End-of-Life (EoL)
What Telemetry Data Does the Firewall Collect?
The firewall collects and forwards different sets of telemetry data to Palo Alto Networks based on the Telemetry settings you enable. The firewall collects the data from fields in your log entries (see Log Types and Severity Levels); the log type and combination of fields vary based on the setting. Review the following table before you Enable Telemetry.

Setting | Description |
---|---|
Application Reports | The number and size of known applications by destination port, unknown applications by destination port, and unknown applications by destination IP address. The firewall generates these reports from Traffic logs and forwards them every 4 hours. |
Threat Prevention Reports | Attacker information, the number of threats for each source country and destination port, and the correlation objects that threat events triggered. The firewall generates these reports from Threat logs and forwards them every 4 hours. |
URL Reports | URLs with the following PAN-DB URL categories: malware, phishing, dynamic DNS, proxy-avoidance, questionable, parked, and unknown (URLs that PAN-DB has not yet categorized). The firewall generates these reports from URL Filtering logs. URL Reports also include PAN-DB statistics such as the version of the URL filtering database on the firewall and on the PAN-DB cloud, the number of URLs in those databases, and the number of URLs that the firewall categorized. These statistics are based on the time that the firewall forwarded the URL Reports. The firewall forwards URL Reports every 4 hours. |
File Type Identification Reports | Information about files that the firewall has blocked or allowed based on data filtering and file blocking settings. The firewall generates these reports from Data Filtering logs and forwards them every 4 hours. |
Threat Prevention Data | Log data from threat events that triggered signatures that Palo Alto Networks is evaluating for efficacy. Threat Prevention Data provides Palo Alto Networks more visibility into your network traffic than other telemetry settings. When enabled, the firewall may collect information such as source or victim IP addresses. Enabling Threat Prevention Data also allows unreleased signatures that Palo Alto Networks is currently testing to run in the background. These signatures do not affect your security policy rules and firewall logs, and have no impact on your firewall performance. The firewall forwards Threat Prevention Data every 5 minutes. |
Threat Prevention Packet Captures | Packet captures (if you have enabled your firewall to Take a Threat Packet Capture) of threat events that triggered signatures that Palo Alto Networks is evaluating for efficacy. Threat Prevention Packet Captures provide Palo Alto Networks more visibility into your network traffic than other telemetry settings. When enabled, the firewall may collect information such as source or victim IP addresses. The firewall forwards Threat Prevention Packet Captures every 5 minutes. |
Product Usage Statistics | Back traces of firewall processes that have failed, as well as information about the firewall status. Back traces outline the execution history of the failed processes. These reports include details about the firewall model and the PAN-OS and content release versions installed on your firewall. The firewall forwards Product Usage Statistics every 5 minutes. |
Passive DNS Monitoring | Domain-to-IP address mappings based on firewall traffic. When you enable Passive DNS Monitoring, the firewall acts as a passive DNS sensor and sends DNS information to Palo Alto Networks for analysis. The firewall forwards data from Passive DNS Monitoring in 1 MB batches. |