What Telemetry Data Does the Firewall Collect?
The firewall collects and forwards different sets of telemetry data to Palo Alto Networks based on the Telemetry settings you enable. The firewall collects the data from fields in your log entries (see Log Types and Severity Levels); the log type and combination of fields vary based on the setting. Review the following table before you Enable Telemetry.
Application Reports
The number and size of known applications by destination port, unknown applications by destination port, and unknown applications by destination IP address. The firewall generates these reports from Traffic logs and forwards them every 4 hours.
Threat Prevention Reports
Attacker information, the number of threats for each source country and destination port, and the correlation objects that threat events triggered. The firewall generates these reports from Threat logs and forwards them every 4 hours.
URL Reports
URLs with the following PAN-DB URL categories: malware, phishing, dynamic DNS, proxy-avoidance, questionable, parked, and unknown (URLs that PAN-DB has not yet categorized). The firewall generates these reports from URL Filtering logs.
URL Reports also include PAN-DB statistics such as the version of the URL filtering database on the firewall and on the PAN-DB cloud, the number of URLs in those databases, and the number of URLs that the firewall categorized. These statistics are based on the time that the firewall forwarded the URL Reports.
The firewall forwards URL Reports every 4 hours.
File Type Identification Reports
Threat Prevention Data
Log data from threat events that triggered signatures that Palo Alto Networks is evaluating for efficacy. Threat Prevention Data provides Palo Alto Networks more visibility into your network traffic than other telemetry settings. When enabled, the firewall may collect information such as source or victim IP addresses.
Enabling Threat Prevention Data also allows unreleased signatures that Palo Alto Networks is currently testing to run in the background. These signatures do not affect your security policy rules and firewall logs, and have no impact on your firewall performance.
The firewall forwards Threat Prevention Data every 5 minutes.
Threat Prevention Packet Captures
Packet captures (if you have enabled your firewall to Take a Threat Packet Capture) of threat events that triggered signatures that Palo Alto Networks is evaluating for efficacy. Threat Prevention Packet Captures provide Palo Alto Networks more visibility into your network traffic than other telemetry settings. When enabled, the firewall may collect information such as source or victim IP addresses.
The firewall forwards Threat Prevention Packet Captures every 5 minutes.
Product Usage Statistics
Back traces of firewall processes that have failed, as well as information about the firewall status. Back traces outline the execution history of the failed processes. These reports include details about the firewall model and the PAN-OS and content release versions installed on your firewall.
The firewall forwards Product Usage Statistics every 5 minutes.
Passive DNS Monitoring
Domain-to-IP address mappings based on firewall traffic. When you enable Passive DNS Monitoring, the firewall acts as a passive DNS sensor and sends DNS information to Palo Alto Networks for analysis.
The firewall forwards data from Passive DNS Monitoring in 1 MB batches.