topic Re: Log Forwarding Rule/Object in General Topics

Log Forwarding Rule/Object

DIR_IT — Thu, 24 Sep 2020 17:20:22 GMT

I have a server that connects every 10 minutes to an SFTP server. I would ideally like to know when it is done for the day. So I setup an email server profile and started on a Log Forwarding object. It does not really have to be a log, just and email that says "Oi the server is done for the day". The server connecting is a third party so I can't do it from that side.

Is it possible to create an object that will be "actioned" once there is no connection from the filtered server after a set amount of time? So say after 10 minutes if no additional connections are being received. I say additional connections as I am not interested in an email every 10 minutes stating there are no connections. I am also not really interested in when they start either as they start during my sleepy time.

Thank you so much for helping a Palo Alto noob.

Re: Log Forwarding Rule/Object

BPry — Fri, 25 Sep 2020 03:22:00 GMT

@DIR_IT,

This isn't really going to work. If the sessions happen long enough to stay active you could setup a log-forwarding profile to alert you on session-end, but the fact that these are ten minutes apart means that likely isn't going to be the case. You could of course set something up with the API and checking the session table.

Re: Log Forwarding Rule/Object

OtakarKlier — Fri, 25 Sep 2020 20:11:01 GMT

Hello,

Perhaps can be done from a SIEM? However how about adding a schedule to the policy, i.e. its only accessible from point A to point B between the hours of X to Z?

Just a thought