https://live.paloaltonetworks.com/t5/general-topics/threat-log-original-destination-required-in-vm-firewall-deployed/m-p/335675#M84599 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/141518">@omprasadax</a>,</P><P>You won't be able to get the destination of the actual server if this is being fed through the ALB; as&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42079">@DelvinC</a>&nbsp;initially mentioned, the firewalls visibility into the traffic stops once the packet reaches the ALB. You will need to have some sort of SIEM (Like Cortex, Splunk, Graylog, ect) to aggregate these logs if you don't want to manually corelate them.&nbsp;</P> Sun, 28 Jun 2020 03:30:19 GMT BPry 2020-06-28T03:30:19Z https://live.paloaltonetworks.com/t5/general-topics/threat-log-original-destination-required-in-vm-firewall-deployed/m-p/334744#M84419 <P>Hi Team,</P><P>We have VM firewall deployed at AWS.&nbsp;</P><P>&nbsp;</P><P>&gt;&gt; Paloalto&gt;&gt;ALB&gt;&gt; servers</P><P>&nbsp;</P><P>Now in threat log we are getting logs for destination as ALB&nbsp; because of this architecture.</P><P>Is it possible to get logs for actual destination server in threat log by any means ?</P><P>&nbsp;</P><P>Thanking you in advance!!</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 23 Jun 2020 09:30:28 GMT https://live.paloaltonetworks.com/t5/general-topics/threat-log-original-destination-required-in-vm-firewall-deployed/m-p/334744#M84419 omprasadax 2020-06-23T09:30:28Z https://live.paloaltonetworks.com/t5/general-topics/threat-log-original-destination-required-in-vm-firewall-deployed/m-p/334915#M84447 <P>I don' think you can&nbsp;<SPAN>get logs for actual destination server in the threat logs on the virtual firewall. The virtual firewall's visibility does not go beyond the ALB based on the setup that you have. In the give scenario, you'll need to correlate the timestamps on the virtual firewall and the ALB logs to identify the original destination server.</SPAN></P><P><SPAN><BR />Another alternative is if you are using <A href="https://www.paloaltonetworks.com/cortex/cortex-xdr" target="_self">Cortex-XDR</A>.</SPAN></P> Wed, 24 Jun 2020 03:12:40 GMT https://live.paloaltonetworks.com/t5/general-topics/threat-log-original-destination-required-in-vm-firewall-deployed/m-p/334915#M84447 DelvinC 2020-06-24T03:12:40Z https://live.paloaltonetworks.com/t5/general-topics/threat-log-original-destination-required-in-vm-firewall-deployed/m-p/335178#M84484 <P>If SSL inbound inspection configured in this case then will it be meaningful?</P> Thu, 25 Jun 2020 04:09:35 GMT https://live.paloaltonetworks.com/t5/general-topics/threat-log-original-destination-required-in-vm-firewall-deployed/m-p/335178#M84484 omprasadax 2020-06-25T04:09:35Z https://live.paloaltonetworks.com/t5/general-topics/threat-log-original-destination-required-in-vm-firewall-deployed/m-p/335610#M84581 <P>If we were to look at this problem from a different perspective, what are we trying to achieve by looking at the threat logs? Are you just looking to block the threats or identify the impacted server?</P> Fri, 26 Jun 2020 21:05:30 GMT https://live.paloaltonetworks.com/t5/general-topics/threat-log-original-destination-required-in-vm-firewall-deployed/m-p/335610#M84581 DelvinC 2020-06-26T21:05:30Z https://live.paloaltonetworks.com/t5/general-topics/threat-log-original-destination-required-in-vm-firewall-deployed/m-p/335652#M84590 <P>Yes, <STRONG>we want to identify impacted server</STRONG> then if required we would take any other action</P> Sat, 27 Jun 2020 04:56:35 GMT https://live.paloaltonetworks.com/t5/general-topics/threat-log-original-destination-required-in-vm-firewall-deployed/m-p/335652#M84590 omprasadax 2020-06-27T04:56:35Z https://live.paloaltonetworks.com/t5/general-topics/threat-log-original-destination-required-in-vm-firewall-deployed/m-p/335675#M84599 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/141518">@omprasadax</a>,</P><P>You won't be able to get the destination of the actual server if this is being fed through the ALB; as&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42079">@DelvinC</a>&nbsp;initially mentioned, the firewalls visibility into the traffic stops once the packet reaches the ALB. You will need to have some sort of SIEM (Like Cortex, Splunk, Graylog, ect) to aggregate these logs if you don't want to manually corelate them.&nbsp;</P> Sun, 28 Jun 2020 03:30:19 GMT https://live.paloaltonetworks.com/t5/general-topics/threat-log-original-destination-required-in-vm-firewall-deployed/m-p/335675#M84599 BPry 2020-06-28T03:30:19Z