Configure Email Alerts

Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
What Do I Need?
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
You can configure email alerts for log types, such as System, Config, HIP Match, Correlation, Threat, WildFire Submission, and Traffic logs. For each log type, you can set up separate email profiles, allowing you to send notifications to different email servers based on the log type. To ensure high availability, you can define multiple servers (up to four) within a single profile. If one server fails or becomes unreachable, the system attempts to send the alert through the next available server.
It is a best practice to enable Transport Layer Security (TLS). This requires the firewall to authenticate with the email server before the firewall relays email to the server. Using TLS helps prevent malicious activities, such as Simple Mail Transfer Protocol (SMTP) relay attacks. Additionally, TLS helps to prevent email spoofing, which is commonly used in phishing attacks.

Configure Email Alerts (Strata Cloud Manager)

Configure email alerts for various log types and enable TLS to prevent SMTP relay and spoofing.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > NGFW and Prisma Access > Objects > Log Forwarding > Email Server Profile.
  3. Click Add Email Server.
  4. Enter a name, and click Add Email Server Profile.
  5. Enter a Name.
  6. (Optional) Enter an Email Display Name to specify the name to display in the From field of the email.
  7. Enter the email address From which the firewall sends emails.
  8. Enter the email address To which the firewall sends emails.
  9. (Optional) If you want to send emails to a second account, enter the address of the Additional Recipient. You can add only one additional recipient. For multiple recipients, add the email address of a distribution list.
  10. Enter the IP address or hostname of the Email Gateway to use for sending emails.
  11. Select the Type of protocol to use to connect to the email server:
    • Unauthenticated SMTP—Use SMTP to connect to the email server without authentication. The default Port is 25, but you can optionally specify a different port. This protocol does not provide the same security as SMTP over TLS, but if you select this protocol, skip the next step.
    • SMTP over TLS—(Recommended) Use TLS to require authentication to connect to the email server. Continue to the next step to configure the TLS authentication.
  12. (SMTP over TLS only) Configure the firewall to use TLS authentication to connect to the email server.
    1. (Optional) Specify the Port to use to connect to the email server (default is 587).
    2. TLS Version—Specify the TLS version (1.1 or 1.2).
      Palo Alto Networks strongly recommends using the latest TLS version.
    3. Select the Authentication Method for the firewall and the email server:
      • Auto—Allow the firewall and the email server to determine the authentication method.
      • Login—Use Base64 encoding for the username and password and transmit them separately.
      • Plain—Use Base64 encoding for the username and password and transmit them together.
    4. Select a Certificate Profile to authenticate with the email server.
    5. Enter the Username and Password of the account that sends the emails, then Confirm Password.
  13. Click Add to save the Email server profile.
  14. (Optional) Select the Custom Log Format tab and customize the format of the email messages. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
  15. Configure email alerts for Traffic, Threat, and WildFire Submission logs.
    1. Select Objects > Log Forwarding.
    2. Click Add Log Forwarding Profile, and enter a Name to identify the profile.
    3. For each log type and each severity level or WildFire verdict, select the Email server profile, and click Save.
  16. Push Config to push your configuration changes.

Configure Email Alerts (PAN-OS)

  1. (Required for SMTP over TLS) If you have not already done so, create a certificate profile for the email server.
  2. Select Device > Server Profiles > Email.
  3. Add an email server profile and enter a Name.
  4. From the read-only window that appears, Add the email server and enter a Name.
  5. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
  6. (Optional) Enter an Email Display Name to specify the name to display in the From field of the email.
  7. Enter the email address From which the firewall sends emails.
  8. Enter the email address To which the firewall sends emails.
  9. (Optional) If you want to send emails to a second account, enter the address of the Additional Recipient. You can add only one additional recipient. For multiple recipients, add the email address of a distribution list.
  10. Enter the IP address or hostname of the Email Gateway to use for sending emails.
  11. Select the Type of protocol to use to connect to the email server:
    • Unauthenticated SMTP—Use SMTP to connect to the email server without authentication. The default Port is 25, but you can optionally specify a different port. This protocol does not provide the same security as SMTP over TLS, but if you select this protocol, skip the next step.
    • SMTP over TLS—(Recommended) Use TLS to require authentication to connect to the email server. Continue to the next step to configure the TLS authentication.
  12. (SMTP over TLS only) Configure the firewall to use TLS authentication to connect to the email server.
    1. (Optional) Specify the Port to use to connect to the email server (default is 587).
    2. TLS Version—Specify the TLS version (1.1 or 1.2).
      Palo Alto Networks strongly recommends using the latest TLS version.
    3. Select the Authentication Method for the firewall and the email server:
      • Auto—Allow the firewall and the email server to determine the authentication method.
      • Login—Use Base64 encoding for the username and password and transmit them separately.
      • Plain—Use Base64 encoding for the username and password and transmit them together.
    4. Select a Certificate Profile to authenticate with the email server.
    5. Enter the Username and Password of the account that sends the emails, then Confirm Password.
    6. (Optional) To confirm that the firewall can successfully authenticate with the email server, you can Test Connection.
  13. Click OK to save the Email server profile.
  14. (Optional) Select the Custom Log Format tab and customize the format of the email messages. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
  15. Configure email alerts for Traffic, Threat, and WildFire Submission logs.
    1. See Create a Log Forwarding profile.
      1. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
      2. For each log type and each severity level or WildFire verdict, select the Email server profile and click OK.
  16. Configure email alerts for System, Config, HIP Match, and Correlation logs.
    1. Select Device > Log Settings.
    2. For System and Correlation logs, click each Severity level, select the Email server profile, and click OK.
    3. For Config and HIP Match logs, edit the section, select the Email server profile, and click OK.
    4. Click Commit.
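
The Login and Plain authentication methods in step 12 of both procedures only Base64-encode the credentials. The following sketch is an added example, not Palo Alto Networks code: it builds the client side of both SMTP AUTH exchanges and decodes them again. The username `test` and password `1234` are constructed sample values.

```python
import base64

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def auth_plain(user: str, password: str) -> list:
    """Plain: one Base64 token holding NUL + username + NUL + password (RFC 4616)."""
    return ["AUTH PLAIN " + _b64(b"\0" + user.encode() + b"\0" + password.encode())]

def auth_login(user: str, password: str) -> list:
    """Login: username and password Base64-encoded and sent as separate lines."""
    return ["AUTH LOGIN", _b64(user.encode()), _b64(password.encode())]

def decode_auth(client_lines: list) -> tuple:
    """Reverse either exchange; no key is needed because Base64 is only an encoding."""
    first = client_lines[0]
    if first.startswith("AUTH PLAIN "):
        raw = base64.b64decode(first.split(" ", 2)[2])
        _authzid, user, password = raw.split(b"\0", 2)
    elif first == "AUTH LOGIN":
        user, password = (base64.b64decode(line) for line in client_lines[1:3])
    else:
        raise ValueError("not an AUTH PLAIN or AUTH LOGIN exchange")
    return user.decode(), password.decode()

if __name__ == "__main__":
    # Constructed sample credentials, not taken from any real profile.
    for build in (auth_plain, auth_login):
        lines = build("test", "1234")
        print(build.__name__, lines, "->", decode_auth(lines))
```

Because either form decodes without a key, the sending account's password is protected only by the TLS session and by the Certificate Profile used to validate the email server.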