Make more sense using filtered log forwarding

by 03-07-2017 06:17 AM - edited 05-11-2017 09:02 AM

Log forwarding has been available on our firewalls for a very long time. However, the feature had its limitations.

Problem before PAN-OS 8.0:

  • Customers want to forward particular logs to start troubleshooting or an incident response across a variety of teams.
  • However, prior to PAN-OS 8.0, users were required to choose a collection of logs by severity and/or type rather than the specific set of logs they are interested in.
  • The existing log forwarding behavior results in a flood of unwanted logs that you still have to filter through manually.

(Image: "I HATE LOGS")

Solution in PAN-OS 8.0:

  • This feature expands log filtering from the granularity of severity to the granularity of a user-defined filter for log forwarding purposes.
  • Users can now forward selected logs based on a custom-defined filter for a given log type.
  • Log forwarding profiles now have filters similar to those in the Monitor tab.
  • These updated log forwarding profiles are attached to rules/zones in the same way as the current log forwarding profiles.

Log forwarding profiles have been redesigned to accommodate log filtering: users can now create match lists in the log forwarding profile.

All the forwarding actions listed in a match list are taken for every log that matches that list. A traffic log can match more than one match list; in that case the forwarding actions of all the matching lists are taken. New match criteria can be added to the forwarding profile with the "Add" option. In this example, two match lists are configured:

(Image: Log Forwarding Profile)

The Log Forwarding Profile Match List allows you to create custom filters, as shown here:

(Image: Filter Builder)

By default, the firewall forwards ALL logs of the selected Log Type. To forward only a subset of the logs, select an existing filter from the drop-down, or select 'Filter Builder' to add a new filter that selects the logs of interest to be forwarded. These filters use the same syntax as the filters already available in the Monitor tab:

(Image: Create Filter)

Use the 'View Filtered Logs' tab to verify exactly which logs will be forwarded.

It can be challenging to write your own filter, but you can work backwards and have the firewall create a filter for you. Without a configured filter, go to the 'View Filtered Logs' view and you will see an unfiltered view. From here you can click any value in the displayed logs, and the firewall will build a filter from that selection. Notice how the firewall creates a filter for me when I make a selection in the 'View Filtered Logs' tab.

(Image: Filter Creation)

Click the 'Apply Filter' button to see exactly what will be forwarded:

(Image: Apply Filter)

Click OK, and all that remains is to select your Forward Method. Once you have done that, click OK, confirm that the Log Forwarding Profile looks right, and click OK once more.

(Image: Log Forwarding Profile)

With this, your log forwarding profile is created.

Similarly, the Log Settings feature on the Device tab lets you configure forwarding for System, Config, User-ID, Correlation and HIP Match logs (User-ID and Correlation are new in PAN-OS 8.0). The same filter granularity was added to all of these log types:

(Image: Device - Log Settings)

As an example, look at the 'Log Settings - Configuration' screen below, where I configured a forwarding option for the filter ( admin neq admin ), i.e. configuration logs generated by any administrator other than the built-in 'admin' account:

(Image: Log Settings - Configuration)

Notice in the example above that I've set my forwarding option to Panorama. If you are happy with this, go ahead and click OK and commit the change.
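To make the match-list semantics concrete (a log that matches several match lists triggers the actions of all of them, and a filter such as ( admin neq admin ) narrows a log type down to the entries you care about), here is a small added example in Python. It is not PAN-OS code and the filter grammar it parses is an assumption modelled on the monitor-tab syntax shown in the screenshots (parenthesised `field op value` terms joined with `and`/`or`, with `eq`, `neq`, `in` and `contains`); the match-list names, forwarding actions and log records are all constructed for the demonstration.

```python
"""Added example: a toy model of PAN-OS 8.0 match-list log forwarding (not PAN-OS code)."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

LogEntry = Dict[str, str]
Predicate = Callable[[LogEntry], bool]
OPERATORS = ("eq", "neq", "in", "contains")   # assumed subset of the monitor-tab operators


def _atom(field: str, op: str, value: str) -> Predicate:
    """Build a predicate for one `( field op value )` term."""
    def check(log: LogEntry) -> bool:
        actual = log.get(field)
        if actual is None:          # field absent from this log: the term cannot match
            return False
        if op == "eq":
            return actual == value
        if op == "neq":
            return actual != value
        if op == "contains":
            return value in actual
        # "in": CIDR membership, e.g. ( addr.src in 10.0.0.0/8 )
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    return check


class FilterParser:
    """Recursive-descent parser for monitor-tab style filter strings (assumed grammar)."""
    def __init__(self, text: str):
        self.toks = re.findall(r"\(|\)|[^\s()]+", text)
        self.pos = 0

    def _peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self, expected: Optional[str] = None) -> str:
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'} at position {self.pos}")
        self.pos += 1
        return tok

    def parse(self) -> Predicate:
        node = self._expr()
        if self._peek() is not None:
            raise ValueError("unexpected trailing tokens")
        return node

    def _expr(self) -> Predicate:            # expr := term ( 'or' term )*
        node = self._term()
        while self._peek() == "or":
            self._take()
            node = (lambda l, r: lambda log: l(log) or r(log))(node, self._term())
        return node

    def _term(self) -> Predicate:            # term := factor ( 'and' factor )*
        node = self._factor()
        while self._peek() == "and":
            self._take()
            node = (lambda l, r: lambda log: l(log) and r(log))(node, self._factor())
        return node

    def _factor(self) -> Predicate:          # factor := '(' atom-or-expr ')'
        self._take("(")
        if self.pos + 1 < len(self.toks) and self.toks[self.pos + 1] in OPERATORS:
            node = _atom(self._take(), self._take(), self._take())
        else:
            node = self._expr()
        self._take(")")
        return node


def compile_filter(text: str) -> Predicate:
    return FilterParser(text).parse()


def match_list(name: str, log_type: str, actions, filter_text: Optional[str] = None) -> dict:
    """One row of a Log Forwarding Profile; filter None means 'ALL logs of this type'."""
    return {"name": name, "log_type": log_type, "actions": tuple(actions),
            "filter": compile_filter(filter_text) if filter_text else None}


def forward(log: LogEntry, profile: List[dict]) -> Tuple[List[str], List[str]]:
    """Return (names of matching lists, union of their forwarding actions) for one log."""
    matched, actions = [], set()
    for ml in profile:
        if ml["log_type"] == log["type"] and (ml["filter"] is None or ml["filter"](log)):
            matched.append(ml["name"])
            actions.update(ml["actions"])
    return matched, sorted(actions)


def filter_from_selection(log: LogEntry, fields: List[str]) -> str:
    """'Work backwards': build a filter string from values selected in a displayed log."""
    return " and ".join(f"( {f} eq {log[f]} )" for f in fields)


# Constructed sample profile: two traffic match lists plus the config-log filter from the post.
PROFILE = [
    match_list("all-traffic-to-panorama", "traffic", ["panorama"]),
    match_list("outbound-from-servers", "traffic", ["syslog:SIEM"],
               "( addr.src in 10.10.0.0/16 ) and ( ( app eq ssh ) or ( app eq dns ) )"),
    match_list("non-admin-config-changes", "config", ["panorama"], "( admin neq admin )"),
]

# Constructed sample logs (not real firewall output).
SAMPLE_LOGS = [
    {"type": "traffic", "addr.src": "10.10.4.20", "addr.dst": "198.51.100.7", "app": "ssh"},
    {"type": "traffic", "addr.src": "192.168.1.9", "addr.dst": "198.51.100.7", "app": "web-browsing"},
    {"type": "config", "admin": "kim", "cmd": "set", "result": "Succeeded"},
    {"type": "config", "admin": "admin", "cmd": "commit", "result": "Succeeded"},
]


def run(logs=SAMPLE_LOGS, profile=PROFILE) -> Dict[int, List[str]]:
    """Evaluate every log against the profile; returns {log index: sorted actions}."""
    return {i: forward(log, profile)[1] for i, log in enumerate(logs)}


if __name__ == "__main__":
    for i, actions in run().items():
        print(i, SAMPLE_LOGS[i]["type"], actions or "(not forwarded)")
```

The first traffic log matches both traffic match lists, so it is sent to Panorama and to the SIEM; the second only hits the unfiltered list. Of the two config logs, only the one made by "kim" passes ( admin neq admin ), which is exactly what you would check in the 'View Filtered Logs' tab before committing.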


With this new feature, a flood of unwanted logs will soon be a thing of the past!


As always, feel free to add comments to the comments section below or reach out to us in the Live Community Discussions Forum.


Cheers!

-Kim.
