Enhanced Application Logs for Palo Alto Networks Cloud Services

Enhanced application logging allows the firewall to collect data that increases visibility into network activity for Palo Alto Networks apps and services.
Examples of the types of data that enhanced application logs gather (and that firewall logs do not) include records of DNS queries, the HTTP User-Agent header field that identifies the web browser or tool used to access a URL, and information about DHCP automatic IP address assignment. With DHCP information, for example, Cortex XDR™ can alert on unusual activity based on hostname instead of IP address. This allows the security analyst using Cortex XDR to meaningfully assess whether the user’s activity is within the scope of his or her role, and if not, to more quickly take action to stop the activity.
Enhanced application logs are designed strictly for Palo Alto Networks apps and services to consume and process; you cannot view enhanced application logs on the firewall or Panorama. Only firewalls forwarding logs to Cortex Data Lake can provide enhanced application logs. Additionally, to benefit from the most comprehensive set of enhanced application logs, you should enable User-ID; agent and agentless User-ID deployments both collect some data that is not reflected in the firewall User-ID logs but that is useful towards associating network activity with specific users.
To start forwarding enhanced application logs to Cortex Data Lake, turn on enhanced application logging globally, and then enable it on a per-security rule basis (using a Log Forwarding profile). The global setting is required and captures data for traffic that is not session-based (ARP requests, for example). The per-security policy rule setting is strongly recommended; the majority of enhanced application logs are gathered from the session-based traffic that your security policy rules enforce.
Cortex Data Lake was previously called the Logging Service; you might continue to see references to the Logging Service in the firewall web interface.
  1. Enhanced application logging requires the Palo Alto Networks Logging Service, and User-ID is recommended. Here are steps to get started with the Logging Service and enable User-ID.
  2. To Enable Enhanced Application Logging on the firewall, select Device > Setup > Management > Logging Service and edit the Logging Service Settings.
  3. Continue to enable enhanced application logging for the security policy rules that control the traffic into which you want extended visibility.
    1. Select Objects > Log Forwarding and Add or modify a log forwarding profile.
    2. Update the profile to Enable Enhanced Application Logging to the Logging Service.
      Notice that when you enable enhanced application logging in a Log Forwarding profile, match lists that specify the log types required for enhanced application logging are automatically added to the profile.
    3. Click OK to save the profile and continue to update as many profiles as needed.
    4. Ensure that the Log Forwarding profile that you’ve updated is attached to a security policy rule, to trigger log generation and forwarding for the traffic matched to the rule.
      1. Select Policies > Security to view the profiles attached to each security policy rule.
      2. To update the log forwarding profile attached to a rule, Add or edit a rule, select Policies > Security > Actions > Log Forwarding, and select the Log Forwarding profile enabled with enhanced application logging.
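The per-rule step above is the one most often left incomplete: a profile with enhanced application logging enabled forwards nothing for a rule it is not attached to, and a rule attached to a legacy profile silently keeps forwarding only the standard log types. The following script is an added example, not Palo Alto Networks code, that audits an exported PAN-OS configuration for exactly those gaps. The sample configuration is constructed for the example, and the element names it relies on (the `log-setting` element on a security rule, and `enhanced-application-logging` under each `log-settings/profiles` entry) are assumptions about the XML schema that you should confirm against a real export before using the check in production. The global Logging Service setting from step 2 is not checked here.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported PAN-OS configuration for this example.
# Assumed schema: <log-setting> names the Log Forwarding profile attached to a
# security rule; <enhanced-application-logging> under a profile entry carries
# the "Enable Enhanced Application Logging to the Logging Service" checkbox.
SAMPLE_CONFIG = """
<config>
  <shared>
    <log-settings>
      <profiles>
        <entry name="eal-forwarding">
          <enhanced-application-logging>yes</enhanced-application-logging>
        </entry>
        <entry name="legacy-forwarding">
          <enhanced-application-logging>no</enhanced-application-logging>
        </entry>
      </profiles>
    </log-settings>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <rulebase>
            <security>
              <rules>
                <entry name="allow-web"><log-setting>eal-forwarding</log-setting></entry>
                <entry name="allow-dns"><log-setting>legacy-forwarding</log-setting></entry>
                <entry name="allow-mgmt"></entry>
                <entry name="allow-dhcp"><log-setting>missing-profile</log-setting></entry>
              </rules>
            </security>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""


def defined_profiles(root):
    """Return the names of all Log Forwarding profiles in the configuration."""
    return {p.get("name") for p in root.iterfind(".//log-settings/profiles/entry")}


def eal_profiles(root):
    """Return the names of Log Forwarding profiles with enhanced application logging enabled."""
    enabled = set()
    for prof in root.iterfind(".//log-settings/profiles/entry"):
        flag = prof.findtext("enhanced-application-logging", default="no")
        if flag.strip().lower() == "yes":
            enabled.add(prof.get("name"))
    return enabled


def rules_without_eal(config_xml):
    """Map each security rule that will not forward enhanced application logs to the reason why.

    A rule is flagged when it has no Log Forwarding profile, references a
    profile that does not exist, or references a profile that does not
    enable enhanced application logging.
    """
    root = ET.fromstring(config_xml)
    defined = defined_profiles(root)
    enabled = eal_profiles(root)
    findings = {}
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        name = rule.get("name")
        profile = rule.findtext("log-setting")
        if not profile:
            findings[name] = "no Log Forwarding profile attached"
        elif profile not in defined:
            findings[name] = f"references undefined profile {profile!r}"
        elif profile not in enabled:
            findings[name] = f"profile {profile!r} does not enable enhanced application logging"
    return findings


if __name__ == "__main__":
    for rule, reason in sorted(rules_without_eal(SAMPLE_CONFIG).items()):
        print(f"{rule}: {reason}")
```

Run against the constructed sample, the check passes `allow-web` and reports the other three rules, each with a different reason. On a real firewall, export the running configuration and feed the XML to `rules_without_eal` to confirm that every rule whose traffic you want visible to Cortex XDR is actually covered.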
