Panorama can aggregate firewall and managed collector logs and forward them as SNMP traps, syslog messages, or email notifications to the destinations you select. Before starting, you must define server profiles for the destinations (see Device > Server Profiles > SNMP Trap, Device > Server Profiles > Syslog, and Device > Server Profiles > Email).
On a Panorama virtual appliance, use the Log Settings page to enable forwarding of firewall logs, managed collector logs, and local Panorama logs. On an M-Series appliance in Panorama mode, use this page to enable forwarding of the logs that Panorama and Log Collectors generate; to enable forwarding of firewall logs, use Configure a Collector Group instead.
The following table describes the logs and forwarding options on the Log Settings page.
HIP Match, Traffic, Threat, and WildFire™ logs apply only to firewalls, and therefore will not appear on this page if you use an M-Series appliance in Panorama mode. The Panorama virtual appliance displays all log types.
Log Settings Section: Description

System
  To enable log forwarding for a particular severity level, click that level in the Severity column and select the desired server profiles. The severity indicates the urgency and impact of the system event:
    Critical—Indicates a failure and the need for immediate attention (for example, hardware failures, including HA failover and link failures).
    High—Indicates an impending failure or condition that can impair the operational efficiency or security of the firewall (for example, dropped connections with external servers such as LDAP and RADIUS servers).
    Medium—Indicates a condition that can escalate into a more serious issue, such as a failure to complete an antivirus package upgrade.
    Low—Indicates something that might be a problem or is likely to become a problem, such as user password changes.
    Informational—Requires no attention. These logs provide useful information during normal operation of the system. This level covers configuration changes and all other events that the other severity levels do not cover.

Correlation
  Correlation logs are created when the definition for a correlation object matches traffic patterns on your network. For information on correlation objects, see Monitor > Automated Correlation Engine. Panorama uses the correlation objects to query the aggregated logs (forwarded to it from the managed firewalls and Log Collectors) for matches and logs the correlation events. These correlation events can be sent as syslog messages, email notifications, or SNMP traps.
  To enable log forwarding for a particular severity level, click that level in the Severity column and select the desired server profiles. The severity indicates the urgency and impact of the match; it broadly assesses the extent of damage or the escalation pattern observed, and the frequency of occurrence. Because correlation objects are focused on detecting threats, the correlated events typically relate to identifying compromised hosts on the network, and the severity implies the following:
    Critical—Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict from WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
    High—Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity being generated from a particular host.
    Medium—Indicates that a host is likely compromised based on the detection of one or more suspicious events, such as repeated visits to known malicious URLs that suggest scripted command-and-control activity.
    Low—Indicates that a host is possibly compromised based on the detection of one or more suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
    Informational—Detects an event that may be useful in aggregate for identifying suspicious activity; each event is not necessarily significant on its own.

Threat
  To enable log forwarding for a particular severity level, click that level in the Severity column and select the desired server profiles. The severity indicates the urgency and impact of the threat:
    Critical—Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and for which exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims, and the target does not need to be manipulated into performing any special functions.
    High—Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
    Medium—Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target, or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access. In addition, WildFire log entries with a malware verdict are logged as Medium.
    Low—Warning-level threats that have very little impact on the infrastructure of an organization. They usually require local or physical system access and can often result in victim privacy or DoS issues and information leakage. Data Filtering profile matches are logged as Low.
    Informational—Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist. Examples of informational logs are URL Filtering log entries, WildFire log entries with a benign verdict, and Data Filtering logs.

Config
  Config logs record all changes to the firewall or Panorama configuration. To enable forwarding, edit the Config settings and select the desired server profiles.

HIP Match
  The HIP Match log lists the host information profile (HIP) match requests for GlobalProtect™. To enable forwarding, edit the HIP Match settings and select the desired server profiles.

Traffic
  Traffic logs capture details (for example, origin and destination) of traffic that matches a policy. To enable forwarding, edit the Traffic settings and select the desired server profiles.

WildFire
  WildFire scans files and assigns a verdict. To enable log forwarding for a particular verdict, click that verdict in the Verdict column and select the desired server profiles. The verdicts are:
    benign—Indicates that the file is safe.
    grayware—Indicates that the file has suspicious qualities or behavior but is not malicious.
    malicious—Indicates that the file contains malicious code.
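A common gap with per-severity forwarding is that a high-urgency severity or verdict ends up with no server profile at all, so the event is stored on Panorama but never reaches the SIEM or on-call mailbox. The following script is an added example, not Palo Alto Networks code; it audits a simplified representation of the Log Settings page (log type, then severity or verdict, then the list of server profile names) for such gaps. The dictionary layout, the profile names, and the choice of which severities and verdicts must be forwarded are assumptions made for the example, not the Panorama configuration schema.

```python
"""Audit a Panorama Log Settings forwarding configuration for coverage gaps.

Added example; not Palo Alto Networks code. The configuration structure is a
constructed, simplified representation of the Log Settings page
(log type -> severity/verdict -> server profile names), not the Panorama XML.
"""
from __future__ import annotations

# Severity levels and WildFire verdicts as listed on the Log Settings page.
SEVERITY_LEVELS = ("critical", "high", "medium", "low", "informational")
WILDFIRE_VERDICTS = ("benign", "grayware", "malicious")

# Log types with a per-severity row, and those with a single setting.
SEVERITY_LOG_TYPES = ("system", "correlation", "threat")
SINGLE_SETTING_LOG_TYPES = ("config", "hip-match", "traffic")

# Assumption (policy chosen for this example): severities that must always
# have at least one forwarding destination.
MUST_FORWARD = {
    "system": {"critical", "high"},
    "correlation": {"critical", "high", "medium"},
    "threat": {"critical", "high"},
}
# Assumption: WildFire verdicts that must always be forwarded.
MUST_FORWARD_VERDICTS = ("malicious", "grayware")


def audit_log_settings(settings: dict, panorama_mode_m_series: bool = False) -> list[str]:
    """Return human-readable findings; an empty list means no gaps were found.

    On an M-Series appliance in Panorama mode the firewall-only log types
    (HIP Match, Traffic, Threat, WildFire) are not on the page, so they are
    skipped when panorama_mode_m_series is True.
    """
    findings: list[str] = []
    present = set(SEVERITY_LOG_TYPES) | set(SINGLE_SETTING_LOG_TYPES) | {"wildfire"}
    if panorama_mode_m_series:
        present -= {"hip-match", "traffic", "threat", "wildfire"}

    for log_type in SEVERITY_LOG_TYPES:
        if log_type not in present:
            continue
        per_severity = settings.get(log_type, {})
        for sev in SEVERITY_LEVELS:
            if sev in MUST_FORWARD[log_type] and not per_severity.get(sev):
                findings.append(f"{log_type}: severity '{sev}' has no server profile")
        for sev in per_severity:
            if sev not in SEVERITY_LEVELS:
                findings.append(f"{log_type}: unknown severity '{sev}'")

    for log_type in SINGLE_SETTING_LOG_TYPES:
        if log_type in present and not settings.get(log_type):
            findings.append(f"{log_type}: no server profile selected")

    if "wildfire" in present:
        per_verdict = settings.get("wildfire", {})
        for verdict in MUST_FORWARD_VERDICTS:
            if not per_verdict.get(verdict):
                findings.append(f"wildfire: verdict '{verdict}' has no server profile")
        for verdict in per_verdict:
            if verdict not in WILDFIRE_VERDICTS:
                findings.append(f"wildfire: unknown verdict '{verdict}'")

    return findings


# Constructed sample configuration with three deliberate gaps: Threat/High,
# Config, and the WildFire grayware verdict have no destination.
SAMPLE_SETTINGS = {
    "system": {"critical": ["snmp-noc", "syslog-siem"], "high": ["syslog-siem"], "informational": []},
    "correlation": {"critical": ["email-soc", "syslog-siem"], "high": ["syslog-siem"], "medium": ["syslog-siem"]},
    "threat": {"critical": ["syslog-siem"], "high": []},
    "config": [],
    "hip-match": ["syslog-siem"],
    "traffic": ["syslog-siem"],
    "wildfire": {"malicious": ["syslog-siem", "email-soc"], "benign": []},
}

if __name__ == "__main__":
    for finding in audit_log_settings(SAMPLE_SETTINGS):
        print(finding)
```

Run against the sample, the audit reports the three gaps; with `panorama_mode_m_series=True` only the Config gap remains, because the firewall-only log types are not part of the page on that platform. Adjust `MUST_FORWARD` and `MUST_FORWARD_VERDICTS` to your own escalation policy before using this as a pre-commit check.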