topic Real time alerts for threats? in General Topics

Real time alerts for threats?

drewdown — Thu, 01 Nov 2018 13:18:45 GMT

Is there such a thing with PAN? IE if the logs generate a critical alert can is there some logic to fire an email or generate a report with the relevant information?

Re: Real time alerts for threats?

JW6224 — Thu, 01 Nov 2018 13:35:46 GMT

Yes. It's found under Device Groups (in Panorama) under Objects > Log Forwarding.

Link here (PANOS 7.1 - it's the same in PANOS 8).

Re: Real time alerts for threats?

drewdown — Thu, 01 Nov 2018 13:51:03 GMT

Thanks..but it won't let me put anything under Email eventhough I have email profiles configured under Panorama > Server Profiles > Email.

Re: Real time alerts for threats?

JW6224 — Thu, 01 Nov 2018 13:53:23 GMT

That's the Email Profile for your Panorama - not the firewalls for which it is managing policies. Find a similar Email Server Profile under Templates > Device > Server Profiles > Email.

Note: the Log forwarding is in a Device Group. The Email Profile is in the Template. Your targets for both need to match or you will get a commit failure.

Re: Real time alerts for threats?

drewdown — Thu, 01 Nov 2018 13:57:39 GMT

Targets need to match? I don't follow.

Re: Real time alerts for threats?

JW6224 — Thu, 01 Nov 2018 13:59:50 GMT

The firewall target of your Device Group must also be in scope for the Template. If you are using shared templates/device groups, just make sure the firewall that gets the Device Groups have templates that have an email profile with the same name.

Does that help?

Re: Real time alerts for threats?

drewdown — Thu, 01 Nov 2018 14:10:32 GMT

Yeap! Thanks for your help.

One last question, will this be real time or do I need to schedule it to run? I lied as I have more questions, do I need to apply this log forwarding profile to a security rule? I already have all my logs forwarded to PANORAMA on all of my rules but I am not clear on how log profiles are applied? Across the board or per rule?

Re: Real time alerts for threats?

JW6224 — Thu, 01 Nov 2018 14:37:54 GMT

In my experience, real time. Including the caveats that come with that: you may be turning on an email fire-hose if you set it to email on events that you see hundreds of each minute. Caveat emptor. The firewall is happy to melt your mail queue if you tell it to.

Re: Real time alerts for threats?

drewdown — Thu, 01 Nov 2018 15:31:53 GMT

Expected, thanks for your help @JW6224

Re: Real time alerts for threats?

JW6224 — Thu, 01 Nov 2018 16:06:09 GMT

@drewdown wrote:
One last question, will this be real time or do I need to schedule it to run? I lied as I have more questions, do I need to apply this log forwarding profile to a security rule? I already have all my logs forwarded to PANORAMA on all of my rules but I am not clear on how log profiles are applied? Across the board or per rule?

Not per-rule. It is a log forward. When you go to the Monitor tab, you will see several logs (Traffic, URL, Threat, etc.) It is forwarding those log entries as you direct in the forwarding rule, when the firewall records each log entry. Does that make sense?

Re: Real time alerts for threats?

jsalmans — Fri, 02 Nov 2018 14:19:56 GMT

I actually tried to do this with Log Correlation on Panorama. In theory it should work great, in practice (on 8.0.9) the filter builder, and possibly the resulting filters, in that part of the GUI doesn't seem to work correctly and also emails aren't always being sent upon a match.

The filter builder outputs slightly different syntax in some cases than what the rest of the system uses. Even if it is the same filter result, I wasn't getting matches despite being able to use the same filter in the Threat Monitor and getting results.

This and some reporting are some areas I really hope improvements are made in some of the newer versions. We have a team that deals with desktop issues and I'd love to be able to send correlated event information for a possible malware infection straight to their ticket queue via email so they can know to go take a look at it.