Reporting Question

Not applicable

Hi Folks,

We are about to go through an internal audit and it has been requested that I produce a report about the threats that have attempted to come through out PA-5020, how many were blocked and confirmation that it was indeed blocked.

is there a report that does that already or will it need to be custom?

thanks!!

L5 Sessionator

Re: Reporting Question

Navigate to Monitor > Manage Custom Reports > click on Add > click on Load Templates, which is in the top left-hand corner, and you can load the template that says Top Threats. Modify the time frame and then create a report for threats.

L5 Sessionator

Re: Reporting Question

There is one more way of doing it, i.e. navigate to Monitor > Reports; in the right-hand corner click on Threat Reports, then select the report and the date.

L4 Transporter

Re: Reporting Question

There are severe limitations to the reporting functionality. You can only report the top 500 at the most, so if you need to go back a long time, it is not possible. From your post I assume that you are trying to get basically 2 reports. One would be for all threats, and one for blocked or other actions taken on threats - or perhaps you want them all in one. In order to see the action that was taken, you need to use the Threat Log, not the summary, as the summary does not allow you to see what action was taken. In the Query Builder you can define/filter the actions that were taken on the threats by any of the values that are defined.

L6 Presenter

Re: Reporting Question

The only way is "Threat Log", I think. Query for block and see how far back you'll see.

If you have Panorama, then you are lucky.

L4 Transporter

Re: Reporting Question

There's one big solution that I haven't seen mentioned here yet... the best part is it's free (well, the cost of the hardware to run it on and the time to set it up are the only expenses).

Set up something like ELSA and send your logs from your PA to it!

https://code.google.com/p/enterprise-log-search-and-archive/

ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs as well as email based alerts, scheduled queries, and graphing.

Features:

  • High-volume receiving/indexing (a single node can receive > 30k logs/sec, sustained)
  • Full Active Directory/LDAP integration for authentication, authorization, email settings
  • Instant ad-hoc reports/graphs on arbitrary queries even on enormous data sets
  • Dashboards using Google Visualizations
  • Email alerting, scheduled reports
  • Plugin architecture for web interface
  • Distributed architecture for clusters
  • Ships with normalization for some Cisco logs, Snort/Suricata, Bro, and Windows via Eventlog-to-Syslog or Snare

I would even go so far as to offer to help you build a parser/normalizer for Palo Alto firewall events.

L4 Transporter

Re: Reporting Question

egearhart-

That looks very interesting - I hadn't come across that before. How long did it take you to get it set up and working properly, and getting the data you wanted with your PA? Are you using this with your switch infrastructure also? Thanks for the information!

L4 Transporter

Re: Reporting Question

I have not built an ELSA myself (yet), but I often look for open source solutions to problems that I've had in the past when I worked under a shoestring budget (or a nonexistent budget!).

I built an rsyslog/phplogcon box at a previous employer I worked for who had basically no budget, but if I had the opportunity to "do over" that implementation and ELSA was around, I would have at least taken a hard look at ELSA.

Unfortunately where I currently work we use a commercial centralized log / SIEM solution that works great for us (and that we've invested a lot of time into), and our PAs log to that. My suggestion was the "on the cheap" way of getting near commercial value out of an open source solution to the same problem.

Not applicable

Re: Reporting Question

You might consider using the CSV export option from the Threat Log. That would provide a much greater amount of data due to the number of rows you would be able to export. You could then use that data to build a report outside of PAN-OS.

- Jared Davis

L6 Presenter

Re: Reporting Question

PA also uses CSV format on its syslog.

So another workaround might be to just output THREAT-type logs into a dedicated syslog server (for example running ELSA or such, or just store them in gzipped plain format for later analysis) - in case the built-in reporting engine within the PA box isn't sufficient.
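As an added example (not from any poster in this thread) of the "build the report outside PAN-OS" approach suggested in the last two replies: the script below reads a Threat Log export (or CSV-formatted syslog lines) and counts how many threats were actually blocked versus only alerted on. The column names, the sample rows and the set of blocking action values are my own assumptions; match them to the header of your real export.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Threat Log CSV export. The column names are an
# assumption (a simplified subset); adjust them to the header of a real export.
SAMPLE_CSV = """receive_time,type,threat_type,src,dst,rule,action,severity,threat_id
2013/05/01 10:01:02,THREAT,vulnerability,10.1.1.5,192.0.2.10,allow-web,drop,high,30001
2013/05/01 10:02:15,THREAT,vulnerability,10.1.1.6,192.0.2.10,allow-web,alert,medium,30002
2013/05/01 10:03:44,THREAT,spyware,10.1.1.7,198.51.100.4,allow-web,reset-both,critical,30003
2013/05/01 10:04:10,THREAT,virus,10.1.1.8,192.0.2.11,allow-web,drop,high,30004
2013/05/01 10:05:01,THREAT,vulnerability,10.1.1.9,192.0.2.10,allow-web,alert,low,30005
"""

# Action values that mean the firewall stopped the traffic (assumed list; "alert"
# only logs the event and lets it through, which is what an auditor wants to know).
BLOCKING_ACTIONS = {"drop", "deny", "reset-client", "reset-server",
                    "reset-both", "block-url", "block-ip"}


def summarize_threats(csv_text):
    """Count threats overall, those blocked, and break them down by action and type."""
    reader = csv.DictReader(io.StringIO(csv_text))
    by_action = Counter()
    by_type = Counter()
    total = blocked = 0
    for row in reader:
        if row["type"] != "THREAT":      # skip traffic/system rows in a mixed export
            continue
        total += 1
        action = row["action"].strip().lower()
        by_action[action] += 1
        by_type[row["threat_type"]] += 1
        if action in BLOCKING_ACTIONS:
            blocked += 1
    return {"total": total, "blocked": blocked, "alert_only": total - blocked,
            "by_action": dict(by_action), "by_type": dict(by_type)}


if __name__ == "__main__":
    summary = summarize_threats(SAMPLE_CSV)
    print(f"threats seen: {summary['total']}, blocked: {summary['blocked']}, "
          f"alert only: {summary['alert_only']}")
    for action, n in sorted(summary["by_action"].items()):
        print(f"  {action:12s} {n}")
```

Point the script at the full CSV export instead of the embedded sample and the "blocked" figure is the per-action confirmation the audit asks for, without the top-500 limit of the built-in reports.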
