Configure Log Forwarding
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure Log Forwarding
In an environment where you use multiple firewalls
to control and analyze network traffic, any single firewall can
display logs and reports only for the traffic it monitors. Because
logging in to multiple firewalls can make monitoring a cumbersome
task, you can more efficiently achieve global visibility into network
activity by forwarding the logs from all firewalls to Panorama or
external services. If you Use External Services for Monitoring,
the firewall automatically converts the logs to the necessary format:
syslog messages, SNMP traps, email notifications, or as an HTTP
payload to send the log details to an HTTP(S) server. In cases where
some teams in your organization can achieve greater efficiency by
monitoring only the logs that are relevant to their operations,
you can create forwarding filters based on any log attributes (such
as threat type or source user). For example, a security operations
analyst who investigates malware attacks might be interested only
in Threat logs with the type attribute set to wildfire-virus.
By
default, logs are forwarded over the management interface unless
you configure a dedicated service route to forward
logs. Forwarded logs have a maximum log record size of 4,096 bytes.
A forwarded log with a log record size larger than the maximum is
truncated at 4,096 bytes while logs that do not exceed the maximum
log record size are not.
Log forwarding
is supported only for supported log fields.
Forwarding logs that contain unsupported log fields or pseudo-fields causes
the firewall to crash.
You can forward logs from
the firewalls directly to external services or from the firewalls
to Panorama and then configure Panorama to forward logs to the servers.
Refer to Log Forwarding Options for the factors
to consider when deciding where to forward logs.
You can use Secure Copy (SCP) commands from the CLI to
export the entire log database to an SCP server and import it to
another firewall. Because the log database is too large for an export
or import to be practical on the PA-7000 Series firewall, it does
not support these options. You can also use the web interface on
all platforms to View and Manage Reports,
but only on a per log type basis, not for the entire log database.
- Configure a server profile for each external service that will receive log information.You can use separate profiles to send different sets of logs, filtered by log attributes, to a different server. To increase availability, define multiple servers in a single profile.Configure one or more of the following server profiles:
- (Required for SMTP over TLS) If you have not already done so, create a certificate profile for the email server.
- 2 To enable the SNMP manager (trap server) to interpret firewall traps, you must load the Palo Alto Networks Supported MIBs into the SNMP manager and, if necessary, compile them. For details, refer to your SNMP management software documentation.
- If the syslog server requires client authentication, you must also 5
- Configure an HTTP server profile (see Forward Logs to an HTTP/S Destination).Log forwarding to an HTTP server is designed for log forwarding at low frequencies and is not recommend for deployments with a high volume of log forwarding. You may experience log loss when forwarding to an HTTP server if your deployment generate a high volume of logs that need to be forwarded.
- Create a Log Forwarding profile.The profile defines the destinations for Traffic, Threat, WildFire Submission, URL Filtering, Data Filtering, Tunnel and Authentication logs.
- SelectandObjectsLog ForwardingAdda profile.
- Enter aNameto identify the profile.If you want the firewall to automatically assign the profile to new security rules and zones, enterdefault. If you don’t want a default profile, or you want to override an existing default profile, enter aNamethat will help you identify the profile when assigning it to security rules and zones.If no log forwarding profile nameddefaultexists, the profile selection is set toNoneby default in new security rules (Log Forwardingfield) and new security zones (Log Settingfield), although you can change the selection.
- Addone or more match list profiles.The profiles specify log query filters, forwarding destinations, and automatic actions such as tagging. For each match list profile:
- Enter aNameto identify the profile.
- Select theLog Type.
- In theFilterdrop-down, selectFilter Builder. Specify the following and thenAddeach query:
- Connectorlogic (and/or)
- LogAttribute
- Operatorto define inclusion or exclusion logic
- AttributeValuefor the query to match
- SelectPanoramaif you want to forward logs to Log Collectors or the Panorama management server.
- For each type of external service that you use for monitoring (SNMP, Email, Syslog, and HTTP),Addone or more server profiles.
- (Optional, GlobalProtect Only) If you are using a log forwarding profile with a security policy to automatically quarantine a device using GlobalProtect, selectQuarantinein theBuilt-in Actionsarea.
- ClickOKto save the Log Forwarding profile.
- Assign the Log Forwarding profile to policy rules and network zones.Security, Authentication, and DoS Protection rules support log forwarding. In this example, you assign the profile to a Security rule.Perform the following steps for each rule that you want to trigger log forwarding:
- Selectand edit the rule.PoliciesSecurity
- SelectActionsand select theLog Forwardingprofile you created.
- Set theProfile TypetoProfilesorGroup, and then select the security profiles orGroup Profilerequired to trigger log generation and forwarding for:
- Threat logs—Traffic must match any security profile assigned to the rule.
- WildFire Submission logs—Traffic must match a WildFire Analysis profile assigned to the rule.
- For Traffic logs, selectLog At Session Startand/orLog At Session End.Log At Session Startconsumes more resources than logging only at the session end. In most cases, you onlyLog At Session End. Enable bothLog At Session StartandLog At Session Endonly for troubleshooting, for long-lived tunnel sessions such as GRE tunnels (you can't see these sessions in the ACC unless you log at the start of the session), and to gain visibility into Operational Technology/Industrial Control Systems (OT/ICS) sessions, which are also long-lived sessions.
- ClickOKto save the rule.
- Configure the destinations for System, Configuration, Correlation, GlobalProtect, HIP Match, and User-ID logs.Panorama generates Correlation logs based on the firewall logs it receives, rather than aggregating Correlation logs from firewalls.
- Select.DeviceLog Settings
- For each log type that the firewall will forward, see Step Add one or more match list profiles.
- (PA-7000 Series firewalls with Log Cards only) Configure a log card interface to perform log forwarding.As of PAN-OS 10.1, you can no longer forward system logs and other Management plane logs using the Management interface or service routes. The only way to forward system logs from a PA-7000 Series firewall with a LFC running PAN-OS 10.1 or later is by configuring a log card interface
- Selectand clickNetworkInterfacesEthernetAdd Interface.
- Select theSlotandInterface Name.
- Set theInterface TypetoLog Card.
- Enter theIP Address,Default Gateway, and (for IPv4 only)Netmask.
- SelectAdvancedand specify theLink Speed,Link Duplex, andLink State.These fields default toauto, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommendedLink Speedfor any connection is1000(Mbps).
- ClickOKto save your changes.
- (PA-5450 firewall only) Configure a log interface to perform log forwarding.This step is not required if you are forwarding logs to a Panorama or Cortex Data Lake using the management interface. The management interface handles log forwarding by default and does not require the log interface to be configured.
- (PAN-OS 10.2.0 and 10.2.1) The management interface handles log forwarding by default unless you configure a specific service route for log forwarding.
- (PAN-OS 10.2.2 and later releases) The management interface handles log forwarding by default unless you configure the log interface or a specific service route for log forwarding. If a log interface is configured and committed, all internal logging, CDL, SNMP, HTTP, and Syslog will be forwarded by the log interface.
Ensure that the log interface you are configuring is not in the same subnetwork as the management interface. Configuring both interfaces in the same subnetwork can cause connectivity issues and result in the wrong interface being used for log forwarding.LOG-1 and LOG-2 are bundled as a single logical interface calledbond1. Bond1 uses LACP (link aggregation control protocol) as IEEE 802.3ad. Set theModefor LACP status queries toActiveand theTransmission Ratefor LACP query and response exchanges toSlow.- Select.DeviceSetupManagement
- Select the settings gear on the top menu bar ofLog Interface.
- Fill in theIP Address,Netmask, andDefault Gatewayfields.If your network uses IPv6, fill in theIPv6 AddressandIPv6 Default Gatewayfields instead.When the log interface is configured with an IP address, communication between the firewall and Panorama automatically switches from being handled by the management interface (default) to the log interface.
- Specify theLink Speed,Link Duplex, andLink State. These fields default toauto, which specifies that the firewall automatically determines the values based on the connection.
- ClickOKto save your changes.
- Commit and verify your changes.
- Commityour changes.
- Verify the log destinations you configured are receiving firewall logs:
- Panorama—If the firewall forwards logs to a Panorama virtual appliance in Panorama mode or to an M-Series appliance, you must configure a Collector Group before Panorama will receive the logs. You can then verify log forwarding.
- Email server—Verify that the specified recipients are receiving logs as email notifications.
- Syslog server—Refer to your syslog server documentation to verify it’s receiving logs as syslog messages.
- SNMP manager—Use an SNMP Manager to Explore MIBs and Objects to verify it’s receiving logs as SNMP traps.
- HTTP server—Forward Logs to an HTTP/S Destination.