End-of-Life (EoL)
In addition to its central deployment and firewall configuration features, Panorama also allows you to monitor and report on all traffic that traverses your network. While the reporting capabilities on Panorama and the firewall are very similar, the advantage that Panorama provides is that it is a single pane view of aggregated information across all your managed firewalls. This aggregated view provides actionable information on trends in user activity, traffic patterns, and potential threats across your entire network.
Using the Application Command Center (ACC), the App-Scope, the log viewer, and the standard, customizable reporting options on Panorama, you can quickly learn more about the traffic traversing the network. The ability to view this information allows you to evaluate where your current policies are adequate and where they are insufficient. You can then use this data to augment your network security strategy. For example, you can enhance the security rules to increase compliance and accountability for all users across the network, or manage network capacity and minimize risks to assets while meeting the rich application needs for the users in your network.
The following topics provide a high-level view of the reporting capabilities on Panorama, including a couple of use cases to illustrate how you can use these capabilities within your own network infrastructure. For a complete list of the available reports and charts and the description of each, refer to the online help.
Monitor the Network with the ACC and AppScope
Both the ACC and the AppScope allow you to monitor and report on the data recorded from traffic that traverses your network.
The ACC on Panorama displays a summary of network traffic. Panorama can dynamically query data from all the managed firewalls on the network and display it in the ACC. This display allows you to monitor the traffic by applications, users, and content activity—URL categories, threats, security policies that effectively block data or files—across the entire network of Palo Alto Networks next-generation firewalls.
The AppScope helps identify unexpected or unusual behavior on the network at a glance. It includes an array of charts and reports—Summary Report, Change Monitor, Threat Monitor, Threat Map, Network Monitor, Traffic Map—that allow you to analyze traffic flows by threat or application, or by the source or destination for the flows. You can also sort by session or byte count.
Use the ACC and the AppScope to answer questions such as:
ACC Monitor > AppScope
What are the top applications used on the network and how many are high-risk applications? Who are the top users of high-risk applications on the network? What are the top URL categories being viewed in the last hour? What are the application usage trends—what are the top five applications that have gained use and the top five that have decreased in use? How has user activity changed over the current week as compared to last week or last month?
What are the top bandwidth-using applications? Who are the users/hosts that consume the highest bandwidth? What content or files are being blocked and are there specific users who trigger this File Blocking/Data Filtering rule? What is the amount of traffic exchanged between two specific IP addresses or generated by a specific user? Where is the destination server or client located geographically? Which users and applications take up most of the network bandwidth? And how has this consumption changed over the last 30 days? What are the threats on the network, and how are these incoming and outgoing traffic threats distributed geographically?
You can then use the information to maintain or enforce changes to the traffic patterns on your network. See Use Case: Monitor Applications Using Panorama for a glimpse into how the visibility tools on Panorama can influence how you shape the acceptable use policies for your network.
Here are a few tips to help you navigate the ACC:
Switch from a Panorama view to a Device view —Use the Context drop-down to access the web interface of any managed firewall. For details, see Context Switch—Firewall or Panorama. Change Device Group and Data Source —The default Data Source used to display the statistics on the charts in the ACC is Panorama local data, and the default Device Group setting is All. Using the local data on Panorama provides a quick load time for the charts. You can, however, change the data source to Remote Device Data if all the managed firewalls are on PAN-OS 7.0 or a later release. If the managed firewalls have a mix of PAN-OS 7.0 and earlier releases, you can only view Panorama data. When configured to use Remote Device Data, Panorama will poll all the managed firewalls and present an aggregated view of the data. The onscreen display indicates the total number of firewalls being polled and the number of firewalls that have responded to the query for information. Select the Tabs and Widgets to View —The ACC includes three tabs and an array of widgets that allow you to find the information that you care about. With the exception of the application usage widget and host information widget, all the other widgets display data only if the corresponding feature has been licensed on the firewall, and you have enabled logging. Tweak Time Frame and Refine Data —The reporting time period in the ACC ranges from the last 15 minutes to the last hour, day, week, month, or any custom-defined time. By default, each widget displays the top 10 items and aggregates all the remaining items as others. You can sort the data in each widget using various attributes—for example, sessions, bytes, threats, content, and URLs. You can also set local filters to filter the display within the table and graph in a widget, and then promote the widget filter as a global filter to pivot the view across all the widgets in the ACC.
Analyze Log Data
The Monitor tab on Panorama provides access to log data; these logs are an archived list of sessions that have been processed by the managed firewalls and forwarded to Panorama.
Log data can be broadly grouped into two types: those that detail information on traffic flows on your network such as applications, threats, host information profiles, URL categories, content/file types and those that record system events, configuration changes and alarms.
Based on the log forwarding configuration on the managed firewalls, the Monitor > Logs tab can include logs for traffic flows, threats, URL filtering, data filtering, host information profile (HIP) matches, and WildFire submissions. You can review the logs to verify a wealth of information on a given session or transaction. Some examples of this information are the user who initiated the session, the action (allow or deny) that the firewall performed on the session, and the source and destination ports, zones, and addresses. The System and Config logs can indicate a configuration change or an alarm that the firewall triggered when a configured threshold was exceeded.
If Panorama will manage firewalls running software versions earlier than PAN-OS 7.0, specify a WildFire server from which Panorama can gather analysis information for WildFire samples that those firewalls submit. Panorama uses the information to complete WildFire Submissions logs that are missing field values introduced in PAN-OS 7.0. Firewalls running earlier releases won’t populate those fields. To specify the server, select Panorama > Setup > WildFire, edit the General Settings, and enter the WildFire Private Cloud name. The default is wildfire-public-cloud, which is the WildFire cloud hosted in the United States.
Generate, Schedule, and Email Reports
Panorama allows you to generate reports manually as needed, or schedule reports to run at specific intervals. You can save and export reports, or you can configure Panorama to email reports to specific recipients. The ability to share reports using email is particularly useful if you want to share reporting information with administrators who do not have access to Panorama.
It is recommended that you install matching software releases on Panorama and the firewalls for which you will generate reports. For example, if the Panorama management server runs Panorama 6.1, install PAN-OS 6.1 on its managed firewalls before generating the reports. This practice avoids issues that might occur if you create reports that include fields supported in the Panorama release but not supported in an earlier PAN-OS release on the firewalls.
You can create the following types of reports:
Report Type Description
Predefined A suite of predefined reports in the Monitor > Reports tab that are available in four categories: Applications, Threats, URL Filtering, and Traffic.
User-activity The user activity report is a predefined report that is used to create an on-demand report to document the application use and URL activity broken down by URL category for a specific user with estimated browse time calculations. This report is available in the Monitor > PDF Reports > User Activity Reports tab.
Custom Create and schedule custom reports that display exactly the information you want by filtering the conditions and columns to include. To view the databases available for generating custom reports, see the Monitor > Manage Custom Reports tab. You can generate reports to query data from Summary Databases on Panorama ( Panorama Data) or on the managed firewalls ( Remote Device Data), or use the Detailed Logs on Panorama or on the managed firewalls. You can also create Report Groups ( Monitor > PDF Reports > Report Groups tab) to compile predefined reports and custom reports as a single PDF.
PDF Summary Aggregate up to 18 predefined reports, graphs, and custom reports into one PDF document.
Generate, Schedule, and Email Reports
Generate reports. The steps to generate a report depend on the type: Create a custom report. Select Monitor > Manage Custom Reports. Click Add and enter a Name for the report. Select a Database for the report. You can use a summary database or detailed logs on Panorama or on the managed firewalls. Select the Scheduled check box. Define your filtering criteria. Select the Time Frame, the Sort By order, Group By preference, and select the columns that must display in the report. Selecting the Sort By order is required to generate an accurate report. If you do not select a Sort By order, the generated custom report is populated with the most recent log matches for the selected database. ( Optional ) Select the Query Builder attributes to further refine the selection criteria. To test the report settings, select Run Now. If necessary, modify the settings to change the information that the report displays. Click OK to save the custom report. Run a PDF Summary Report. Select Monitor > PDF Reports > Manage PDF Summary. Click Add and enter a Name for the report. Use the drop-down for each report group and select one or more of the elements to design the PDF Summary Report. You can include up to 18 elements. Click OK t o save the settings.
Configure a Report Group. It can include predefined reports, PDF Summary reports, and custom reports. Panorama compiles all the included reports into a single PDF. Select Monitor > PDF Reports > Report Groups. Click Add and enter a Name for the report group. ( Optional ) Select the Title Page check box and add a Title for the PDF output. Select from the Predefined Report, PDF Summary Report and the Custom Report lists. Click Add to include the selected reports in the report group. Click OK to save the settings.
Configure an Email server profile. Select Panorama > Server Profiles > Email. Click Add and enter a Name for the profile. For each Simple Mail Transport Protocol (SMTP) server (up to four), click Add and enter the information required to connect to the server and send email: Name —A name to identify the SMTP server (1-31 characters). This field is just a label and doesn’t have to be the hostname of an existing server. Email Display Name —The name to display in the From field of the email. From —The email address where notification emails will be sent from. To —The email address to which notification emails will be sent. Additional Recipient —To send notifications to a second account, enter the additional address here. Email Gateway —The IP address or hostname of the SMTP gateway to use to send the emails. Click OK to save the profile.
Schedule the report for email delivery. Select Monitor > PDF Reports > Email Scheduler. Click Add and enter a Name for the email scheduler profile. Select the Report Group, the Email server profile you just created ( Email Profile), and the Recurrence for the report. To verify that the email settings are accurate, click Send test email. Click OK and Commit, for the Commit Type select Panorama, and click Commit again.

Recommended For You