We are about to go through an internal audit and it has been requested that I produce a report about the threats that have attempted to come through our PA-5020, how many were blocked and confirmation that it was indeed blocked.
Is there a report that does that already or will it need to be custom?
Navigate to Monitor--Manage custom reports--click on Add--click on Load templates, which is in the top left-hand corner, and you can load the template which says Top Threats. Modify the time frame and then create a report for threats.
There are severe limitations to the reporting functionality. You can only report the top 500 at the most, so if you need to go back a long time, it is not possible. From your post I assume that you are trying to get basically 2 reports. One would be for all threats, and one for blocked or other actions taken on threats - or perhaps you want them all in one. In order to see the action that was taken, you need to use the Threat Log, not the summary, as it does not allow you to see what action was taken. In the Query builder you can define/filter the Actions that were taken on the threats by any of the values that are defined.
There's one big solution that I haven't seen mentioned here yet... the best part is it's free (well, the cost of the hardware to run it on and the time to set it up are the only expenses).
Set up something like ELSA and send your logs from your PA to it!
ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs as well as email based alerts, scheduled queries, and graphing.
I would even go so far as to offer to help you build a parser/normalizer for Palo Alto firewall events
That looks very interesting - I hadn't come across that before. How long did it take you to get it set up and working properly, and getting the data you wanted with your PA? Are you using this with your switch infrastructure also? Thanks for the information!
I have not built an ELSA myself (yet), but I often look for open source solutions to problems that I've had in the past when I worked under a shoestring budget (or a nonexistent budget!)
I built an rsyslog/phplogcon box at a previous employer I worked for who had basically no budget, but if I had the opportunity to "do over" that implementation and ELSA was around, I would have at least taken a hard look at ELSA.
Unfortunately where I currently work we use a commercial centralized log / SIEM solution that works great for us (and that we've invested a lot of time into), and our PAs log to that. My suggestion was the "on the cheap" way of getting near commercial value out of an open source solution to the same problem.
You might consider using the CSV export option from the Threat Log. That would provide a much greater amount of data due to the number of rows you would be able to export. You could then use that data to build a report outside of PAN-OS.
- Jared Davis
PA also uses CSV format on its syslog.
So another workaround might be to just output THREAT-type logs into a dedicated syslog server (for example running ELSA or such, or just store them in gzipped plain format for later analysis) - in case the built-in reporting engine within the PA box isn't sufficient.
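The CSV export suggested above, and the CSV-formatted THREAT syslog in this reply, can both be turned into the "how many were blocked" figure for the audit with a short script. This is an added example, not code from the thread or from Palo Alto Networks; the column names, the sample rows and the set of actions treated as blocking are assumptions and should be checked against your own export.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Threat Log CSV export (assumed column names;
# change them if your PAN-OS export labels the columns differently).
SAMPLE_CSV = """Receive Time,Threat/Content Type,Threat/Content Name,Severity,Source address,Destination address,Action
2013/05/01 10:00:01,vulnerability,Sample Exploit Signature A,critical,203.0.113.10,192.0.2.5,reset-both
2013/05/01 10:02:17,spyware,Sample C2 Beacon,high,192.0.2.7,198.51.100.20,drop
2013/05/01 10:05:42,vulnerability,Sample Scanner Signature,medium,203.0.113.11,192.0.2.5,alert
2013/05/01 10:09:03,virus,Sample File Detection,low,198.51.100.3,192.0.2.9,allow
2013/05/01 10:12:55,vulnerability,Sample Exploit Signature A,critical,203.0.113.12,192.0.2.5,drop
"""

# Actions that mean the firewall actually stopped the traffic. "alert" only logs the
# event and "allow" passes it. This set is an assumption: compare it with the Action
# values that appear in your own Threat Log before relying on the blocked count.
BLOCKING_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both",
                    "block-url", "block-ip", "sinkhole"}


def summarize_threats(csv_text):
    """Count threats overall, threats blocked, and break them down by action and severity."""
    reader = csv.DictReader(io.StringIO(csv_text))
    by_action = Counter()
    by_severity = Counter()
    blocked_names = Counter()
    for row in reader:
        action = row["Action"].strip().lower()
        by_action[action] += 1
        by_severity[row["Severity"].strip().lower()] += 1
        if action in BLOCKING_ACTIONS:
            blocked_names[row["Threat/Content Name"]] += 1
    total = sum(by_action.values())
    blocked = sum(n for a, n in by_action.items() if a in BLOCKING_ACTIONS)
    return {"total": total, "blocked": blocked, "not_blocked": total - blocked,
            "by_action": dict(by_action), "by_severity": dict(by_severity),
            "top_blocked": blocked_names.most_common(5)}


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("threat_export.csv").read() for a real export.
    report = summarize_threats(SAMPLE_CSV)
    print(f"Threats seen: {report['total']}, blocked: {report['blocked']}, "
          f"alert/allow only: {report['not_blocked']}")
    print("By action:", report["by_action"])
    print("By severity:", report["by_severity"])
    print("Most-blocked signatures:", report["top_blocked"])
```

Threats logged with action "alert" or "allow" show up in the total but not in the blocked figure, which is the distinction the auditor is asking you to confirm.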