Objects > Log Forwarding
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device Setup Ace
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Objects > Log Forwarding
By default, the logs that the firewall generates reside
only in its local storage. However, you can use Panorama™, the Logging
Service, or external services (such as a syslog server) to centrally
monitor log information by defining a Log Forwarding profile and
assigning that profile to Security, Authentication, DoS Protection,
and Tunnel Inspection policy rules. Log Forwarding profiles define
forwarding destinations for the following Log
Types: Authentication, Data Filtering, GTP, SCTP, Threat, Traffic,
Tunnel, URL Filtering, and WildFire® Submissions logs.
You should forward logs to Panorama or
to external storage for many reasons, including: compliance, redundancy,
running analytics, centralized monitoring, and reviewing threat
behaviors and long-term patterns. In addition, the firewall has
limited log storage capacity and deletes the oldest logs as when
the storage space fills up. Be sure to forward Threat logs and WildFire
logs.
To forward other log types, see Device
> Log Settings.
To enable a PA-7000 Series firewall to forward logs or
forward files to WildFire®, you must first configure a Log
Card Interface on the PA-7000 Series firewall. As soon as
you configure this interface, the firewall will automatically use
this port—there is no special configuration required. Just configure
a data port on one of the PA-7000 Series Network Processing Cards
(NPCs) as a Log Card interface type and ensure that the network
that you use can communicate with your log servers. For WildFire
forwarding, the network must communicate successfully with the WildFire
cloud or WildFire appliance (or both).
The following table describes the Log Forwarding profile settings.
Log Forwarding Profile
Settings | Description |
---|---|
Name | Enter a name (up to 64 characters) to identify
the profile. This name appears in the list of Log Forwarding profiles
when defining Security policy rules. The name is case-sensitive,
must be unique, and can contain only letters, numbers, spaces, hyphens,
and underscores. |
Shared (Panorama only) | Select this option if you want the profile
to be available to:
|
Enable enhanced application logs in cloud logging (including traffic and url logs) (Panorama only) | Enhanced Application Logs for
Palo Alto Networks Cloud Services is available with a Strata Logging Service subscription. Enhanced application
logging allows the firewall to collect data specifically intended to
increase visibility into network activity for apps running in the
Palo Alto Networks Cloud Services environment. |
Disable override (Panorama only) | Select this option to prevent administrators
from overriding the settings of this Log Forwarding profile in device
groups that inherit the profile. This selection is disabled (cleared)
by default, which means administrators can override the settings
for any device group that inherits the profile. |
Description | Enter a description to explain the purpose
of this Log Forwarding profile. |
Match List (unlabeled) | Add one or more match
list profiles (up to 64) that specify forwarding destinations, log
attribute-based filters to control which logs the firewall forwards,
and actions to perform on the logs (such as automatic tagging).
Complete the following two fields (Name and Description) for each
match list profile. |
Name (match list profile) | Enter a name (up to 31 characters) to identify
the match list profile. |
Description (match list profile) | Enter a description (up to 1,023 characters)
to explain the purpose of this match list profile. |
Log Type | Select the type of logs to which this match
list profile applies: authentication (auth), data, gtp, sctp, threat, traffic, tunnel, URL, or WildFire. |
Filter | By default, the firewall forwards All
Logs of the selected Log Type.
To forward a subset of the logs, select an existing filter from
the drop-down or select Filter Builder to
add a new filter. For each query in a new filter, specify the following
fields and Add the query:
To display or export the logs that the filter
matches, View Filtered Logs, which provides
the same options as the Monitoring tab pages (such
as MonitoringLogsTraffic). |
Panorama Panorama/Logging Service (Panorama
only) | Select Panorama if you want to forward
logs to Log Collectors or the Panorama management server or to forward
logs to the Logging Service. If you enable this option, you
must configure log forwarding to Panorama. To
use the Logging Service, you must also Enable the
Logging Service in Device
> Setup > Management. |
SNMP | Add one or more SNMP
Trap server profiles to forward logs as SNMP traps (see Device
> Server Profiles > SNMP Trap). |
Email | Add one or more Email
server profiles to forward logs as email notifications (see Device
> Server Profiles > Email). |
Syslog | Add one or more Syslog
server profiles to forward logs as syslog messages (see Device
> Server Profiles > Syslog). |
HTTP | Add one or more HTTP
server profiles to forward logs as HTTP requests (see Device
> Server Profiles > HTTP). |
Built-in Actions | You can select from two types of built-in
actions when you Add an action to perform—Tagging
and Integration.
To
add a device to the quarantine list based on the log forwarding profile
filter, select Quarantine. |