: Displays the number of private sessions in which detected samples contained the artifact. Private sessions are sessions running only on firewalls associated with your support account.
WildFire Verdicts: Displays the number of public and private grayware, benign, and malware samples that contain the artifact.
Recent WildFire Verdicts: Displays the latest private samples in which WildFire detected the artifact (including the sample file type, the date the sample was detected, and the WildFire verdict for the sample). Private samples are samples detected only on firewalls associated with your support account.