Each Security policy can specify a log forwarding profile that determines whether traffic, threat, and WildFire Submissions log entries are logged remotely with Panorama, and/or sent as SNMP traps, syslog messages, or email notifications:
- Traffic logs record information about each traffic flow.
- Threat logs record the threats or problems with the network traffic, such as virus or spyware detection. Note that the Antivirus, Anti-Spyware, and Vulnerability Protection profiles associated with each rule determine which threats are logged (locally or remotely).
- WildFire Submissions logs record the files and email links that the firewall forwards for WildFire analysis, including the WildFire verdict for each sample (benign, grayware, or malicious).
By default, the firewall only performs local logging. To enable a log forwarding profile, attach it to a Policies > Security rule.
On PA-7000 Series firewalls, you must configure a Log Card Interface before the firewall will forward the following log types: Syslog, Email, and SNMP. This is also required to forward files to WildFire. After the port is configured, log forwarding and WildFire forwarding automatically use this port; no special configuration is required. Configure a data port on one of the PA-7000 Series NPCs as interface type Log Card and ensure that the network it uses can communicate with your log servers. For WildFire forwarding, the network must be able to communicate with the WildFire cloud and/or WildFire appliance. PA-7000 Series firewalls cannot forward logs to Panorama, only to external services. However, when you use Panorama to monitor logs or generate reports for a device group that includes a PA-7000 Series firewall, Panorama queries the firewall in real time to display its log data.
The following table describes the log forwarding settings.
| Log Forwarding Profile Setting | Description |
| --- | --- |
| Name | Enter a profile name (up to 31 characters). This name appears in the list of log forwarding profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. |
| Shared | Select this option if you want the profile to be available to: (1) Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab. (2) Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab. |
| Disable override (Panorama only) | Select this option if you want to prevent administrators from creating local copies of the profile in descendant device groups by overriding its inherited values. This selection is cleared by default, which means overriding is enabled. |
| Traffic Settings | |
| Panorama | Select this option to enable sending traffic log entries to the Panorama centralized management system. To define the Panorama server address, refer to Device > Setup > Management. |
| SNMP Trap, Email, Syslog | Select the SNMP, syslog, and/or email settings that specify additional destinations where the traffic log entries are sent. To define new destinations, refer to: Device > Server Profiles > SNMP Trap; Device > Server Profiles > Email; Device > Server Profiles > Syslog. |
| Threat Settings | |
| Panorama | Click this option for each severity level of the threat log entries to be sent to Panorama. The severity levels are: Critical: Very serious attacks detected by the threat security engine. High: Major attacks detected by the threat security engine. Medium: Minor attacks detected by the threat security engine. Low: Warning-level attacks detected by the threat security engine. Informational: All other events including URL blocking and informational attack object matches that are not covered by the other severity levels. |
| SNMP Trap, Email, Syslog | Under each severity level, select the SNMP, syslog, and/or email settings that specify additional destinations where the threat log entries are sent. To define new destinations, refer to: Device > Server Profiles > SNMP Trap; Device > Server Profiles > Email; Device > Server Profiles > Syslog. |
| WildFire Settings | |
| Panorama | Enable the firewall to forward WildFire Submissions log entries to Panorama, based on the WildFire verdict of the submitted file or email link. |
| SNMP Trap, Email, Syslog | For each WildFire verdict, select the SNMP, syslog, and/or email settings to specify destinations to send WildFire Submissions logs. To define new destinations, refer to: Device > Server Profiles > SNMP Trap; Device > Server Profiles > Email; Device > Server Profiles > Syslog. |
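
Because a Security rule with no log forwarding profile attached logs only locally, an exported configuration can be audited for such rules and for profile names that break the Name constraints in the table. The script below is an added example, not part of the original documentation or vendor tooling; it assumes rules reference their profile through a `log-setting` element and that profiles sit under `log-settings/profiles`, and the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, shaped like a fragment of an exported configuration.
# Assumption: the element layout below matches your export.
SAMPLE_CONFIG = """
<vsys><entry name="vsys1">
  <log-settings><profiles>
    <entry name="fwd-to-syslog"/>
    <entry name="bad/name"/>
  </profiles></log-settings>
  <rulebase><security><rules>
    <entry name="allow-web"><action>allow</action>
      <log-setting>fwd-to-syslog</log-setting></entry>
    <entry name="allow-dns"><action>allow</action></entry>
    <entry name="deny-all"><action>deny</action>
      <log-setting>missing-profile</log-setting></entry>
  </rules></security></rulebase>
</entry></vsys>
"""

# Name rule from the table: up to 31 characters; letters, numbers,
# spaces, hyphens, and underscores only.
NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,31}")

def audit(config_xml):
    """Return rules that log locally only, rules that reference a profile
    not defined in this export, and profile names that break the name rule."""
    root = ET.fromstring(config_xml)
    profiles = {e.get("name")
                for e in root.iterfind(".//log-settings/profiles/entry")}
    findings = {"local_only": [], "undefined_profile": [],
                "bad_names": sorted(p for p in profiles
                                    if not NAME_RE.fullmatch(p))}
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        setting = (rule.findtext("log-setting") or "").strip()
        if not setting:
            # No profile attached: nothing leaves the firewall for this rule.
            findings["local_only"].append(rule.get("name"))
        elif setting not in profiles:
            # May be defined elsewhere (for example pushed from Panorama).
            findings["undefined_profile"].append((rule.get("name"), setting))
    return findings

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_CONFIG).items():
        print(f"{kind}: {items}")
```

Run it against the full export rather than a single vsys fragment so that shared profiles are counted as defined.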
