Configure Tracking of Administrator Activity

Track activity of Panorama™ management server administrators on the web interface or CLI for auditing purposes.
Track administrator activity on the web interface and CLI of your Panorama™ management server, managed firewalls, and Log Collectors to achieve real-time reporting of activity across your deployment. If you have reason to believe an administrator account is compromised, you have a full history of where that account navigated in the web interface and which operational commands it executed, so you can analyze and respond to every action taken with the compromised account.
An audit log is generated and forwarded to the specified syslog server each time an administrator navigates through the web interface or executes an operational command in the CLI. One audit log is generated for each navigation or command executed. For example, if you create a new address object, an audit log is generated when you click Objects, and a second audit log is generated when you then click Addresses.
Audit logs are only visible as syslogs forwarded to your syslog server and cannot be viewed in the Panorama or managed firewall web interface. Audit logs can only be forwarded to a syslog server, cannot be forwarded to Cortex Data Lake, and are not stored locally on the firewall, Panorama, or Log Collector.
  1. Configure a syslog server profile to forward audit logs of administrator activity for Panorama, managed firewalls, and Log Collectors.
    This step is required to successfully store audit logs for tracking administrator activity.
    1. Select Panorama > Server Profiles > Syslog and Add a new syslog server profile.
  2. Configure administrator activity tracking for your managed firewalls.
    This step is required to successfully store audit logs for tracking administrator activity on managed firewalls.
    1. Select Device > Setup > Management and edit the Logging and Reporting Settings.
    2. Select Commit and Commit and Push.
  3. Configure administrator activity tracking for Panorama.
    1. Select Panorama > Setup > Management and edit the Logging and Reporting Settings.
    2. Select Log Export and Reporting.
    3. In the Log Admin Activity section, configure what administrator activity to track.
      • Operational Commands: Generate an audit log when an administrator executes an operational or debug command in the CLI or an operational command triggered from the web interface. See the CLI Operational Command Hierarchy for a full list of PAN-OS operational and debug commands.
      • UI Actions: Generate an audit log when an administrator navigates throughout the web interface. This includes navigation between configuration tabs, as well as individual objects within a tab.
        For example, an audit log is generated when an administrator navigates from the ACC to the Policies tab. Additionally, an audit log is generated when an administrator navigates from Objects > Addresses to Objects > Tags.
      • Syslog Server: Select a target syslog server profile to forward audit logs.
    4. Click OK.
    5. Select Commit and Commit to Panorama.
  4. Configure administrator activity tracking for Log Collectors in a Collector Group.
    1. Select Panorama > Collector Groups and click a Collector Group.
    2. Select Audit.
    3. In the Log Admin Activity section, configure audit tracking for CLI activity.
      You can only track CLI activity for Log Collectors because you can only access Log Collectors through the CLI.
      • Operational Commands: Generate an audit log when an administrator executes an operational or debug command in the CLI. See the CLI Operational Command Hierarchy for a full list of PAN-OS operational and debug commands.
      • Syslog Server: Select a target syslog server profile to forward audit logs.
    4. Click OK.
    5. Select Commit and Commit to Panorama.
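
Because the audit logs exist only on the syslog server, an account's history has to be rebuilt from the lines stored there. The following added example (not Palo Alto Networks code) merges lines received from Panorama, managed firewalls, and Log Collectors into one time-ordered history per administrator. The message layout, host names, and the `build_timelines` and `hosts_touched` helpers are assumptions, since this page does not show the audit log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# ASSUMED message layout, not the PAN-OS audit log format: an ISO 8601
# timestamp and hostname, then admin=, type= and a quoted detail= field.
# Replace PATTERN with one matching the lines your syslog server stores.
PATTERN = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) admin=(?P<admin>\S+) '
    r'type=(?P<type>ui|op) detail="(?P<detail>[^"]*)"$'
)

# Constructed sample lines (not captured from a real device).
SAMPLE = """\
2024-05-01T10:00:05+00:00 panorama-1 admin=alice type=ui detail="Objects"
2024-05-01T10:00:07+00:00 panorama-1 admin=alice type=ui detail="Objects > Addresses"
2024-05-01T10:03:40+00:00 collector-1 admin=alice type=op detail="show system info"
2024-05-01T10:01:12+00:00 fw-edge-1 admin=bob type=ui detail="Policies"
2024-05-01T10:02:00+00:00 fw-edge-1 admin=alice type=op detail="show admins"
truncated line from a dropped UDP datagram
"""

def build_timelines(text):
    """Return ({admin: [(time, host, type, detail), ...]}, unparsed_lines)."""
    timelines, unparsed = defaultdict(list), []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = PATTERN.match(line)
        if not m:
            unparsed.append(line)  # keep for review; never drop evidence silently
            continue
        ts = datetime.fromisoformat(m["ts"])
        timelines[m["admin"]].append((ts, m["host"], m["type"], m["detail"]))
    for events in timelines.values():
        events.sort(key=lambda e: e[0])  # arrival order differs across devices
    return dict(timelines), unparsed

def hosts_touched(timeline):
    """Devices an account was active on, in order of first activity."""
    seen = []
    for _, host, _, _ in timeline:
        if host not in seen:
            seen.append(host)
    return seen

if __name__ == "__main__":
    timelines, unparsed = build_timelines(SAMPLE)
    for ts, host, kind, detail in timelines["alice"]:
        print(ts.isoformat(), host, kind, detail)
    print("devices:", hosts_touched(timelines["alice"]), "unparsed:", len(unparsed))
```

Lines that do not match the pattern are returned separately so a malformed or truncated record is reviewed by hand instead of disappearing from the history.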
