After configuring the firewall, enabling security policies and profiles, you can sit back and focus on other tasks, knowing that your network is secure. A good way to keep that peace of mind without constantly checking logs and searching for anomalies is to use scheduled reports to keep you posted on everything happening in your network.
Take a look at the video, then follow along step-by-step to configure your own custom reports.
Several Pre-Defined Reports are already set up for your convenience; these start creating usable report data the moment the Palo Alto Networks firewall is switched on and put into the network. In case some of these reports are not useful, you can disable and replace them with custom reports.
When you start creating a custom report, one of your first choices is which database to use for your report. You'll notice there are two groups to choose from, Summary and Detailed, each containing similar types of logs.
The Summary Databases are optimized databases that collect summarized data from the log files every 15 minutes, every hour, every day, and every week, allowing reports to be created quickly. The Detailed Logs allow you to crawl the log files in search of very specific data, but take longer to generate.
A difference between the Summary and Detailed URL database, for example, is that the Summary Database can report which categories and domains were accessed x number of times, while the Detailed Log can report exact URLs accessed from a certain source.
For most reports, we recommend using the Summary Databases.
After selecting the database to create your report, enable the schedule and set a timeframe. An unscheduled report can be run only manually, but allows smaller timeframes, while a scheduled report, which generates and stores reports historically, can be configured to automatically email a daily, weekly or monthly report.
If you'd like to take a look at some sample reports, you can Load a Report Template from the predefined reports, which you can then customize. Start by loading the Top Applications template:
The Selected Columns and Database are automatically loaded from the template, you need only to change the Name and Time Frame.
If you click the Run Now button, a sample report is generated.
If you head back to the Report Settings, you can add more details to the report by adding the 'Threats' column, changing the 'Sort By' to Threats and gouping the data by Day.
If you click the Run Now button again, the report will have a completely different look: the detected threats per application are reported, the data is grouped per day, and sorted from most threats to least.
You can also use the Query Builder to tune the report a little further. If you want to filter out DNS and portmapper from the report, youcan create a filter for application not equal to dns and portmapper.
The report will now no longer contain these applications.
If you go ahead and click OK and Commit, the report will be added to the scheduled reports jobs that run every night and become available in the custom reports viewer:
After you've created a few of these reports, you can go ahead and add them into a report group.
The report group can then be added to an Email Scheduler so it is automatically mailed to you and your coworkers.
If you haven't created an Email Server Profile before, it should look somewhat like this:
You can send a test email to make sure your configuration is working as expected before committing and waiting for the first report to appear.
I hope you found this article useful. Feel free to leave a comment below or check out other episodes in this series.