Each Security policy can specify a log forwarding profile that determines whether traffic, threat, and WildFire Submissions log entries are logged remotely with Panorama, and/or sent as SNMP traps, syslog messages, or email notifications:
Traffic logs record information about each traffic flow.
Threat logs record the threats or problems with the network traffic, such as virus or spyware detection. Note that the Antivirus, Anti-Spyware, and Vulnerability Protection profiles associated with each rule determine which threats are logged (locally or remotely).
WildFire Submissions logs record the files and email links that the firewall forwards for WildFire analysis, including the WildFire verdict for each sample (benign, grayware, or malicious).
By default, the firewall performs only local logging. To enable a log forwarding profile, attach it to a Policies > Security rule.
On PA-7000 Series firewalls, you must configure a Log Card Interface before the firewall will forward the following log types: Syslog, Email, and SNMP. This is also required to forward files to WildFire. After the port is configured, log forwarding and WildFire forwarding automatically use this port; no special configuration is required. Configure a data port on one of the PA-7000 Series NPCs as interface type Log Card and ensure that the network that will be used can communicate with your log servers. For WildFire forwarding, the network must be able to communicate with the WildFire cloud and/or WildFire appliance.
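The step above ends with a requirement that is easy to skip: the network behind the Log Card port must actually reach the syslog, email and SNMP servers. The following script is an added example, not part of the PAN-OS documentation or product, that a practitioner can run from a host on that same network segment to verify TCP-based destinations before committing the profile. Hostnames and ports in it are constructed placeholders; 514/6514 (syslog), 25 (SMTP) and 162 (SNMP trap) are the conventional defaults and do not come from the page. UDP destinations cannot be verified from the sender side (there is no handshake), so the script reports them as needing confirmation on the receiver.

```python
"""Reachability check for log forwarding destinations (added example).

Run from a host on the same network the firewall's log card / management
interface will use. Only TCP destinations can be verified with a connect
test; UDP syslog and SNMP traps must be confirmed on the receiving server.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Destination:
    name: str    # label used in the report (constructed)
    host: str    # placeholder address; replace with your real log server
    port: int
    proto: str   # "tcp" or "udp"


def check_tcp_endpoint(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, timed out, or no route: all mean the forwarder would fail too
        return False


def check_destinations(destinations, timeout: float = 2.0) -> dict:
    """Map each destination name to True (reachable), False (not), or None.

    None means 'not verifiable by a connect test': a closed UDP port looks
    identical to an open one from the sender's side, so check the receiver's
    packet capture or listener logs for those instead.
    """
    results = {}
    for d in destinations:
        if d.proto == "tcp":
            results[d.name] = check_tcp_endpoint(d.host, d.port, timeout)
        else:
            results[d.name] = None
    return results


def start_local_listener(host: str = "127.0.0.1"):
    """Start a throwaway TCP listener on an ephemeral port.

    Exists only so the example runs offline: it stands in for a syslog
    server. Returns (server_socket, port); close the socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    # Constructed destinations: the local listener plays the syslog server;
    # 192.0.2.0/24 is documentation address space and stays unreachable.
    dests = [
        Destination("syslog-tcp", "127.0.0.1", port, "tcp"),
        Destination("syslog-udp", "127.0.0.1", 514, "udp"),
        Destination("smtp-relay", "192.0.2.25", 25, "tcp"),
        Destination("snmp-trap", "192.0.2.162", 162, "udp"),
    ]
    labels = {True: "reachable", False: "UNREACHABLE", None: "udp: verify on receiver"}
    try:
        for name, ok in check_destinations(dests, timeout=1.0).items():
            print(f"{name:12} {labels[ok]}")
    finally:
        srv.close()
```

Replace the placeholder destinations with the addresses configured in the profile's syslog, email and SNMP server profiles; an UNREACHABLE result before the commit is much cheaper to debug than a silent gap in the remote log store afterwards.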
PA-7000 Series firewalls cannot forward logs to Panorama, only to external services. However, when you use Panorama to monitor logs or generate reports for a device group that includes a PA-7000 Series firewall, Panorama queries the firewall in real-time to display its log data.
The following table describes the log forwarding settings.
Log Forwarding Profile Setting
Enter a profile name (up to 31 characters). This name appears in the list of log forwarding profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Select this option if you want the profile to be available to:
Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the
selected in the
Every device group on Panorama. If you clear this selection, the profile will be available only to the
selected in the
Select this option if you want to prevent administrators from creating local copies of the profile in descendant device groups by overriding its inherited values. This selection is cleared by default, which means overriding is enabled.
Select this option to enable sending traffic log entries to the Panorama centralized management system. To define the Panorama server address, refer to Device > Setup > Management.
Click this option for each severity level of the threat log entries to be sent to Panorama. The severity levels are:
Critical—Very serious attacks detected by the threat security engine.
High—Major attacks detected by the threat security engine.
Medium—Minor attacks detected by the threat security engine.
Low—Warning-level attacks detected by the threat security engine.
Informational—All other events, including URL blocking and informational attack object matches that are not covered by the other severity levels.