Enhanced Application Logs for Palo Alto Networks Cloud Services
Enhanced application logging allows the firewall to collect data specifically intended to increase visibility into network activity for apps running in the Palo Alto Networks Cloud Services environment.
Examples of the types of data that enhanced application logs gather (and that firewall logs do not) include records of DNS queries, the HTTP User-Agent header field that identifies the web browser or tool used to access a URL, and information about DHCP automatic IP address assignment. With DHCP information, for example, Cortex XDR™ – Analytics (the Palo Alto Networks behavior analytics app) can alert on unusual activity based on hostname instead of IP address. This allows the security analyst using Cortex XDR – Analytics to meaningfully assess whether the user’s activity is within the scope of his or her role and, if not, to more quickly take action to stop or remediate the activity.
Enhanced application logs are designed strictly for Palo Alto Networks Cloud Services apps to consume and process; you cannot view enhanced application logs on the firewall or Panorama. Only firewalls forwarding logs to the Logging Service—which provides cloud-based, centralized log storage and aggregation—can provide enhanced application logs. Additionally, to benefit from the most comprehensive set of enhanced application logs, you should enable User-ID; agent and agentless User-ID deployments both collect some data that is not reflected in the firewall User-ID logs but that is useful towards associating network activity with specific users.
To start forwarding enhanced application logs to the Logging Service, turn on enhanced application logging globally, and then enable it on a per-security rule basis (using a Log Forwarding profile). The global setting is required and captures data for traffic that is not session-based (ARP requests, for example). The per-security policy rule setting is strongly recommended; the majority of enhanced application logs are gathered from the session-based traffic that your security policy rules enforce.
- Enhanced application logging requires the Palo Alto Networks Logging Service; User-ID is recommended. Here are the steps to get started with the Logging Service and enable User-ID.
- To enable enhanced application logging on the firewall, select Device > Setup > Management > Logging Service and edit the Logging Service Settings.
- Continue to enable enhanced application logging for the security policy rules that control the traffic into which you want
- Select Objects > Log Forwarding and Add or modify a Log Forwarding profile.
- Update the profile to Enable Enhanced Application Logging to the Logging Service. Notice that when you enable enhanced application logging in a Log Forwarding profile, match lists that specify the log types required for enhanced application logging are automatically added to the profile.
- Click OK to save the profile and continue to update as many profiles as needed.
- Ensure that the Log Forwarding profile that you’ve updated is attached to a security policy rule, to trigger log generation and forwarding for the traffic matched to the rule.
- Select Policies > Security to view the profiles attached to each security policy rule.
- To update the Log Forwarding profile attached to a rule, Add or edit a rule, select Policies > Security > Actions > Log Forwarding, and select the Log Forwarding profile enabled with enhanced application logging.
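The last steps above hinge on every relevant security rule carrying a Log Forwarding profile that has enhanced application logging turned on, and the GUI only shows that one rule at a time. The script below is an added example (not Palo Alto Networks code) that audits an exported PAN-OS XML configuration for that condition across all rules. It assumes the layout of the constructed sample: a rule references its profile in a `<log-setting>` element, and a profile records the setting in an `<enhanced-application-logging>` element (that element name is an assumption; confirm it against your own `running-config.xml` before relying on the check). It covers only the per-rule setting, not the global Logging Service setting.

```python
"""Audit a PAN-OS XML configuration for enhanced application logging coverage.

Added example, not Palo Alto Networks code. Assumptions about the XML layout:
  - each security rule names its Log Forwarding profile in <log-setting>
  - each profile stores the setting as <enhanced-application-logging>yes|no</...>
    (element name assumed; verify against an exported running-config.xml)
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed running-config excerpt with one vsys,
# two Log Forwarding profiles and three security rules.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <log-settings><profiles>
        <entry name="fwd-eal">
          <enhanced-application-logging>yes</enhanced-application-logging>
        </entry>
        <entry name="fwd-legacy">
          <enhanced-application-logging>no</enhanced-application-logging>
        </entry>
      </profiles></log-settings>
      <rulebase><security><rules>
        <entry name="allow-web"><log-setting>fwd-eal</log-setting></entry>
        <entry name="allow-dns"><log-setting>fwd-legacy</log-setting></entry>
        <entry name="allow-ntp"/>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""


def load_profiles(root):
    """Return {profile_name: True/False} for every Log Forwarding profile,
    True when enhanced application logging is enabled in that profile."""
    profiles = {}
    for prof in root.findall(".//log-settings/profiles/entry"):
        flag = prof.findtext("enhanced-application-logging", default="no")
        profiles[prof.get("name")] = flag.strip().lower() == "yes"
    return profiles


def audit_rules(xml_text):
    """Classify each security rule by its logging state:
    'ok'              - profile attached and enhanced application logging on
    'eal-disabled'    - profile attached but enhanced application logging off
    'unknown-profile' - rule references a profile that is not defined
    'no-profile'      - no Log Forwarding profile attached at all
    """
    root = ET.fromstring(xml_text)
    profiles = load_profiles(root)
    findings = {}
    for rule in root.findall(".//rulebase/security/rules/entry"):
        name = rule.get("name")
        profile = rule.findtext("log-setting")
        if profile is None:
            findings[name] = "no-profile"
        elif profile not in profiles:
            findings[name] = "unknown-profile"
        elif not profiles[profile]:
            findings[name] = "eal-disabled"
        else:
            findings[name] = "ok"
    return findings


def rules_needing_attention(xml_text):
    """Sorted names of rules that will not produce enhanced application logs."""
    return sorted(name for name, state in audit_rules(xml_text).items()
                  if state != "ok")


if __name__ == "__main__":
    for rule, state in audit_rules(SAMPLE_CONFIG).items():
        print(f"{rule:12} {state}")
    print("needs attention:", rules_needing_attention(SAMPLE_CONFIG))
```

Run it against a real export by reading the file into `audit_rules` instead of `SAMPLE_CONFIG`; rules reported as `no-profile` or `eal-disabled` are the ones to revisit under Policies > Security > Actions > Log Forwarding. Rules that intentionally do not log (for example, rules that drop noisy traffic) will show up too, so review the list rather than treating every hit as a defect.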