<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Report-based Logging Without Interfering With Policies in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/report-based-logging-without-interfering-with-policies/m-p/71839#M40949</link>
    <description>&lt;P&gt;Take one of the ports on your firewall and turn it into a TAP port, and place it in a zone called TAP. &amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="line-height: 20px;"&gt;Now, have your L2/L3 switch mirror one (or more) firewall interfaces and feed that back into the TAP port on the firewall. &lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="line-height: 20px;"&gt;When you want to log all instances of "ping", you can create a policy on your firewall that says "permit from TAP to TAP app=ping with logging enabled".&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="line-height: 20px;"&gt;This comes at the cost of additional firewall CPU utilization, as the firewall will be forced to process the traffic twice. &amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 29 Jan 2016 14:38:44 GMT</pubDate>
    <dc:creator>jvalentine</dc:creator>
    <dc:date>2016-01-29T14:38:44Z</dc:date>
    <item>
      <title>Report-based Logging Without Interfering With Policies</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/report-based-logging-without-interfering-with-policies/m-p/71718#M40902</link>
      <description>&lt;P&gt;Hi PANland, I'm back with another implementation question th&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So PAN devices log when you tell them to, but for their reports feature it seems that with or without logs they will keep immutable counters of very basic information that has to be parsed anyway to make it through the firewall (i.e. application, source, etc.). Here’s my situation: I’m noticing a (possibly) high number of pings in the daily top applications report. However, when I click to see app scope information about pings for that day, the scope comes up blank in all categories.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;My assumption is, that’s because no pings have been logged in that day (checking the traffic/threat logs), therefore there’s nothing for the system to grab besides counters that are inherently unrelated to one another. Is there any method available such that I can perhaps place a “lens” or policy of some sort to tell the device to log all instances of some basic rule? In this case it would be “application: ping”. I’m attempting to figure out a way to do it from policies alone without changing how our firewall already handles pings and without logging anything extra in the process. Now I'm not a dev nor do I have any clue how this puppy works outside of what the docs and CLI logs tell me, but I feel there's gotta be a simpler way.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Feel free to correct me in my PANjutsu path if I’m forgetting a feature that handles this specifically.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jan 2016 19:16:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/report-based-logging-without-interfering-with-policies/m-p/71718#M40902</guid>
      <dc:creator>joshuahiggins</dc:creator>
      <dc:date>2016-01-27T19:16:33Z</dc:date>
    </item>
    <item>
      <title>Re: Report-based Logging Without Interfering With Policies</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/report-based-logging-without-interfering-with-policies/m-p/71759#M40918</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;in the unfiltered ACC dashboard, you will actually get to see 'hardware' counters directly off the dataplane; once you drill down into a filtered view, you will access the log database and will only be presented with data that has been logged&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;here's a little article about this phenomenon:&amp;nbsp;&lt;A title="ACC Shows Different Results After Clearing Filters" href="https://live.paloaltonetworks.com/t5/Management-Articles/ACC-Shows-Different-Results-After-Clearing-Filters/ta-p/53006" target="_blank"&gt;ACC Shows Different Results After Clearing Filters&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;if you want to have more custom tailored reports, please take a look at&amp;nbsp;&lt;A title="Getting Started: Custom reports " href="https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Custom-reports/ta-p/69951" target="_blank"&gt;Getting Started: Custom reports&lt;/A&gt;&amp;nbsp;on how to create your own custom reports that only give you the data you want to look at &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 28 Jan 2016 09:27:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/report-based-logging-without-interfering-with-policies/m-p/71759#M40918</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2016-01-28T09:27:30Z</dc:date>
    </item>
    <item>
      <title>Re: Report-based Logging Without Interfering With Policies</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/report-based-logging-without-interfering-with-policies/m-p/71800#M40938</link>
      <description>&lt;P&gt;Right, that's in accordance with what I suspected.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;My question and goal lies in this sentence exactly:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608"&gt;@reaper&lt;/a&gt; wrote:&lt;BR /&gt;&lt;BR /&gt;
&lt;P&gt;in the unfiltered ACC dashboard, you will actually get to see 'hardware' counters directly off the dataplane; once you drill down into a filtered view, you will access the log database and will only be presented with data that has been logged&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;This is the issue I'm trying to address: it's not that I want to clear out the counters, it's that I want to start logging &lt;EM&gt;because&lt;/EM&gt; of the counters. I understand that you can just flip logging on to a bunch of policies, but ping is not exactly something handled exclusively by policies. Often the policy handles other apps as well. I don't want to log the other apps because that'll lead to quite an increase in average logging.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;That's why I want to know if there are any plans for alternate methods for logging, such as logging policies that don't affect blocking/allowing/alerting/dropping.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm also still all ears for anyone who can come up with something simpler than trying to come up with a "wrapping policy" that, for over 300 policies, will not be just a side project. Just to log all instances of ping for a period of time.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Because once the instances are logged, THEN I can see the reports that I need.&lt;/P&gt;</description>
      <pubDate>Thu, 28 Jan 2016 21:09:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/report-based-logging-without-interfering-with-policies/m-p/71800#M40938</guid>
      <dc:creator>joshuahiggins</dc:creator>
      <dc:date>2016-01-28T21:09:08Z</dc:date>
    </item>
    <item>
      <title>Re: Report-based Logging Without Interfering With Policies</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/report-based-logging-without-interfering-with-policies/m-p/71826#M40944</link>
      <description>&lt;P&gt;that's tricky &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;besides actually having a security log that applies an action to a set of applications, you can't set a differentiator for logging (in a single security policy log ping nolog other stuff)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;the only way around could be to set up a netflow server and create these logs externally, or create separate security policies for the applications you do want to log and the ones you don't want to log.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You can reach out to your Sales contact so they can create a feature request or have your vote added if this has already been requested.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 29 Jan 2016 08:59:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/report-based-logging-without-interfering-with-policies/m-p/71826#M40944</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2016-01-29T08:59:25Z</dc:date>
    </item>
    <item>
      <title>Re: Report-based Logging Without Interfering With Policies</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/report-based-logging-without-interfering-with-policies/m-p/71839#M40949</link>
      <description>&lt;P&gt;Take one of the ports on your firewall and turn it into a TAP port, and place it in a zone called TAP. &amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="line-height: 20px;"&gt;Now, have your L2/L3 switch mirror one (or more) firewall interfaces and feed that back into the TAP port on the firewall. &lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="line-height: 20px;"&gt;When you want to log all instances of "ping", you can create a policy on your firewall that says "permit from TAP to TAP app=ping with logging enabled".&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="line-height: 20px;"&gt;This comes at the cost of additional firewall CPU utilization, as the firewall will be forced to process the traffic twice. &amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 29 Jan 2016 14:38:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/report-based-logging-without-interfering-with-policies/m-p/71839#M40949</guid>
      <dc:creator>jvalentine</dc:creator>
      <dc:date>2016-01-29T14:38:44Z</dc:date>
    </item>
    <item>
      <title>Re: Report-based Logging Without Interfering With Policies</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/report-based-logging-without-interfering-with-policies/m-p/71841#M40950</link>
      <description>&lt;P&gt;Hey guys,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for the advice and ideas! I'll put in a request to support to consider this in the future. I'll look into the TAP solution as a means for now (though you're right it will up computational costs) as that didn't even cross my mind.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Anyone reading this thread can feel free to continue the conversation as I'll be linking this in my support request.&lt;/P&gt;</description>
      <pubDate>Fri, 29 Jan 2016 14:42:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/report-based-logging-without-interfering-with-policies/m-p/71841#M40950</guid>
      <dc:creator>joshuahiggins</dc:creator>
      <dc:date>2016-01-29T14:42:31Z</dc:date>
    </item>
  </channel>
</rss>