Objects > Log Forwarding

By default, the logs that the firewall generates reside only in its local storage. However, if you want to use Panorama, the Logging Service, or external services (such as a syslog server) to centrally monitor log information, you can define a Log Forwarding profile and assign it to Security, Authentication, and DoS Protection policy rules. Log Forwarding profiles define forwarding destinations for the following Log Types: Traffic, Threat, WildFire Submissions, URL Filtering, Data Filtering, Tunnel Inspection, and Authentication logs.
To forward other log types, see Device > Log Settings.
As of PAN-OS 8.0, Panorama no longer considers a PA-7000 Series firewall as a Log Collector. To enable Panorama to run aggregated reports that include log data from PA-7000 Series firewalls, configure the firewalls to forward logs to Panorama.
To enable a PA-7000 Series firewall to forward logs or forward files to WildFire®, you must first configure a Log Card Interface on the PA-7000 Series firewall. As soon as you configure this interface, the firewall will automatically use this port—there is no special configuration required. Just configure a data port on one of the PA-7000 Series Network Processing Cards (NPCs) as a Log Card interface type and ensure that the network that you use can communicate with your log servers. For WildFire forwarding, the network must communicate successfully with the WildFire cloud or WildFire appliance (or both).
On PA-7000 Series firewalls, you must configure a Log Card Interface for the firewall to forward logs to the following logging destinations: Syslog, HTTP, Email, and SNMP. This is also required to forward files to WildFire. After the port is configured, log forwarding and WildFire forwarding will automatically use this port and there is no special configuration required for this to occur. Just configure a data port on one of the PA-7000 Series NPCs as interface type Log Card and ensure that the network that will be used can communicate with your log servers. For WildFire forwarding, the network must communicate successfully with the WildFire cloud and/or WildFire appliance.
The following table describes the Log Forwarding profile settings:
Log Forwarding Profile Settings
Description
Name
Enter a name (up to 64 characters) to identify the profile. This name appears in the list of Log Forwarding profiles when defining Security policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Shared
Select this option if you want the profile to be available to:
  • Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the
    Virtual System
    selected in the
    Objects
    tab.
  • Every device group on Panorama. If you clear this selection, the profile will be available only to the
    Device Group
    selected in the
    Objects
    tab.
Disable override
(
Panorama only
)
Select this option to prevent administrators from overriding the settings of this Log Forwarding profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
Description
Enter a description to explain the purpose of this Log Forwarding profile.
Match List (unlabeled)
Add
one or more match list profiles (up to 64) that specify forwarding destinations, log attribute-based filters to control which logs the firewall forwards, and actions to perform on the logs (such as automatic tagging). Complete the following two fields for each match list profile.
Name (match list profile)
Enter a name (up to 31 characters) to identify the match list profile.
Description (match list profile)
Enter a description (up to 1,023 characters) to explain the purpose of this match list profile.
Log Type
Select the type of logs to which this match list profile applies:
traffic
,
threat
,
WildFire
,
URL
,
data
,
gtp
,
tunnel
, or authentication (
auth
).
Filter
By default, the firewall forwards
All Logs
of the selected
Log Type
. To forward a subset of the logs, select an existing filter from the drop-down or select
Filter Builder
to add a new filter. For each query in a new filter, specify the following fields and
Add
the query:
  • Connector
    —Select the connector logic (and/or) for the query. Select
    Negate
    if you want to apply negation to the logic. For example, to avoid forwarding logs from an untrusted zone, select
    Negate
    , select
    Zone
    as the Attribute, select
    equal
    as the Operator, and enter the name of the untrusted Zone in the Value column.
  • Attribute
    —Select a log attribute. The available attributes depend on the
    Log Type
    .
  • Operator
    —Select the criterion to determine whether the attribute applies (such as
    equal
    ). The available criteria depend on the
    Log Type
    .
  • Value
    —Specify the attribute value to match.
To display or export TechDocs_logo_cropped.png the logs that the filter matches, select
View Filtered Logs
. This tab provides the same options as the
Monitoring
tab pages (such as
Monitoring
Logs
Traffic
).
Panorama
Select
Panorama
if you want to forward logs to Log Collectors, or the Panorama management server, or to the Logging Service.
If you enable this option, you must configure log forwarding to Panorama TechDocs_logo_cropped.png .
To use the Logging service, you must also
Enable
the Logging Service in Device > Setup > Management.
SNMP
Add
one or more SNMP Trap server profiles to forward logs as SNMP traps (see Device > Server Profiles > SNMP Trap).
Email
Add
one or more Email server profiles to forward logs as email notifications (see Device > Server Profiles > Email).
Syslog
Add
one or more Syslog server profiles to forward logs as syslog messages (see Device > Server Profiles > Syslog).
HTTP
Add
one or more HTTP server profiles to forward logs as HTTP requests (see Device > Server Profiles > HTTP).
Built-in Actions
Add
the action to perform. Add or remove a tag to the source or destination IP address in a log entry automatically and register the IP address and tag mapping to a User-ID agent on the firewall or Panorama, or to a remote User-ID agent so that you can respond to an event and dynamically enforce Security policy. The ability to tag an IP address and dynamically enforce policy using dynamic address groups gives you better visibility, context, and control for consistently enforcing Security policy irrespective of where the IP address moves across your network.
Configure the following settings:
  • Add
    an action and enter a name to describe it.
  • Select the target IP address you want to tag—
    Source Address
    or
    Destination Address
    .
You can take an action for all log types that include a source or destination IP address in the log entry. You can tag the source IP address only, in Correlation logs and HIP Match logs; you cannot configure an action for System logs and Configuration logs because the log type does not include an IP address in the log entry.
  • Select the action—
    Add Tag
    or
    Remove Tag
    .
  • Select whether to register the IP address and tag mapping to the
    Local User-ID
    agent on this firewall or Panorama, or to a
    Remote User-ID
    agent.
  • To register the IP address and tag mapping to a
    Remote User-ID
    agent, select the HTTP server profile (Device > Server Profiles > HTTP) that will enable forwarding.
  • Enter or select the
    Tags
    you want to apply or remove from the target source or destination IP address.

Related Documentation