Configuration Articles

Featured Article
Overview
When configuring BGP with export/import rules that match on the Next Hop entry from the routing table, the next hop entry cannot be just an IP address. It must carry the /32 prefix (for example 1.1.1.1/32); any other prefix will not match the rule.

Steps
Export rule. This configuration filters the BGP routes based on the next hop IP address: routes with 1.1.1.1 as the next hop are advertised through BGP, and all other routes are filtered by the Palo Alto Networks device.
A. From the WebGUI, go to Network > Virtual Router and click "default".
B. Select BGP, click the "Export" tab, then click "Add" to create the export rule.
C. Go to "Match" and add the next hop IP address with its /32 prefix, as shown below.

Import rule. This configuration filters the BGP routes based on the next hop IP address: routes with 1.1.1.1 as the next hop are received through BGP, and all other routes are filtered by the Palo Alto Networks device.
A. From the WebGUI, go to Network > Virtual Router and click "default".
B. Select "BGP", click the "Import" tab, then click "Add" to create the import rule.
C. Go to "Match" and add the next hop IP address with its /32 prefix, as shown below.

owner: aciobanu
aciobanu ‎09-24-2018 02:11 PM
9,671 Views
0 Replies
Overview
In Captive Portal scenarios, traffic from unidentified users flows through the Palo Alto Networks device, and the traffic logs show an empty Source User for those users. No filter is offered in the UI to view only the logs that have an empty Source User column.

Resolution
To view only the logs with an empty or unidentified Source User:
1. On the Monitor > Logs > Traffic page, click the Add Filter button (green plus icon).
2. Configure the filter with Attribute = Source User and Operator = is present. The filter is added as (user.src neq '').
3. Remove the 'n' from 'neq' so that the filter reads (user.src eq '').
4. Click the Apply Filter button (green arrow) to activate the filter.

owner: kadak
kadak ‎09-14-2018 01:19 PM
8,533 Views
0 Replies
2 Likes
QRADAR LEEF syntax for your Syslog needs in PAN-OS 8.0
taddair ‎09-11-2018 01:14 AM
6,943 Views
2 Replies
1 Like
Forwarding threat logs to a syslog server requires the following steps:
1. Create a syslog server profile.
2. Configure the log forwarding profile to select the threat logs to be forwarded to the syslog server.
3. Use the log forwarding profile in the security rules.
4. Commit the changes.

Note: Informational threat logs also include URL, Data Filtering and WildFire logs.

Syslog server profile
Go to Device > Server Profiles > Syslog.
Name: name of the syslog server profile
Server: IP address of the server the logs will be forwarded to
Port: default port 514
Facility: select from the drop-down according to your requirements

Log forwarding profile
Go to Objects > Log Forwarding and create a log forwarding profile that forwards threat logs to the configured syslog server. Add a Log Forwarding Match List to the profile, add the syslog server profile, and select a filter if desired. Use the filter builder to add more filtering parameters for the logs to be forwarded.
Once configured, the log forwarding profile should look like the following (see screenshot).

Security rule
Go to Policies > Security and select the rule to which the log forwarding needs to be applied. Apply the security profiles to the rule. Under Actions > Log Forwarding, select the log forwarding profile from the drop-down list.

Commit the configuration.
ppatel ‎06-12-2018 12:47 AM
48,643 Views
9 Replies
PAN-OS 6.0 and later

Details
Passive DNS monitoring is an opt-in feature in PAN-OS 6.0 and later. It enables the Palo Alto Networks firewall to act as a passive DNS sensor and send selected DNS information to Palo Alto Networks for analysis, in order to improve threat intelligence and threat prevention capabilities.

Only DNS responses are forwarded, only to Palo Alto Networks, and only when all of the following requirements are met:
- DNS response bit is set
- DNS truncated bit is not set
- DNS recursive bit is not set
- DNS response code is 0 or 3 (NX)
- DNS question count is greater than 0
- DNS answer RR count is greater than 0, or, if it is 0, the response code is 3 (NX)
- DNS query record type is one of A, NS, CNAME, AAAA, MX

To enable passive DNS monitoring on a Palo Alto Networks firewall running PAN-OS 7.1 or earlier, go to Objects > Security Profiles > Anti-Spyware Profile > DNS Signatures, check the box Enable Passive DNS Monitoring, and commit the changes.
To enable Passive DNS on PAN-OS 8.0 and later, go to Device > Setup > Telemetry.

owner: achalla
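The requirements above, as an added example that is not firewall code: a small Python checker that parses a raw DNS message and reports whether it would qualify for passive DNS forwarding. It assumes the "recursive bit" in the list means the RD flag (bit 8 of the flags word); build_dns_response constructs the sample messages and is not part of the article.

```python
"""Decide whether a raw DNS message meets the passive DNS forwarding
requirements listed above. Added example, not PAN-OS code; the criteria
are the article's, the reading of "recursive bit" as RD is an assumption."""
import socket
import struct

# Query record types the article lists as eligible (RFC 1035 / RFC 3596 codes).
ELIGIBLE_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}


def _read_name(msg: bytes, off: int):
    """Decode a DNS name starting at 'off'; return (name, offset after it).
    Compression pointers are followed, but the returned offset stays at the
    end of the name as it appears in place."""
    labels = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def passive_dns_eligible(msg: bytes):
    """Return (eligible, reason) for one DNS message (no IP/UDP headers)."""
    if len(msg) < 12:
        return False, "short header"
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qr = (flags >> 15) & 1
    tc = (flags >> 9) & 1
    rd = (flags >> 8) & 1                     # assumption: "recursive bit" is RD
    rcode = flags & 0xF
    if not qr:
        return False, "QR not set: this is a query, not a response"
    if tc:
        return False, "TC set: truncated response"
    if rd:
        return False, "RD set: recursion requested"
    if rcode not in (0, 3):
        return False, f"rcode {rcode} is neither NOERROR nor NXDOMAIN"
    if qdcount == 0:
        return False, "question count is 0"
    if ancount == 0 and rcode != 3:
        return False, "no answer records and not NXDOMAIN"
    try:
        qname, off = _read_name(msg, 12)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    except (IndexError, struct.error, UnicodeDecodeError):
        return False, "malformed question section"
    if qtype not in ELIGIBLE_QTYPES:
        return False, f"qtype {qtype} is not A/NS/CNAME/AAAA/MX"
    return True, f"{ELIGIBLE_QTYPES[qtype]} {qname}"


def build_dns_response(qname: str, qtype: int, rcode: int, answer_ip: str = None,
                       rd: int = 0, tc: int = 0) -> bytes:
    """Construct a minimal DNS response for testing (sample data, not captured
    traffic). If answer_ip is given, one A record is appended regardless of
    qtype; the eligibility check only looks at the answer count."""
    flags = 0x8000 | (tc << 9) | (rd << 8) | 0x0400 | (rcode & 0xF)   # QR and AA set
    ancount = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    for label in qname.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, 1)
    if answer_ip:
        # Owner name compressed as a pointer to the question name at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += socket.inet_aton(answer_ip)
    return msg
```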
achalla ‎02-09-2018 04:50 AM
12,854 Views
5 Replies
1 Like
Overview
This document describes how to view SSL decryption information from the CLI.

Details
The following show system setting ssl-decrypt commands provide information about SSL decryption on the Palo Alto Networks device:

Show the list of ssl-decrypt certificates loaded on the dataplane:
> show system setting ssl-decrypt certificate
Show the list of cached certificates loaded on the dataplane:
> show system setting ssl-decrypt certificate-cache
Show the list of cached DNS entries:
> show system setting ssl-decrypt dns-cache
Show the list of cached servers excluded from decryption:
> show system setting ssl-decrypt exclude-cache
Show the list of GlobalProtect cookies:
> show system setting ssl-decrypt gp-cookie-cache
Show the list of HSM requests:
> show system setting ssl-decrypt hsm-request
Show the SSL decryption memory usage:
> show system setting ssl-decrypt memory
Show the list of users whose notify option (whether or not to notify them of SSL decryption) has been cached. While the cache entry exists, the user is not notified every time they browse to an encrypted site:
> show system setting ssl-decrypt notify-cache
Show URL rewrite statistics:
> show system setting ssl-decrypt rewrite-stats
Show the list of cached sessions:
> show system setting ssl-decrypt session-cache
Show the ssl-decryption settings:
> show system setting ssl-decrypt setting

To display the count of decrypted sessions:
> show session all filter ssl-decrypt yes count yes
Number of sessions that match filter: 2758

To view the decrypted sessions:
> show session all filter ssl-decrypt yes

To clear the decrypted sessions:
> clear session all filter ssl-decrypt yes

To reset the ssl-decrypt caches:
> debug dataplane reset ssl-decrypt <option>
  certificate-cache     Clear all ssl-decrypt certificate cache in dataplane
  certificate-status    Clear all ssl-decrypt certificate CRL status cached in dataplane
  dns-cache             Clear ssl-decrypt DNS cache
  exclude-cache         Clear all exclude cache in dataplane
  hsm-cache             Clear all ssl-decrypt HSM request in dataplane
  notify-cache          Clear all ssl-decrypt notify-user cache in dataplane
  rewrite-stats         Clear URL rewrite cache
  session-cache         Clear all ssl-decrypt session cache in dataplane

The following command lists the proxy counters and is used to check for SSL decryption related failures. The columns are counter name, value, rate, severity, category, aspect and description; the counters with severity warn, error or drop are the ones that indicate failures:

> show counter global | match proxy
proxy_process                    1205  0  info   proxy  pktproc   Number of flows go through proxy
proxy_no_process                  453  0  info   proxy  pktproc   Number of flows donot go through proxy
proxy_wqe_held                    253  0  info   proxy  resource  Number of wqe held by proxy for notify answer
proxy_excluded                     78  0  info   proxy  pktproc   Number of ssl sessions bypassed proxy because of exclusion
proxy_client_hello_failed           4  0  warn   proxy  pktproc   Number of ssl sessions bypassed proxy because client hello can't be parsed
proxy_url_request_pkt_drop         24  0  info   proxy  pktproc   The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_url_category_unknown        435  0  info   proxy  pktproc   Number of sessions checked by proxy with unknown url category
url_session_not_in_ssl_wait         4  0  error  url    system    The session is not waiting for url in ssl proxy
proxy_url_request_pkt_drop        266  0  drop   proxy  pktproc   The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_timer_del_session_added       4  0  info   proxy  pktproc   Number of timers added for deleting proxy host connection
proxy_timer_del_sessions            4  0  info   proxy  pktproc   Number of proxy host connections deleted due to timer
proxy_proxy_host_not_connected     15  0  warn   proxy  pktproc   Number of packets proxy_host tried to receive or transmit when not connected
url_session_not_in_ssl_wait        40  0  error  url    system    The session is not waiting for url in ssl proxy
nrice ‎11-08-2017 01:44 AM
37,374 Views
5 Replies
1 Like
Symptom
Panorama, deployed either as the Palo Alto Networks M-100 appliance or as a virtual appliance, stops receiving logs from Palo Alto Networks firewalls. The traffic and threat logs can be viewed directly on the firewalls but are not visible on Panorama.

Details
The Palo Alto Networks firewall keeps track of the logs it forwards to Panorama with a sequence number, and Panorama acknowledges the sequence number when the logs are received. If the firewall is connected to a different Panorama (for example, to an HA peer of a Panorama), these sequence numbers can fall out of sync, causing the firewall to stop forwarding logs. The log upload process can also get stuck when a large volume of logs is being sent to Panorama.

Resolution

Panorama 6.1, 7.0, 7.1, 8.0
Check the current logging status:
> show logging-status device <serial number>
Start log forwarding with buffering, starting from the last acknowledged log ID:
> request log-fwd-ctrl device <serial number> action start-from-lastack
Verify that logs are being forwarded:
> show logging-status device <serial number>

If logs are still not being forwarded, do the following:
Make sure that log forwarding is stopped:
> request log-fwd-ctrl device <serial number> action stop
Start log forwarding with no buffering (leave it in this state for about a minute):
> request log-fwd-ctrl device <serial number> action live
Start log forwarding with buffering:
> request log-fwd-ctrl device <serial number> action start

Important! The alphabetic characters in the serial number must all be upper case. For example:
> request log-fwd-ctrl device 0000C123456 action live
scheduled a job with jobid 12

If lower case characters are used, the following error message is returned:
> request log-fwd-ctrl device 0011c123456 action live
Server error : failed to schedule a job to do log fwd ctrl from panorama to device 0000c123456

Confirm that the device policies are set with a log action that forwards to Panorama.

If logging gets stuck, restart the log-receiver service with the following command:
> debug software restart log-receiver
Alternatively, restart the management server (which also restarts the log-receiver service) with the following command:
> debug software restart management-server
On PAN-OS 7.0, 7.1 and 8.0, use the following command to restart the management server process:
> debug software restart process management-server

owner: swhyte
npare ‎08-08-2017 02:52 AM
57,879 Views
14 Replies
2 Likes
This article is deprecated. All documentation is now available at http://pansplunk.readthedocs.io

Overview
Splunk for Palo Alto Networks is a security reporting and analysis tool, and is the result of a collaboration between Palo Alto Networks and Splunk. This document describes how to configure Splunk for Palo Alto Networks and covers most problems encountered when configuring Splunk for the first time.
Note: Download Splunk for Palo Alto Networks directly from the Splunk site at http://apps.splunk.com/app/491/. Depending on the OS of the server running Splunk, follow the installation recommendations from the Splunk website.
If there are separate indexers and a search head, install the application on all of them.

Steps
On the Splunk server:
The Palo Alto Networks next-generation firewall uses udp/514 for syslog by default, but since this port is often used by other syslog sources, the examples here use udp/5514. Choose any port you like. TCP and SSL syslog are available in PAN-OS 6.0 and later.
Check the settings in the Splunk inputs.conf file and verify that no other configuration uses the UDP or TCP port you chose for syslog from the firewall. Check inputs.conf in the following directories:
$SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/
$SPLUNK_HOME/etc/system/local/
Note: See the "Configuration file precedence" section in the Splunk Enterprise Admin Manual for more on how Splunk resolves precedence between these files.
In the inputs.conf file, add the following configuration. For UDP syslog, make sure to include the line no_appending_timestamp = true.
[udp://5514]
index = pan_logs
sourcetype = pan_log
connection_host = ip
no_appending_timestamp = true
Restart the Splunk service on the server running the Splunk for Palo Alto Networks app.
After configuring the data input, access and configure the app. The first time the app is run from the WebUI, a setup screen is displayed. The credentials are only needed if you want to use the custom commands pantag, panblock and panupdate. The WildFire API key is only required for WildFire subscribers who want Splunk to index WildFire analysis reports from the cloud when a malware sample is analyzed. These credentials are stored in Splunk using encryption, the same way other Splunk credentials are stored. If you don't want to use these extra features, skip the setup screen by clicking Save.
Go to Apps > Splunk for Palo Alto Networks. Add the username/password credentials for the Palo Alto Networks firewall and the WildFire API key.
Note: WildFire subscribers can find the WildFire API key under their account after logging in to the WildFire Portal. Copy and paste the key into the WildFire API Key field (see example).

On the Palo Alto Networks device:
After completing the setup on the Splunk side, configure the Palo Alto Networks device to send syslog to Splunk.
Go to Device > Server Profiles > Syslog. Configure the details for the Splunk server, including the UDP port (5514 in this example).
Note: Do not set a Custom Log Format. The logs must be in the default format or Splunk won't parse them.
Configure a logging mechanism on the firewall that uses the syslog server. For example, configure a security policy rule with a Log Forwarding Profile that uses the Splunk syslog server, or configure the firewall to log config or system events to the Splunk syslog server. Security policy rules are under Policies > Security; other configurable syslog events are under Device > Log Settings.

Test the configuration
The easiest way to test that everything is working is to configure the firewall to syslog all config events. Go to Device > Log Settings > Config and commit. Make any configuration change and the firewall produces a config event syslog. You don't have to commit the change for the syslog to be produced; any uncommitted change to the configuration produces a log.
Verify that the log reached Splunk by going to the Splunk for Palo Alto Networks app, clicking Search in the navigation bar, and entering:
index=pan_logs sourcetype=pan_config
If Splunk is receiving the syslog from the firewall and parsing it correctly, the config event syslogs from the changes you made on the firewall show up here.

Troubleshooting Steps
1. Check that all initial configuration is complete
- Verify inputs.conf is set up per the instructions above; inputs.conf must have the line "no_appending_timestamp = true".
- Check the other inputs.conf configurations for other inputs using the same port.
- Check that the firewall is not using a Custom Log Format (it must use the default).
- Check that the firewall is set to log something, such as system events, config events or traffic events.
- Check that the clocks on the firewall and the Splunk server are the same. If they differ, logs will not show up correctly.
- If using a TCP or SSL port for syslog, try UDP first, then switch to TCP or SSL once UDP is working.

2. Verify logs are indexed
Use the method described in Test the configuration to produce some syslogs. Verify the logs are reaching the Splunk server by navigating to the Splunk for Palo Alto Networks app, clicking Search in the navigation bar, and entering:
index=pan_logs
If no logs show up, the logs are not being indexed correctly. Use these steps to find the problem:
- Verify the configuration from the troubleshooting section above.
- Switch the search timeframe to All Time. If logs show up, verify the timestamp on the logs is correct. If the time is wrong, check that the clocks on the Splunk server and the firewall are the same.
- Use tcpdump or Wireshark on the Splunk server to verify the logs are actually reaching it.
- Verify that the pan_logs index exists.

3. Verify logs are parsed correctly
Use the method described above in Test the configuration to produce some syslogs. Verify the logs are reaching the Splunk server by navigating to the Splunk for Palo Alto Networks app, clicking Search in the navigation bar, and entering the following search:
index=pan_logs sourcetype=pan_config
If logs showed up in step 2 but no logs show up now, try sourcetype=pan_logs instead of sourcetype=pan_config. If the logs start showing up after that change, the logs are not being parsed correctly:
- Check that you are not using a Custom Log Format in the syslog server setting on the firewall.
- Check that the inputs.conf file is configured with the line "no_appending_timestamp = true".
- If you're using a third-party syslog forwarder between the Palo Alto Networks device and Splunk, verify the forwarder isn't modifying the logs.

4. Check acceleration and summary indexing
Check that the dashboards are populating with data. The Overview dashboard doesn't use acceleration, so it should work at this point; if it doesn't show data, go back to troubleshooting. For all the other dashboards, after 5-8 minutes of syslogging to the Splunk server, the dashboards should populate with data. If the dashboards are populating, acceleration and summary indexing are working. If not, check the following:
App version 4.0 and earlier: uses TSIDX for acceleration. Verify that the saved searches for log collection are in the savedsearches.conf file and check that they haven't been changed or overwritten.
App version 4.1 and later: uses a Data Model for acceleration. Check the acceleration settings in the data model under Settings > Data Model > Palo Alto Networks Logs, then edit the Acceleration settings and verify they are enabled for a reasonably large timeframe. Click the arrow next to the Palo Alto Networks Logs data model and check the data model build percentage. It should be 100% or very close to it. If the build percentage is stuck below 90%, the cause might be limited resources on the Splunk server being consumed by other apps. Check whether the Splunk CIM or Splunk ES apps are running on the Splunk server. If they are, try disabling both apps and see if the build percentage rises above 90%. If it does, open a case with Splunk support to report the resource contention between the apps and get advice on how to proceed.

owner: ialeksov
ialeksov ‎05-19-2017 07:00 AM
63,343 Views
6 Replies
2 Likes
Overview
This document demonstrates how to configure the Palo Alto Networks firewall to send SNMPv3 traps. The SNMPv3 trap receiver used in this example is snmptrapd running on Ubuntu.

Steps
In the following example, the firewall has IP 172.17.128.23 and the SNMPv3 trap receiver has IP 172.17.128.17.

1. Set up SNMPv3 polling. Go to Device > Setup > Operation > SNMP Setup, then click "v3". All passwords are set to 'paloalto'. The polling setup does not need the engineID. However, the polling configuration is necessary to retrieve the engineID from the device, which is then used in the SNMPv3 Trap Server profile under Device > Server Profiles > SNMP Trap.

2. Once the device starts responding to SNMPv3 GETs/walks, issue an SNMPv3 GET against the device for OID 1.3.6.1.6.3.10.2.1.1.0 to retrieve the engineID (returned in hex):
$ snmpget -v 3 -u test -l authPriv -a SHA -A paloalto -x AES -X paloalto 172.17.128.23 1.3.6.1.6.3.10.2.1.1.0
iso.3.6.1.6.3.10.2.1.1.0 = Hex-STRING: 80 00 1F 88 04 30 30 30 30 30 34 39 35 32 36 30 37
The engine ID retrieved above is 0x80001f8804303030303034393532363037 (hex).

3. Once the backend SNMPv3 trap receiver is configured, complete the SNMPv3 Trap Server profile under Device > Server Profiles > SNMP Trap. All passwords are set to 'paloalto'. The engineID retrieved in step 2 is required to configure the SNMP Trap Server profile.

4. Assign the SNMP Trap profile created in step 3 to the logs that need to be forwarded as traps. For example, to send System logs as traps, go to Device > Log Settings > System.

5. Verify. For verification, the SNMPv3 trap receiver used is snmptrapd running on a Linux system. The user 'traptest' used in step 4 needs to be created in the trap receiver configuration file:
~$ cat /tmp/snmptrapd.conf
createUser -e 0x80001f8804303030303034393532363037 traptest SHA paloalto AES paloalto
authuser log traptest
Now start snmptrapd using the configuration file created above:
~$ sudo snmptrapd -f -C -c /tmp/snmptrapd.conf -Le
A system log is generated on the firewall (in the example below, an admin accessing the Monitor tab), and its corresponding SNMPv3 trap is recorded on the Linux machine as follows:
2013-01-29 06:49:45 172.17.128.23 [UDP: [172.17.128.23]:34722->[172.17.128.17]]:
iso.3.6.1.2.1.1.3.0 = Timeticks: (33979763) 3 days, 22:23:17.63
iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.25461.2.1.3.2.0.600
iso.3.6.1.4.1.25461.2.1.3.1.2 = STRING: "2013/01/29 06:49:46"
iso.3.6.1.4.1.25461.2.1.3.1.3 = STRING: "0009C101956"
iso.3.6.1.4.1.25461.2.1.3.1.4 = STRING: "SYSTEM"
iso.3.6.1.4.1.25461.2.1.3.1.5 = STRING: "general"
iso.3.6.1.4.1.25461.2.1.3.1.7 = ""
iso.3.6.1.4.1.25461.2.1.3.1.8 = STRING: "40867"
iso.3.6.1.4.1.25461.2.1.3.1.9 = STRING: "0x0"
iso.3.6.1.4.1.25461.2.1.3.1.300 = STRING: "general"
iso.3.6.1.4.1.25461.2.1.3.1.301 = ""
iso.3.6.1.4.1.25461.2.1.3.1.302 = STRING: "general"
iso.3.6.1.4.1.25461.2.1.3.1.303 = STRING: "informational"
iso.3.6.1.4.1.25461.2.1.3.1.304 = STRING: "User admin accessed Monitor tab"

owner: achitwadgi
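Decoding the engineID returned by the snmpget in step 2, as an added example that is not part of the article: the RFC 3411 SnmpEngineID layout (enterprise number, format octet, payload) shows what the hex string in the createUser line identifies, and why snmptrapd needs it (SNMPv3 USM keys are localized to the sender's engineID). The small enterprise-name table is an assumption covering only the two numbers relevant here.

```python
"""Decode an SNMPv3 engineID (RFC 3411 SnmpEngineID layout) and render the
matching snmptrapd createUser line. Added example, not part of the article."""
from typing import Dict

# Assumption: a tiny lookup for the enterprise numbers relevant on this page
# (8072 is registered to net-snmp, 25461 to Palo Alto Networks).
ENTERPRISE_NAMES = {8072: "net-snmp", 25461: "Palo Alto Networks"}
# Format octet values defined in RFC 3411 section 5.
FORMAT_NAMES = {1: "IPv4 address", 2: "IPv6 address", 3: "MAC address",
                4: "text", 5: "octets"}


def _clean_hex(hex_str: str) -> str:
    """Accept '80 00 1F 88 ...' (snmpget output) or '0x80001f88...' (profile)."""
    cleaned = hex_str.strip().replace(" ", "")
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    bytes.fromhex(cleaned)          # raises ValueError on non-hex input
    return cleaned.lower()


def decode_engine_id(hex_str: str) -> Dict[str, object]:
    """Parse an engineID into its enterprise, format and payload."""
    raw = bytes.fromhex(_clean_hex(hex_str))
    if not 5 <= len(raw) <= 32:
        raise ValueError("SnmpEngineID must be 5..32 octets")
    if raw[0] & 0x80 == 0:
        # Legacy (RFC 1910) form: enterprise number followed by opaque octets.
        return {"scheme": "rfc1910", "enterprise": int.from_bytes(raw[:4], "big"),
                "payload": raw[4:].hex()}
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF   # clear the scheme bit
    fmt, body = raw[4], raw[5:]
    if fmt == 1 and len(body) == 4:
        value = ".".join(str(b) for b in body)
    elif fmt == 3 and len(body) == 6:
        value = ":".join(f"{b:02x}" for b in body)
    elif fmt == 4:
        value = body.decode("ascii", errors="replace")
    else:
        value = body.hex()
    return {"scheme": "rfc3411", "enterprise": enterprise,
            "enterprise_name": ENTERPRISE_NAMES.get(enterprise, "unknown"),
            "format": fmt,
            "format_name": FORMAT_NAMES.get(
                fmt, "enterprise-specific" if fmt >= 128 else "reserved"),
            "value": value}


def snmptrapd_create_user(hex_str: str, user: str, auth_pass: str, priv_pass: str,
                          auth_proto: str = "SHA", priv_proto: str = "AES") -> str:
    """Render the createUser line snmptrapd needs for traps from this engine.
    The -e engineID is mandatory: USM localizes the auth/priv keys to it, so
    without it the receiver cannot authenticate or decrypt the trap."""
    return (f"createUser -e 0x{_clean_hex(hex_str)} {user} "
            f"{auth_proto} {auth_pass} {priv_proto} {priv_pass}")
```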
goku123 ‎05-10-2017 02:42 PM
21,696 Views
3 Replies
2 Likes
Overview
PAN-OS 6.0 introduced the ability to capture more than a single packet (up to 50) for threats logged on the Palo Alto Networks firewall. Extended Packet Capture can be useful for:
- Determining whether an attack was successful
- Learning more about the methods used by the attacker
- Validating the maliciousness of traffic with more context
Note: Extended Packet Capture is only available in Anti-Spyware and Vulnerability Protection profiles.

Steps
1. Go to Device > Setup > Content-ID and edit Threat Detection Settings. Configure the number of packets you would like to capture (max. 50 packets).
2. Go to Objects > Security Profiles > Vulnerability Protection. Enable "extended-capture" mode for Packet Capture on a vulnerability protection profile.
Note: The screenshot shows, as an example, a rule that collects extended captures for any vulnerability. You can edit a more granular rule and enable extended captures only for a particular severity level. If you need to enable extended captures for only one vulnerability, please read this article.
3. Apply this profile in a Security Policy rule.
It is also possible to change the logdb quota for Extended Packet Capture (max. 90% of the quota).
Important: If the "action" of the profile is set to block, only a single packet will be captured.

owner: rvanderveken
rvanderveken ‎10-13-2016 02:34 AM
8,181 Views
1 Reply
1 Like
Details
To email alerts for system logs, follow these steps:
1. Create an Email Server Profile.
2. Go to Device > Log Settings > System to set up the email alerts.

Email Server Profile
Go to Device > Server Profiles > Email, click Add and fill in the required fields (as in the example below):
Name: a name for the email settings.
Server: a name to identify the server (1-31 characters).
Display Name: Email Server.
From: the From email address.
To: the email address of the recipient.
Cc: optionally, the email address of another recipient.
Gateway: the IP address or host name of the SMTP (Simple Mail Transfer Protocol) server.

Log Settings - System Logs
Go to Device > Log Settings > System. Select the severity of the system log for which email alerts are to be configured. In this example, only system logs of severity critical are sent through email. After clicking the severity, select the configured email profile from the Email drop-down.

See Also
For more information about configuring email alerts, including a way to test the email and how to configure system logs by severity, see: How to Configure Email Alerts

owner: mvenkatesan
mvenkatesan ‎08-30-2016 02:09 PM
41,305 Views
12 Replies
Summary
This document illustrates the steps for configuring a Palo Alto Networks gateway running PAN-OS 7.1 to forward logs to a syslog receiver in the LEEF format. LEEF format schemas are provided for Traffic, Threat, Config, System and HIP Match logs. Correlation logs are not covered in this document.

WebUI Configuration Steps

1. (Optional) To configure the device to send its IPv4/IPv6 address or hostname instead of its FQDN in the generated logs, select Device > Setup > Management > Logging and Reporting Settings. In the Log Export and Reporting tab, use the Syslog HOSTNAME Format drop-down to pick the preferred identification method.

2. Select Device > Server Profiles > Syslog and specify a new Syslog Server profile name. Click Add to specify a syslog server name, IP address, transport method (TCP or UDP), port (e.g. 514), format (BSD or IEEE), and facility (e.g. LOG_LOCAL0).

3. Click on the Custom Log Format tab and pick one of the log types (Config, System, Threat, Traffic, HIP Match) to define a LEEF log format for that type.

Traffic log LEEF format:
LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|cat=$type|ReceiveTime=$receive_time|SerialNumber=$serial|Type=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|totalPackets=$packets|StartTime=$start|ElapsedTime=$elapsed|URLCategory=$category|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|dstPackets=$pkts_received|srcPackets=$pkts_sent|SessionEndReason=$session_end_reason|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ActionSource=$action_source

Threat log LEEF format:
LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|UserAgent=$user_agent|FileType=$filetype|identsrc=$xff|Referer=$referer|Sender=$sender|Subject=$subject|Recipient=$recipient|ReportID=$reportid|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

Config log LEEF format:
LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$result|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|src=$host|VirtualSystem=$vsys| msg=$cmd|usrName=$admin|client=$client|Result=$result| ConfigurationPath=$path|sequence=$seqno|ActionFlags=$actionflags| BeforeChangeDetail=$before-change-detail|AfterChangeDetail=$after-change-detail|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

System log LEEF format:
LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$eventid| ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|subtype=$subtype|devTime=$cef-formatted-receive_time|VirtualSystem=$vsys|Filename=$object| Module=$module|sev=$number-of-severity|Severity=$severity|msg=$opaque| sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

HIP Match log LEEF format:
LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$matchname|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|usrName=$srcuser|VirtualSystem=$vsys|identHostName=$machinename|OS=$os|identsrc=$src|HIP=$matchname|RepeatCount=$repeatcnt|HIPType=$matchtype|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

4. Commit your updated configuration for the changes to take effect.
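A receiver-side view of the templates above, as an added example that is not part of the article or of PAN-OS: a Python parser for lines rendered with these custom LEEF formats, plus a helper that pulls denied traffic flows out of a batch of lines. The sample log lines are constructed with made-up values; the parser splits on '|' because the templates use it between every attribute, not just in the header.

```python
"""Parse syslog lines rendered with the custom LEEF templates above.
Added example, not part of the article or of PAN-OS. Because the templates
join the header and every key=value attribute with '|', this parser splits
on '|' instead of the tab delimiter LEEF 1.0 uses by default."""
from typing import Dict, List, Tuple

HEADER_FIELDS = ("version", "vendor", "product", "product_version", "event_id")

# Constructed samples: a Traffic and a Config log rendered from the templates
# above with made-up values. The Config template has stray spaces after some
# '|' (" msg=", " ConfigurationPath="), which the parser tolerates.
SAMPLE_TRAFFIC = (
    "LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|7.1.0|deny|"
    "cat=TRAFFIC|ReceiveTime=2016/08/18 15:10:00|SerialNumber=0000C123456|"
    "Type=TRAFFIC|Subtype=end|src=10.1.1.20|dst=203.0.113.10|"
    "srcPostNAT=198.51.100.2|dstPostNAT=203.0.113.10|RuleName=block-outbound|"
    "usrName=acme\\jdoe|Application=web-browsing|srcPort=51515|dstPort=443|"
    "proto=tcp|action=deny|totalBytes=1200|SessionEndReason=policy-deny"
)
SAMPLE_CONFIG = (
    "LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|7.1.0|Succeeded|"
    "ReceiveTime=2016/08/18 15:12:00|SerialNumber=0000C123456|cat=CONFIG|"
    "src=10.0.0.5|VirtualSystem=vsys1| msg=set|usrName=admin|client=Web|"
    "Result=Succeeded| ConfigurationPath=deviceconfig system|sequence=42"
)


def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one LEEF line into (header, attributes); raise ValueError on a
    malformed line so a collector can count it rather than silently drop it.
    Caveat: the templates do not escape '|', so a value that itself contains
    '|' (possible in msg= or Miscellaneous=) is split apart and rejected here."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF line")
    fields = line.rstrip("\r\n").split("|")
    if len(fields) < len(HEADER_FIELDS) + 1:
        raise ValueError("LEEF header needs 5 fields plus attributes")
    header = dict(zip(HEADER_FIELDS, fields[:5]))
    header["version"] = header["version"][len("LEEF:"):]
    attrs: Dict[str, str] = {}
    for token in fields[5:]:
        token = token.strip()
        if not token:
            continue
        if "=" not in token:
            raise ValueError(f"attribute without '=': {token!r}")
        key, value = token.split("=", 1)
        attrs[key] = value
    return header, attrs


def denied_flows(lines) -> List[Tuple[str, str, str, str]]:
    """Return (src, dst, dstPort, RuleName) for every traffic log whose action
    is deny or drop: the fields a SIEM rule on these logs usually keys on.
    Unparseable lines are skipped."""
    hits = []
    for line in lines:
        try:
            _header, attrs = parse_leef(line)
        except ValueError:
            continue
        if attrs.get("cat") == "TRAFFIC" and attrs.get("action") in ("deny", "drop"):
            hits.append((attrs.get("src"), attrs.get("dst"),
                         attrs.get("dstPort"), attrs.get("RuleName")))
    return hits
```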
vdavar ‎08-18-2016 03:10 PM
7,523 Views
3 Replies
PAN-OS 5.0 and later

Overview
This document describes how to change a zone name on Panorama and push the update to the managed firewalls without running into commit errors. If no policies reference the zone, the name can be changed directly in the template and committed without errors. This document covers the scenario where the zone requiring the name change is currently used in one or more security policies.
Note: Panorama OS 5.0 and later.

Details
As an example scenario, the test_zone zone needs to be renamed to test_zone_1. The following image shows the original zone, and a policy referencing test_zone.
If the administrator directly modifies the zone name and issues a template commit, the commit fails with the error:
Last Push State Details
Details: rulebase -> security > rules > test_rule -> from 'test_zone' is not an allowed keyword
rulebase -> security > rules > test_rule -> from 'test_zone' is not a valid reference

Steps
The following prerequisites should be met before continuing with the zone name change:
- The device is connected to Panorama and is part of a template.
- There are policies associated with the zone name, and they have already been pushed to the device.
The steps below use the sample scenario described earlier in this document.
1. Rename the existing test_zone zone to test_zone_1. The policies referencing the zone are automatically updated with the new name.
2. Add a new zone with the old zone name (test_zone). This step is required to avoid commit issues caused by the policy dependency still present on the device. At this point, the config should look like this (see screenshot).
3. Issue a Panorama commit.
4. Issue a template commit.
5. Issue a device group commit.
6. Once the commits are successful, delete the test_zone zone, and then perform another Panorama commit, template commit and device group commit.

This procedure only works as listed above if the zone and interface configuration are both managed through a template on Panorama.

See also
Is There an Impact on Active Sessions when Changing the Name of a Zone?

owner: sdarapuneni
zarina ‎05-24-2016 03:26 AM
Issue
After upgrading Panorama to PAN-OS 7.0, the ACC (Application Command Center) Summary data is no longer being populated.

Cause
In PAN-OS 7.0, the ACC uses summary data rather than appstats data. Prior to PAN-OS 7.0, the appstats data was forwarded to Panorama to populate the ACC, even if logs were not explicitly configured to be forwarded.

Resolution
Under the new system, the managed firewalls need to be running PAN-OS 7.0 as well as Panorama. The data source can then be changed to the remote device. If a managed firewall is running a release earlier than PAN-OS 7.0, log forwarding must be turned on. Log forwarding must also be turned on if you want to view the ACC log source as "Panorama" rather than "Remote Device".
jperry1 ‎05-13-2016 02:24 PM
PAN-OS 6.0, 6.1, 7.0

Overview
This document is for customers who use Panorama for log collection and want to forward logs to a third-party syslog server or SIEM system from Panorama. The alternative is to forward logs via syslog from each firewall individually.
This scenario assumes logging has been configured on the firewalls to forward to Panorama and that Panorama is receiving the traffic, threat, and system logs as configured. If the firewalls have not been configured to forward logs to Panorama, refer to the following document: How to Create a Profile to Forward Logs to Panorama

Steps
1. To create a Syslog Server Profile, go to Panorama > Server Profiles > Syslog and click Add:
2. Assign the Syslog Server Profile:
For Panorama running as a virtual machine, assign the Syslog Server Profile to the various log types through Panorama > Log Settings > Traffic > Device Log Settings - Traffic > Syslog. Each log type can be configured individually, as shown below. After defining Syslog Server Profiles, designate the corresponding log types.
For an M-100, assign the Syslog Server Profile to the various log types through Panorama > Collector Groups > Collector Group > Collector Log Forwarding > Traffic > Syslog. Optionally, multiple collectors can be added under "Collector Group Members". By default, the local Log Collector on the primary Panorama is pre-assigned to the default Collector Group.
3. Perform a "Panorama" commit followed by a "Log collector" commit.

NOTE: On current PAN-OS versions, PA-7000 Series devices do not forward logs to Panorama; these devices need to be configured to send syslog via their Log interface.

owner: dbraswell
DavePATS ‎05-13-2016 12:58 PM
Details
To schedule an FTP export:
Go to Device > Schedule Log Export and create a log export profile for any logs.
Name: Enter the name of the scheduled log-export profile and enable it. Then select FTP and provide a username:

To schedule an SCP export:
Go to Device > Schedule Log Export and create a log export profile for any logs.
Name: Enter the name of the scheduled log-export profile and enable it. Then select SCP and provide a username.

Select the type of logs to be exported:
Select the Scheduled Export start time from the list.
Host Name: Enter the FTP or SCP server IP address.
Port: By default, FTP uses 21 and SCP uses 22.
Username and Password for access to the FTP or SCP server.
There is also an option to Test SCP server connection, as shown:
Apply the same steps for all logs and click OK.
Commit the configuration.

Note: Because the log database is too large for an export or import to be practical on the following platforms, they do not support these options: PA-7000 Series firewalls (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).

owner: ppatel
ppatel ‎04-21-2016 07:29 AM
PAN-OS 6.0

Details
This document describes how to set up log forwarding from a Log Collector in logger mode to a syslog server. An M-100 log collector is always managed by a Panorama management server. The Panorama management server can either be a VM or an M-100 in Panorama mode.
On the Panorama management server, perform the steps outlined below:
1. Create a Syslog Profile: go to Panorama > Server Profiles > Syslog, click Add and create a syslog profile, as shown below:
2. Add a Collector Group: go to Panorama > Collector Groups and click Add. There are four tabs in the Collector Group window, but for this configuration go to Collector Log Forwarding. For details on adding devices to a Collector Group and adding collectors to the group, refer to this document: How to Configure an M-100 to Function as Both a Log Collector and Panorama. The Syslog Server profile can also be associated with Config, HIP Match, Traffic, Threat and WildFire logs.
3. After the above step is done, proceed with the commit. First commit the changes to Panorama and then commit to the Collector Group. This is shown in the screenshot below.

owner: sodhegba
sodhegba ‎04-20-2016 02:17 AM
Details
To generate a traffic report applying filters on the CLI, use the following command:
> show log traffic query equal <value>

For example:
> show log traffic query equal "(port.dst eq 443) or (port.dst eq 53) or (port.dst eq 445) and (action eq allow)"

Example with start and end times:
> show log traffic start-time equal 2013/07/18@13:12:19 end-time equal 2013/08/21@00:00:00 query equal "(port.dst eq 443) or (port.dst eq 53) or (port.dst eq 445) and (action eq allow)"

Sample output:

To determine the query string for a specific filter, follow the steps below:
1. On the WebGUI, create the log filter by clicking the 'Add Filter' icon.
2. Build the log filter according to what you would like to see in the report. For this example, we are generating a traffic log report on port 443, port 53, and port 445 with action set to allow.
3. The filter string will appear on the filter bar as shown in the screenshot below:

owner: sodhegba
sodhegba ‎09-13-2015 03:09 PM
Overview
This document describes how to hide IP addresses in the Application Command Center (ACC) and Logs (Traffic/Threat/URL filtering and Data filtering). This feature can be used in environments where IP addresses need to be masked for certain administrators for compliance reasons.

Steps
1. Create an Admin Role Profile that disables two Privacy Settings:
Show Full IP Addresses
Show User Names In Logs and Reports
2. Create an administrator and assign that profile to that administrator.

To verify:
When logged in as a superuser, all the IP addresses in the ACC and logs are visible, as shown in the ACC example below:
Traffic logs, as shown below:
When logged in as 'kadak', IP addresses in the ACC and logs are shown as subnets, as shown in the ACC example below:
Traffic logs, as shown below:

owner: kadak
kadak ‎09-11-2015 02:36 AM
Palo Alto Networks firewalls can be configured to send SNMP messages based on the severity associated with an event, but not for specific events.
Example of failover system messages: HA state changes are Informational severity events, so in order for those messages to be sent to the SNMP server, the firewall needs to be configured to forward Informational severity messages.
Note: This implies that all informational messages will be sent to the SNMP server, not only the failover messages. It is up to the SNMP server to filter the messages and alert only when an HA state change has happened.

To enable SNMP forwarding of Informational messages, create an SNMP Trap Server Profile and use it under the system log settings, as shown below:
1. Create the SNMP Trap Server Profile (Device > Server Profiles > SNMP Trap).
2. Configure log settings to use SNMP (Device > Log Settings > System).

owner: kprakash
kprakash ‎09-03-2015 04:04 AM
PAN-OS 6.1

Overview
HTTP header logging was introduced in PAN-OS 6.1. This document explains how to enable HTTP header logging and how to track the URLs accessed by individual users in the network.

Steps
1. Configure a URL Filtering Profile under Objects > Security Profiles. Configure the necessary actions for each respective category.
2. Navigate to Settings in the URL Filtering Profile and enable the User-Agent, Referer and X-Forwarded-For checkboxes under HTTP Header Logging.
3. Create a security policy for the traffic of interest. Under Profile Settings, select the configured URL Filtering Profile and click OK.
4. Commit the configuration.
5. Navigate to Monitor > Logs > URL Filtering. Use the filter to select the source user.
Note: The referrer field lists the URLs visited by the end user. The individual log will look like this:
Under HTTP header, use the referrer field to get the actual URLs each user accessed.

owner: skumar1
skumar1 ‎09-01-2015 02:10 PM
Details
By default, traffic blocked by the Palo Alto Networks firewall's implied block rule at the bottom of the security policies is not logged.
To log this traffic, add an explicit block rule (see example) and place it at the bottom of the policies list.
Example:
src zone: trust
dst zone: untrust
src address: any
src user: any
dest addr: any
application: any
service: any
action: deny
profile: none
options: default

Note: Make sure to explicitly choose zones on this type of rule. Choosing any/any for the source and destination zones may cause some undesirable behavior in the network.

For testing, to temporarily log the implied block rule, issue the following command:
> set system setting logging default-policy-logging <value>
(Value is 0-300 seconds)

owner: bryan
panagent ‎09-01-2015 06:24 AM
Forwarding system logs to a syslog server requires three steps:
1. Create a syslog server profile.
2. Configure the system logs to use the syslog server profile to forward the logs.
3. Commit the changes.

Syslog Server Profile
Go to Device > Server Profiles > Syslog.
Name: Name of the syslog server
Server: Server IP address where the logs will be forwarded to
Port: Default port 514
Facility: To be selected from the drop-down according to the requirements

System Log Settings
Go to Device > Log Settings > System. Select the syslog server profile that was created in the above step for the desired log severity.
Once the server profile is selected, the system log settings for the syslog server appear as follows:

Commit the configuration.

owner: ppatel
ppatel ‎08-27-2015 12:34 PM
The Log Link feature provides links from log data to external systems (for example, trouble-ticketing, PCAP collection systems, security scanning, and so on). The links show up at the bottom of the log detail page in the log viewer, and they open the constructed URL in a new browser window.

Log information available for use in constructing the link URL:
src - source IP address
dst - destination IP address
sport - source port
dport - destination port
proto - protocol
recvtime_YYYY - year of receive time
recvtime_MM - month of receive time
recvtime_DD - day of receive time
recvtime_hh - hour of receive time
recvtime_mm - minute of receive time
recvtime_ss - second of receive time
elapsed - elapsed time (session time in seconds; available for traffic logs only, "" otherwise)
direction - client-to-server or server-to-client (available for threat, data filtering and URL logs only, "" otherwise)
suser - source user
duser - destination user
szone - source zone
dzone - destination zone
ingress - ingress interface
egress - egress interface

To enable the log link feature, use the following CLI commands:
# set deviceconfig system log-link VirusTotal.Src url https://www.virustotal.com/en/ip-address/{src}/information
# set deviceconfig system log-link VirusTotal.Dst url https://www.virustotal.com/en/ip-address/{dst}/information
Example URL: https://www.virustotal.com/en/ip-address/91.220.163.35/information/

Running the above commands creates two log links to VirusTotal in the Log Details window (one for the source IP and one for the destination IP):
Multiple links can be set, and all show up at the bottom of the log detail window.

Note: The log link configuration is not synchronized between device pairs in a High Availability (HA) environment. Therefore, the log link configuration must be performed manually on both the Active and Passive boxes.

owner: mjacobsen
mjacobsen ‎08-26-2015 05:42 PM
PAN-OS 6.0

Details
This document demonstrates how to configure a Palo Alto Networks firewall running PAN-OS 6.0 to send SNMPv2 traps for WildFire logs.

Steps
1. Configure an SNMP Trap Server Profile under Device > Server Profiles > SNMP Trap and click Add.
Server - Specify a name for the SNMP trap destination (up to 31 characters)
Manager - Specify the IP address of the trap destination
Community - Specify the community string required to send traps to the specified destination (default public)
2. Configure the Physical Location and Email address under Device > Setup > Operations > SNMP Setup for version V2c.
Physical Location - Specify the physical location of the firewall
Contact - Enter the name or email address of the person responsible for maintaining the firewall
3. Configure the Log Forwarding Profile for WildFire Settings under Objects > Log Forwarding. Under the WildFire Settings, select the SNMP trap server profile created above for both Benign and Malicious verdicts.
4. Click OK and commit.

owner: kadak
kadak ‎08-21-2015 08:54 AM
Summary
When a firewall is added to Panorama for management, administrative users can connect to the firewall by changing the context on Panorama. From there, all changes can be made the same way as when the user is locally connected to the firewall. Usually there is a concern that when a change is made from Panorama via the context change, the user who makes the change will not create an audit trail and the change cannot be tracked. On Palo Alto Networks devices there is always a correct audit trail, and this is true even in these scenarios where the changes are "proxied" via Panorama. If a user changes a configuration on a firewall context from Panorama, the user logged in to Panorama is recorded as the user who made the change.

Details
1. Log in with a user other than an admin user on Panorama. Make sure that the user has rights to make changes to the given firewall.
2. Verify the user has rights to make changes to the given firewall. In this case, the user is called "emea" and is a RADIUS user.
3. Change the context to point to the firewall where the change is needed.
4. Make a change on the firewall.
5. Navigate to Config Audit on the firewall itself and verify that the change is properly done and the user who made it is properly identified as the "emea" user.

owner: ialeksov
ialeksov ‎11-21-2014 01:15 PM
PAN-OS 6.0

Details
Sometimes it is required that traffic and threat logs be forwarded to both Panorama and a syslog server. When this has to be done over a WAN link with limited bandwidth, it is necessary to consider reducing the number of log streams that are sent over the link. When Palo Alto Networks firewalls are configured to forward traffic and threat logs to Panorama and to the syslog server separately, this can cause issues with the link, especially when there are several firewalls. For example, the diagram below shows that with separate profiles configured on the firewalls for log forwarding to Panorama and the syslog server, Fig I will be the result:
However, the firewalls can be configured to forward these logs to Panorama only, while a syslog profile is created on Panorama to forward the traffic and threat logs to the syslog server. This is represented by Fig II, as shown below:
Prior to PAN-OS 6.0, only configuration and system logs could be forwarded from Panorama to a syslog server. On Panorama running PAN-OS 6.0, in addition to configuration and system logs, threat, traffic, HIP Match and WildFire logs can be forwarded from Panorama to a syslog server.

Steps
To configure Panorama to forward threat and traffic logs to the syslog server, follow the steps below:
1. Create the Syslog Server Profile: go to the Panorama tab, under Server Profiles.
2. Go to Device Log Settings - Traffic and click on the Log Type you want to forward to the syslog server.
3. Select the profile that was created in the first step under Syslog, as shown in the screenshot below:
With this configuration, the firewalls forward logs to Panorama (assuming that log forwarding was configured correctly on the firewalls), and Panorama forwards the logs to the syslog server, thus reducing the number of log streams significantly.

owner: sodhegba
sodhegba ‎07-07-2014 11:55 PM
Issue
Connectivity to the User-ID Agent from the firewall is down. The following error is observed in the system logs:
SSL error: error:00000000:lib(0):func(0):reason(0)(0)
The same error is also observed on the CLI:
> show user user-id-agent state all
The following error is observed in the User-ID Agent error logs:
[Error 3039]: Device thread 1 SSL accept error: 5-10054!

Details
Configuration scenario: An interface other than the Management Interface is configured (Device > Setup > Services > Service Route Configuration > IPv4 tab) for "UID Agent", or the management traffic "piggybacks" and traverses data ports on the firewall. The traffic traverses the firewall using a security policy. The security policy uses a URL Filtering Profile. For example: The URL Filtering Profile has an action of "block" for the category "private-ip-addresses".

Troubleshooting
View the Monitor > Traffic logs and click on the magnifying glass for the traffic between the firewall's IP used for "UID Agent" and the User-ID agent's IP. In the screenshot below, notice the "block-url" action with Category "private-ip-addresses" and URL "user-id/":

Resolution
Configure the URL Filtering Profile with an action other than "block" for the "private-ip-addresses" URL category, or create an exception for the URL "user-id/". Both methods are applied (add user-id/ to the allow list and change the action for private-ip-addresses from block to alert) in the following example, but only one is required.

owner: mivaldi
mivaldi ‎06-18-2014 03:38 PM
Pre PAN-OS 7.0

Overview
There are two default rules on the Palo Alto Networks firewall regarding security policies:
Deny cross zone traffic
Allow same zone traffic
By default, traffic that hits the default policies is not logged in the traffic logs. Sometimes troubleshooting is required for traffic that has the same source and destination zone, or to see what traffic is being denied by the default rules before allowing it.
To temporarily log the implied block rule, issue the following command:
> set system setting logging default-policy-logging <value>
(Value is 0-300 seconds)
Note: Beginning in PAN-OS 6.1, the two default policies are displayed with a green background under Policies > Security. A rule now matches intrazone traffic, interzone traffic, or both (called universal). See: PANOS New Features

Details
There are a few ways to see the traffic in the traffic logs:
For Same Zone Traffic
Go to Policies > Security and create security policies that allow traffic sourced from and destined for the same zone, as the example below indicates:
For Cross Zone Traffic
Go to Policies > Security and create an open rule that allows the crossing of the zones you want to see traffic for.
Important: It may not be desirable to allow all Untrusted traffic into the Trusted zones of the network, as the above policies do, since the goal is to keep the network secure. Instead, a Deny All clean-up rule logs all traffic not allowed by the policies above it as denied, so you can see which rules would need to be specifically created without allowing the traffic initially. The following is an example of a Deny All policy.
Deny All
The example shown below specifically allows only GlobalProtect in from the outside. It allows all Trust and DMZ traffic out, all internally trusted cross traffic, and same zone traffic, while using a Deny All policy.
Any traffic that does not match the policies above the Deny All rule is caught by the Deny All policy and logged as denied. Review the denied traffic in the traffic logs to see which traffic would specifically need to be allowed, without allowing anything new into the network and compromising it with unwanted traffic.
Note: Creating a Deny All policy overrides the default policy that allows same zone traffic. For more information, review the following document: Any/Any/Deny Security Rule Changes Default Behavior.

Post PAN-OS 7.0
Starting from PAN-OS 7.0, the intrazone and interzone security policies are visible in the security policy and can be edited to enable logging.

owner: glasater
glasater ‎04-21-2014 11:30 AM
Overview
When a user enables bandwidth management on mobile Chrome, the application establishes an SSL tunnel on port 80 to Google servers. Therefore, the requests made by the client cannot be filtered by Palo Alto Networks devices.

Resolution
To overcome this, the administrator can add check.googlezip.net/connect to the block list. With this in place, the mobile browser app stops using the encrypted tunnel and the Palo Alto Networks device is able to filter the content.
To add the URL to the block list:
1. Go to Objects > Security Profiles > URL Filtering.
2. Choose the applicable profile (the one used on the security rule allowing traffic from mobile devices) and add the URL check.googlezip.net/connect to the Block List.

owner: rwelgarz
RafalWeglarz ‎04-19-2014 05:56 AM