Forward Logs to an HTTP/S Destination
The firewall and Panorama™ can forward logs to an HTTP/S server. You can choose to forward all logs or specific logs to trigger an action on an external HTTP-based service when an event occurs. When forwarding logs to an HTTP server, choose from the following options:
- Configure the firewall to send an HTTP-based API request directly to a third-party service to trigger an action that is based on the attributes in a firewall log. You can configure the firewall to work with any HTTP-based service that exposes an API and you can modify the URL, HTTP header, parameters, and the payload in the HTTP request to meet your integration needs.
- Tag the source or destination IP address in a log entry automatically and register the IP address and tag mapping to a User-ID™ agent on the firewall or Panorama, or register to a remote User-ID agent so that you can respond to an event and dynamically enforce security policy. To enforce policy, you must Use Dynamic Address Groups in Policy.
- Create an HTTP server profile to forward logs to an HTTP/S destination. The HTTP server profile allows you to specify how to access the server and define the format in which to forward logs to the HTTP/S destination. By default, the firewall uses the management port to forward these logs. However, you can assign a different source interface and IP address in Device > Setup > Services > Service Route Configuration.
  - Select Device > Server Profiles > HTTP and Add a new profile.
  - Specify a Name for the server profile, and select the Location. The profile can be Shared across all virtual systems or can belong to a specific virtual system.
  - Add the details for each server. Each profile can have a maximum of four servers.
    - Enter a Name and IP Address.
    - Select the Protocol (HTTP or HTTPS). The default Port is 80 or 443 respectively, but you can modify the port number to match the port on which your HTTP server listens.
    - Select the TLS Version supported on the server—1.0, 1.1, or 1.2 (default).
    - Select the Certificate Profile to use for the TLS connection with the server.
    - Select the HTTP Method that the third-party service supports—DELETE, GET, POST (default), or PUT.
    - (Optional) Enter the Username and Password for authenticating to the server, if needed.
    - (Optional) Select Test Server Connection to verify network connectivity between the firewall and the HTTP/S server.
  - Select the Payload Format for the HTTP request.
    - Select the Log Type link for each log type for which you want to define the HTTP request format.
    - Select the Pre-defined Formats (available through content updates) or create a custom format. If you create a custom format, the URI is the resource endpoint on the HTTP service. The firewall appends the URI to the IP address you defined earlier to construct the URL for the HTTP request. Ensure that the URI and payload format match the syntax that your third-party vendor requires. You can use any attribute supported on the selected log type within the HTTP Header, the Parameter and Value pairs, and in the request payload.
    - Send Test Log to verify that the HTTP server receives the request. When you interactively send a test log, the firewall uses the format as is and does not replace the variables with values from a firewall log. If your HTTP server sends a 404 response, provide values for the parameters so that the server can process the request successfully.
- Define the match criteria for when the firewall will forward logs to the HTTP server and attach the HTTP server profile you will use.
  - Select the log types for which you want to trigger a workflow:
    - Add a Log Forwarding Profile (Objects > Log Forwarding) for logs that pertain to user activity (for example, Traffic, Threat, or Authentication logs).
    - Select Device > Log Settings for logs that pertain to system events, such as Configuration or System logs.
  - Select the Log Type and use the new Filter Builder to define the match criteria.
  - Add the HTTP server profile for forwarding logs to the HTTP destination.
- Add a tag to the source or destination IP address in the log entry. This capability enables you to use dynamic address groups and Security policy rules to limit network access or isolate the IP address until you can triage the affected user device. Add Built-in Actions and Name the action. Select the following options to register the tag:
  - Target—Select Source Address or Destination Address.
  - Action—Select Add Tag. You cannot configure a Timeout with a Remove Tag action.
  - Registration—Register the tag to the local User-ID on a firewall or to the Panorama that is managing the firewall.
  - Timeout (min)—Enter the amount of time (in minutes) before the firewall removes the IP address-to-tag mapping. If you enter a value of zero (0) minutes, the IP address-to-tag mapping does not time out. You should set the IP-tag timeout to the same amount of time as the DHCP lease timeout for that IP address. This allows the IP address-to-tag mapping to expire at the same time as the DHCP lease so that you do not unintentionally apply policy when the IP address is reassigned.
  - Tag—Enter a new tag or select an existing tag.
- Register or unregister a tag on a source or destination IP address in a log entry to a remote User-ID agent.
  - Select Device > Server Profiles > HTTP, specify a Name for the server profile, and select the Location. The profile can be Shared across all virtual systems or can belong to a specific virtual system.
  - Select Tag Registration to enable the firewall to register the IP address and tag mapping with the User-ID agent on a remote firewall. With tag registration enabled, you cannot specify the payload format.
  - Add the connection details to access the remote User-ID agent.
  - Select the log type (Objects > Log Forwarding or Device > Log Settings) for which you want to add a tag to the source or destination IP address in the log entry.
  - Add Built-in Actions and Name the action. Select the following options to register the tag on the remote User-ID agent:
    - Target—Select Source Address or Destination Address.
    - Action—Select Add Tag or Remove Tag. You cannot configure a Timeout with a Remove Tag action.
    - Registration—Select Remote User-ID agent.
    - Timeout (min)—Enter the amount of time (in minutes) before the firewall removes the IP address-to-tag mapping. If you enter a value of zero (0) minutes, the IP address-to-tag mapping does not time out.
    - Tag—Enter a new tag or select an existing tag.
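As an added example (not Palo Alto Networks code), this is the receiver side of the custom payload format and Send Test Log step described above: a handler that checks the server profile's Username/Password as HTTP Basic credentials, validates the forwarded log attributes, and recognises a test log by its unreplaced variables so that it is acknowledged but never acted on. It assumes a POST with a JSON payload and `$name`-style variables; the credential, the required field names, and the sample payloads are constructed.

```python
import base64
import hmac
import json
from typing import Optional, Tuple

# Constructed sample credential; in practice, the Username/Password from the HTTP server profile.
EXPECTED_USER = "panos-forwarder"
EXPECTED_PASS = "example-secret"
# Attributes the downstream workflow needs before it acts on an event (assumed set).
REQUIRED_FIELDS = ("src", "dst", "rule", "severity")


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value the firewall sends when Username/Password are set."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _auth_ok(authorization: Optional[str]) -> bool:
    """Validate HTTP Basic credentials with a constant-time comparison."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        return False
    return hmac.compare_digest(user, EXPECTED_USER) and hmac.compare_digest(password, EXPECTED_PASS)


def handle_forwarded_log(headers: dict, body: bytes) -> Tuple[int, dict]:
    """Return (HTTP status, JSON-able response) for one request from the firewall.

    A Send Test Log request carries the custom-format variables unreplaced (assumed to
    look like "$src"); returning 400 with the missing names, rather than a bare 404,
    tells the operator which parameters still need values.
    """
    if not _auth_ok(headers.get("Authorization")):
        return 401, {"error": "bad credentials"}
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, {"error": "payload is not valid JSON"}
    if not isinstance(payload, dict):
        return 400, {"error": "payload must be a JSON object"}
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        return 400, {"error": "missing attributes", "missing": missing}
    unreplaced = [k for k, v in payload.items() if isinstance(v, str) and v.startswith("$")]
    if unreplaced:  # test log: acknowledge it, but never tag or block on placeholder values
        return 200, {"status": "test log accepted, no action taken", "unreplaced": unreplaced}
    return 200, {"status": "event accepted", "src": payload["src"], "rule": payload["rule"]}
```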