https://live.paloaltonetworks.com/t5/general-topics/rules-check-by-logs-with-expedition/m-p/353197#M87300 <P>Hello,</P><P>&nbsp;</P><P>For one of our client , using PA 850 in cluster,</P><P>&nbsp;</P><P>They have 8 zones for voip , printer , camera etc</P><P>&nbsp;</P><P>And all the security policies are wide open.</P><P>&nbsp;</P><P>Now we want to restrict the policy by looking at logs from each zone towars other.</P><P>&nbsp;</P><P>Can we export logs from panorama to expedition to see or analyse it ?&nbsp;</P><P>&nbsp;</P><P>Or what is best approach to do reverse engineering and implement the specific rules between zones.</P> Thu, 01 Oct 2020 07:30:19 GMT FWPalolearner 2020-10-01T07:30:19Z https://live.paloaltonetworks.com/t5/general-topics/rules-check-by-logs-with-expedition/m-p/353197#M87300 <P>Hello,</P><P>&nbsp;</P><P>For one of our client , using PA 850 in cluster,</P><P>&nbsp;</P><P>They have 8 zones for voip , printer , camera etc</P><P>&nbsp;</P><P>And all the security policies are wide open.</P><P>&nbsp;</P><P>Now we want to restrict the policy by looking at logs from each zone towars other.</P><P>&nbsp;</P><P>Can we export logs from panorama to expedition to see or analyse it ?&nbsp;</P><P>&nbsp;</P><P>Or what is best approach to do reverse engineering and implement the specific rules between zones.</P> Thu, 01 Oct 2020 07:30:19 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-check-by-logs-with-expedition/m-p/353197#M87300 FWPalolearner 2020-10-01T07:30:19Z https://live.paloaltonetworks.com/t5/general-topics/rules-check-by-logs-with-expedition/m-p/353255#M87303 <P>Hi,</P><P>&nbsp;</P><P>you can go with this filter so see respective logs.</P><P>&nbsp;</P><P>Monitor &gt; Logs &gt; Traffic &gt; ( zone.src eq SRC_ZONE) and ( zone.dst eq DST_ZONE )</P><P>&nbsp;</P><P>You can export the output shown into an CSV file.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="palo_logs.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28042iAC7249B3D133004E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="palo_logs.png" alt="palo_logs.png" /></span></P><P>&nbsp;</P><P>Based on this output normally a good approach, in my opinion, is:</P><P>&nbsp;</P><P>- setup an application group with apps you want to allow (good apps)</P><P>- setup an application group with apps you <STRONG>do not</STRONG> want to allow (bad apps),</P><P>- set up a policy with "application" = application group good apps, set it do allow, enable logging at session end</P><P>- set up a policy with "application" = application group bad apps, set it to deny or drop (whatever suits your setup), enable logging at session end</P><P>- set up a policy with "application" = any, set it to allow, enable logging at session end</P><P>&nbsp;</P><P>Continually monitor this rules and fine tune your policy. In Policies &gt; Name column &gt; hover over policy name &gt; triangle icon &gt; log viewer. Later on it might become more difficult because with a single "allow rule" you will be forced to decide for a service (any/select/app default). In case of you need different ports other than "app-default" you need to add a specific policy.</P><P>&nbsp;</P><P>Hope that helps.</P> Thu, 01 Oct 2020 10:51:30 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-check-by-logs-with-expedition/m-p/353255#M87303 Rene_Boehme 2020-10-01T10:51:30Z https://live.paloaltonetworks.com/t5/general-topics/rules-check-by-logs-with-expedition/m-p/353285#M87306 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138831">@Rene_Boehme</a>&nbsp; thanks .this is indeed a better approach.</P><P>&nbsp;</P><P>I will see if expedition automates it&nbsp;</P> Thu, 01 Oct 2020 12:29:04 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-check-by-logs-with-expedition/m-p/353285#M87306 FWPalolearner 2020-10-01T12:29:04Z https://live.paloaltonetworks.com/t5/general-topics/rules-check-by-logs-with-expedition/m-p/353406#M87317 <P>Good luck. Let us know if anything is missing.</P> Thu, 01 Oct 2020 17:24:17 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-check-by-logs-with-expedition/m-p/353406#M87317 Rene_Boehme 2020-10-01T17:24:17Z