Forward Logs to an HTTP/S Destination

Create an HTTP server profile to forward logs to an HTTP/S destination.
The firewall and Panorama™ can forward logs to an HTTP/S server. You can choose to forward all logs or specific logs to trigger an action on an external HTTP-based service when an event occurs. When forwarding logs to an HTTP server, configure the firewall to send an HTTP-based API request directly to a third-party service to trigger an action that is based on the attributes in a firewall log. You can configure the firewall to work with any HTTP-based service that exposes an API, and you can modify the URL, HTTP header, parameters, and the payload in the HTTP request to meet your integration needs.
  1. Create an HTTP server profile to forward logs to an HTTP/S destination.
    The HTTP server profile allows you to specify how to access the server and define the format in which to forward logs to the HTTP/S destination. By default, the firewall uses the management port to forward these logs. However, you can assign a different source interface and IP address in Service Route Configuration.
    1. Select
      Server Profiles
      a new profile.
    2. Specify a
      for the server profile, and select the
      . The profile can be
      across all virtual systems or can belong to a specific virtual system.
    3. Add the details for each server. Each profile can have a maximum of four servers.
    4. Enter a
      and IP
    5. Select the
      ). The default
      is 80 or 443 respectively but you can modify the port number to match the port on which your HTTP server listens.
    6. Select the
      TLS Version
      supported on the server—
      , or
    7. Select the Certificate Profile to use for the TLS connection with the server.
    8. Select the
      HTTP Method
      that the third-party service supports—
      (default), or
    9. (Optional) Enter the
      for authenticating to the server, if needed.
    10. (Optional) Select Test Server Connection to verify network connectivity between the firewall and the HTTP/S server.
  2. Select the Payload Format for the HTTP request.
    1. Select the Log Type link for each log type for which you want to define the HTTP request format.
    2. Select the Pre-defined Formats (available through content updates) or create a custom format.
      If you create a custom format, the
      is the resource endpoint on the HTTP service. The firewall appends the URI to the IP address you defined earlier to construct the URL for the HTTP request. Ensure that the URI and payload format match the syntax that your third-party vendor requires. You can use any attribute supported on the selected log type within the HTTP Header, the Parameter and Value pairs, and in the request payload.
    3. Send Test Log to verify that the HTTP server receives the request. When you interactively send a test log, the firewall uses the format as is and does not replace the variable with a value from a firewall log. If your HTTP server sends a 404 response, provide values for the parameters so that the server can process the request successfully.
  3. Define the match criteria for when the firewall will forward logs to the HTTP server and attach the HTTP server profile you will use.
    1. Select the log types for which you want to trigger a workflow:
      • Add a Log Forwarding Profile (Log Forwarding) for logs that pertain to user activity (for example, Traffic, Threat, or Authentication logs).
      • Select Log Settings for logs that pertain to system events, such as Configuration or System logs.
    2. Select the Log Type and use the new Filter Builder to define the match criteria.
    3. Add the HTTP server profile for forwarding logs to the HTTP destination.
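
On the receiving side, the Send Test Log behavior described above means the server should tell a test request (format sent as is) apart from a real log before it triggers any action. The following is an added example, not vendor code: it assumes the firewall presents the configured credentials as HTTP Basic authentication, that the custom payload is JSON, that variables are written as `$name`, and the field names `src`, `action`, and `rule` are hypothetical.

```python
import base64, hmac, json, re

# Assumption: variables in the custom format look like $name; adjust to your format.
PLACEHOLDER = re.compile(r"^\$[A-Za-z_][A-Za-z0-9_-]*$")

def check_basic_auth(headers, user, password):
    """Constant-time check of an HTTP Basic Authorization header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:  # malformed base64 or non-ASCII token
        return False
    return hmac.compare_digest(supplied, f"{user}:{password}".encode())

def handle_forwarded_log(headers, body, user, password, required=("src", "action")):
    """Return (status, detail) for one forwarded-log request."""
    if not check_basic_auth(headers, user, password):
        return 401, "bad credentials"
    try:
        event = json.loads(body)
    except ValueError:  # invalid JSON or invalid UTF-8
        return 400, "payload is not JSON"
    if not isinstance(event, dict):
        return 400, "payload is not a JSON object"
    missing = [k for k in required if k not in event]
    if missing:
        return 400, "missing fields: " + ",".join(missing)
    literal = sorted(k for k, v in event.items()
                     if isinstance(v, str) and PLACEHOLDER.match(v))
    if literal:
        # Test logs arrive with variables unsubstituted: acknowledge, take no action.
        return 202, "test log, unsubstituted: " + ",".join(literal)
    return 200, "accepted"

# Constructed sample requests (not captured from a firewall).
AUTH = {"Authorization": "Basic " + base64.b64encode(b"fw-logs:s3cret").decode()}
REAL = b'{"src": "10.1.1.5", "action": "deny", "rule": "block-out"}'
TEST = b'{"src": "$src", "action": "$action", "rule": "$rule"}'

if __name__ == "__main__":
    for body in (REAL, TEST):
        print(handle_forwarded_log(AUTH, body, "fw-logs", "s3cret"))
```

Acknowledging the test request without acting on it keeps an unsubstituted variable from reaching whatever workflow the real logs trigger.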
