: Device > Setup > Telemetry
Focus
Focus

Device > Setup > Telemetry

Table of Contents
End-of-Life (EoL)

Device > Setup > Telemetry

Telemetry is the process of collecting and transmitting data for analysis. When you enable telemetry on the firewall, the firewall collects and forwards data that includes information on applications, threats, device health, and passive DNS to Palo Alto Networks. All Palo Alto Networks users benefit from the data that each telemetry participant shares, making telemetry a community-driven approach to threat prevention. Learn more about telemetry and its benefits
.
Telemetry is an opt-in feature and, for most telemetry data, you can preview the information that the firewall collects. Palo Alto Networks does not share your telemetry data with other customers or third-party organizations.
Select DeviceSetupTelemetry to choose telemetry data to share with Palo Alto Networks. The Threat Prevention Data and Threat Prevention Packet Captures reports provide Palo Alto Networks more visibility into your network traffic than other telemetry reports.
Telemetry Settings
Description
Report Sample
Click a report sample (
) to view an XML-formatted report in a separate tab. The data in the report sample is based on firewall activity in the four hours since you first viewed the report sample. The firewall provides a report sample for Application, Threat Prevention, URL, and File Type Identification reports only.
A report can consist of multiple reports:
  • Type—Describes the name of the report.
  • Aggregate—Lists the log fields that the firewall collects for the report (refer to Syslog Field Descriptions
    to determine the name of the fields as they appear in the firewall logs).
  • Values—Indicates the units of measure used in the report (for example, the value count for the Attacking Countries report refers to the number of times the firewall detected a threat event associated with a particular country).
A report sample does not display any entries if the firewall did not find any matching traffic for the report. You can only generate a new report sample when you restart the firewall.
Application Reports
(Disabled by default)
Share the number and size of known applications grouped by destination port, unknown applications grouped by destination port, and unknown applications grouped by destination IP address. The firewall generates these reports from Traffic logs.
When enabled, the firewall forwards Application Reports every 4 hours.
Threat Prevention Reports
(Disabled by default)
Share the number of threats for each source country and destination port, attacker information, and the correlation objects that threat events triggered when the firewall was collecting data for these reports.
When enabled, the firewall forwards Threat Prevention Reports every 4 hours.
URL Reports
(Disabled by default)
Share reports generated from URL filtering logs with the following PAN-DB URL categories: malware, phishing, dynamic DNS, proxy-avoidance, questionable, parked, and unknown (URLs that PAN-DB has not yet categorized). The firewall also sends PAN-DB statistics at the time that the data for the URL Reports was collected. These statistics include the version of the URL filtering database on the firewall and on the PAN-DB cloud, the number of URLs in those databases, and the number of URLs that the firewall categorized. These statistics are based on the time that the firewall forwarded the URL Reports.
When enabled, the firewall forwards URL Reports every 4 hours.
File Type Identification Reports
(Disabled by default)
Share reports about files that the firewall allowed or blocked based on data filtering
and file blocking
settings.
When enabled, the firewall forwards File Type Identification Reports every 4 hours.
Threat Prevention Data
(Disabled by default)
Share logs from threat events that triggered signatures that Palo Alto Networks is evaluating. The collected information may include source or victim IP addresses. Enabling this option also allows unreleased signatures—that Palo Alto Networks is currently testing—to run in the background. These signatures do not affect your security policy rules and firewall logs and have no impact to your firewall performance.
When enabled, the firewall forwards Threat Prevention Data every 5 minutes. Click Download Threat Prevention Data (
) to download a tarball file (.tar.gz) with the most recent 100 folders of Threat Prevention Data and Threat Prevention Packet Captures that the firewall forwarded to Palo Alto Networks. If you never enabled these settings or if you enabled them but no threat events have matched the conditions for these telemetry settings, the firewall does not generate a file and instead returns an error message.
Threat Prevention Packet Captures
(Disabled by default)
Share packet captures (if you enabled your firewall to take threat packet captures
) from threat events that trigger signatures that Palo Alto Networks is evaluating. The collected information may include source or victim IP addresses.
When enabled, the firewall forwards Threat Prevention Packet Captures every 5 minutes.
To enable Threat Prevention Packet Captures, you must also enable Threat Prevention Data.
Product Usage Statistics
(Disabled by default)
Share back traces of firewall processes that have failed, as well as information about the firewall status. Back traces outline the execution history of the failed processes. Product Usage Statistics also include details about the firewall model and the PAN-OS and content release versions installed on your firewall.
To view the information that the firewall sends as Product Usage Statistics, enter the following operational CLI command:
show system info
When enabled, the firewall forwards Product Usage Statistics every 5 minutes.
Passive DNS Monitoring
(Disabled by default)
Allow the firewall to act as a passive DNS sensor and send DNS information to Palo Alto Networks for analysis. The data you share through passive DNS monitoring consists solely of domain-to-IP address mappings. The Palo Alto Networks threat research team uses this information to improve PAN-DB URL category and DNS-based C2 signature accuracy and WildFire malware detection. Passive DNS monitoring is a global setting that applies to all firewall traffic.
When enabled, the firewall forwards Passive DNS Monitoring data in 1MB batches.
Select All
Enable all telemetry settings.
Deselect All
Disable all telemetry settings.