Configure Flow Logs

Prisma Cloud ingests the VPC flow logs from Amazon S3 buckets stored in a logging account and makes them available for network policy alerting and visualization. After onboarding your AWS account, you need to onboard the logging account that holds the S3 bucket storing VPC flow logs for the monitored account. The default retention period of flow logs is 30 days, after which they are purged, so you can query flow log data for the last 30 days. CloudWatch is the default selection for ingesting flow logs and does not require additional configuration.
When creating S3 flow logs on the AWS console, make sure to partition your flow logs for Every 1 hour (60 minutes). The hourly (60 minutes) partition provides better ingestion performance than the 24 hours partition. Selecting the additional fields on the AWS console that are used in the Internet exposure calculation in network policies addresses false positives for those network policies.
  1. On your AWS console, create a flow log with the following specifications.
    1. The new flow logs format requires all connection direction related fields. Here’s a sample format:
    2. Select all instead of manually selecting each field. Or you can choose custom format and select the following required fields:
      • account-id
      • action
      • interface-id
      • srcaddr
      • dstaddr
      • srcport
      • dstport
      • protocol
      • packets
      • bytes
      • start
      • end
      • log-status
      • region
      • version
      • tcp-flags
      • flow-direction
      • traffic-path
      • vpc-id
      • subnet-id
      • instance-id
      • pkt-srcaddr
      • pkt-dstaddr
      • pkt-src-aws-service
      • pkt-dst-aws-service
    3. Set Partition logs by time to Every 1 hour (60 minutes).
    4. Set Log file format to Text. Prisma Cloud supports ingestion of only text format files.
  2. You are not required to change anything on Prisma Cloud as long as the S3 bucket does not change.

Onboarded Accounts that Use S3

For your previously onboarded AWS accounts that are using S3 with the 24 hours partition, you can now select the hourly partition. Prisma Cloud checks whether the flow logs have all the permissions required for hourly partition (it does not check for the fields).
  1. After you Onboard Your AWS Account, select Settings > Cloud Accounts.
  2. Click the View icon next to the AWS account for which you want to configure the logging account and buckets to fetch flow logs from S3.
  3. Click Threat Detection.
  4. Select S3 under Flow Logs.
  5. Click Configure S3.
  6. Configure Logging Account.
    1. Click Add Logging Account or select from the logging accounts displayed (if you have previously set up logging accounts).
    2. Click Next.
    3. Enter an Account ID, Account Name, and Role Name and click Next. By default, the role name is prisma-cloud-logging-role, which you can customize.
      All the configured Logging Accounts are displayed. Select the Logging Account that contains the S3 bucket to which the VPC flow logs are being sent for the respective monitored account, or Add a new Logging Account as described in the step above.
  7. Configure Buckets.
    1. Enter a Bucket Name and the Bucket Region that you have configured as the destination for flow logs on the AWS Logging Account VPC Console. The Bucket Path Prefix (comma separated list) and Key ARN are optional. If you have a specific path prefix for flow logs or have configured bucket encryption (Key ARN), enter those values.
      If you’ve enabled hourly partitions, the files are published to the following location: bucket-and-optional-prefix/AWSLogs/account_id/vpcflowlogs/region/year/month/day/hour/
      In AWS, the bucket-and-optional-prefix is added to the S3 bucket ARN as a folder in the flow log settings page. Make sure you add the same bucket-and-optional-prefix in the prefix section in Prisma Cloud.
    2. Add or Remove multiple buckets used for logging.
  8. Click Next.
  9. Follow the steps displayed on Logging Account Template.
    1. Enter the Role ARN.
    2. Click Validate.
      You can proceed further only if the validation is successful and you see a green Validated checkmark.
      The CFT template is deployed on the Logging Account through your AWS Management Console.
  10. Click Save.
  11. Configure S3 Flowlogs.
    1. Select all the applicable Logging Buckets that Prisma Cloud can access and from which it can ingest flow logs.
    2. After selecting the Logging Buckets, click Validate to make sure Prisma Cloud has all basic required permissions and access.
      If all the required permissions are present, a green Validated checkmark displays. If not, an error message displays.
      If you want to configure a different logging account and buckets, click the Edit icon.
  12. Click Save.
    You can save your settings, regardless of the validation status.
    For accounts that are using CloudWatch and that you now want to upgrade to S3, the Enable Hourly Partition checkbox is selected and grayed out by default to ensure the hourly partition is used.
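The two things this page asks you to get right on the AWS side, the required custom-format fields and the hourly partition layout that the Bucket Path Prefix must match, can be checked before onboarding. The following script is an added example, not part of this page or of Prisma Cloud; the S3 keys, account ID and header lines it uses are constructed, and it assumes the text-format file's first line lists the field names of the log format, space separated.

```python
import re

# Custom-format fields the page lists as required (AWS console, custom format).
REQUIRED_FIELDS = (
    "account-id", "action", "interface-id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "log-status",
    "region", "version", "tcp-flags", "flow-direction", "traffic-path",
    "vpc-id", "subnet-id", "instance-id", "pkt-srcaddr", "pkt-dstaddr",
    "pkt-src-aws-service", "pkt-dst-aws-service",
)

# Hourly-partition layout from the page:
# bucket-and-optional-prefix/AWSLogs/account_id/vpcflowlogs/region/year/month/day/hour/<file>
HOURLY_KEY = re.compile(
    r"^(?P<prefix>(?:[^/]+/)*)AWSLogs/(?P<account>\d{12})/vpcflowlogs/"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/"
    r"(?P<h>\d{2})/(?P<file>[^/]+\.log\.gz)$"
)

def check_key(key, bucket_path_prefix=""):
    """Return (ok, reason) for an S3 object key against the hourly layout and the
    Bucket Path Prefix entered in Prisma Cloud (empty string if none)."""
    m = HOURLY_KEY.match(key)
    if not m:
        return False, "not in hourly layout (24-hour partition or unexpected path)"
    if m.group("prefix").rstrip("/") != bucket_path_prefix.strip("/"):
        return False, "prefix %r differs from configured %r" % (m.group("prefix"), bucket_path_prefix)
    if not 0 <= int(m.group("h")) <= 23:
        return False, "hour partition %s out of range" % m.group("h")
    return True, "hourly partition ok"

def missing_fields(header_line):
    """Return the required fields absent from a text-format file's header line."""
    present = set(header_line.split())
    return [f for f in REQUIRED_FIELDS if f not in present]

# Constructed sample data (not real account IDs, buckets or files).
HOURLY_SAMPLE = ("flowlogs/AWSLogs/123456789012/vpcflowlogs/us-east-1/2024/05/01/13/"
                 "123456789012_vpcflowlogs_us-east-1_fl-0123456789abcdef0_20240501T1300Z_deadbeef.log.gz")
DAILY_SAMPLE = ("flowlogs/AWSLogs/123456789012/vpcflowlogs/us-east-1/2024/05/01/"
                "123456789012_vpcflowlogs_us-east-1_fl-0123456789abcdef0_20240501T1300Z_deadbeef.log.gz")
FULL_HEADER = " ".join(REQUIRED_FIELDS)
DEFAULT_HEADER = ("version account-id interface-id srcaddr dstaddr srcport dstport "
                  "protocol packets bytes start end action log-status")  # AWS default v2 format

if __name__ == "__main__":
    for key in (HOURLY_SAMPLE, DAILY_SAMPLE):
        print(key.rsplit("/", 1)[0], "->", check_key(key, "flowlogs"))
    print("default format is missing:", missing_fields(DEFAULT_HEADER))
```

Run it against a handful of real keys listed from the logging bucket to confirm the hourly layout and the prefix you typed into Prisma Cloud agree before clicking Validate.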
