Configure Log Forwarding
In an environment where you use multiple firewalls to control and analyze network traffic, any single firewall can display logs and reports only for the traffic it monitors. Because logging in to multiple firewalls can make monitoring a cumbersome task, you can more efficiently achieve global visibility into network activity by forwarding the logs from all firewalls to Panorama or external services. If you Use External Services for Monitoring, the firewall automatically converts the logs to the necessary format: syslog messages, SNMP traps, email notifications, or as an HTTP payload to send the log details to an HTTP(S) server. In cases where some teams in your organization can achieve greater efficiency by monitoring only the logs that are relevant to their operations, you can create forwarding filters based on any log attributes (such as threat type or source user). For example, a security operations analyst who investigates malware attacks might be interested only in Threat logs with the type attribute set to wildfire-virus.
You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the PA-7000 Series firewall, it does not support these options. You can also use the web interface on all platforms to View and Manage Reports, but only on a per log type basis, not for the entire log database.
- Configure a server profile for each external service that will receive log information.You can use separate profiles to send different sets of logs, filtered by log attributes, to a different server. To increase availability, define multiple servers in a single profile.Configure one or more of the following server profiles:
- If the syslog server requires client authentication, you must also Create a certificate to secure syslog communication over TLSv1.2.
- Configure an HTTP server profile (see Forward Logs to an HTTP(S) Destination).
- Create a Log Forwarding profile.The profile defines the destinations for Traffic, Threat, WildFire Submission, URL Filtering, Data Filtering, Tunnel and Authentication logs.
- SelectandObjectsLog ForwardingAdda profile.
- Enter aNameto identify the profile.If you want the firewall to automatically assign the profile to new security rules and zones, enterdefault. If you don’t want a default profile, or you want to override an existing default profile, enter aNamethat will help you identify the profile when assigning it to security rules and zones.If no log forwarding profile nameddefaultexists, the profile selection is set toNoneby default in new security rules (Log Forwardingfield) and new security zones (Log Settingfield), although you can change the selection.
- Addone or morematch list profiles.The profiles specify log query filters, forwarding destinations, and automatic actions such as tagging. For each match list profile:
- Enter aNameto identify the profile.
- Select theLog Type.
- In theFilterdrop-down, selectFilter Builder. Specify the following and thenAddeach query:
- Connectorlogic (and/or)
- Operatorto define inclusion or exclusion logic
- AttributeValuefor the query to match
- Select Panorama if you want to forward logs to Log Collectors or the Panorama management server.
- For each type of external service that you use for monitoring (SNMP, Email, Syslog, and HTTP),Addone or more server profiles.
- ClickOKto save the Log Forwarding profile.
- Assign the Log Forwarding profile to policy rules and network zones.Security, Authentication, and DoS Protection rules support log forwarding. In this example, you assign the profile to a Security rule.Perform the following steps for each rule that you want to trigger log forwarding:
- Selectand edit the rule.PoliciesSecurity
- SelectActionsand select theLog Forwardingprofile you created.
- Set theProfile TypetoProfilesorGroup, and then select the security profiles orGroup Profilerequired to trigger log generation and forwarding for:
- For Traffic logs, selectLog At Session Startand/orLog At Session End.
- ClickOKto save the rule.
- Configure the destinations for System, Configuration, User-ID, HIP Match, and Correlation logs.Panorama generates Correlation logs based on the firewall logs it receives, rather than aggregating Correlation logs from firewalls.
- Select.DeviceLog Settings
- For each log type that the firewall will forward, see Step Add one or more match list profiles.
- (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.
- Selectand clickNetworkInterfacesEthernetAdd Interface.
- Select theSlotandInterface Name.
- Set theInterface TypetoLog Card.
- Enter theIP Address,Default Gateway, and (for IPv4 only)Netmask.
- SelectAdvancedand specify theLink Speed,Link Duplex, andLink State.These fields default toauto, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommendedLink Speedfor any connection is1000(Mbps).
- ClickOKto save your changes.
- Commit and verify your changes.
- Commityour changes.
- Verify the log destinations you configured are receiving firewall logs:
- Email server—Verify that the specified recipients are receiving logs as email notifications.
- Syslog server—Refer to your syslog server documentation to verify it’s receiving logs as syslog messages.
Recommended For You
Recommended videos not found.