I'm quite new to PAN, so please excuse my ignorance. So far I'm very impressed with the content analysis and the in-depth reporting it gives me on a network.
One thing I really like is that I can drill down into a specific user's web-browsing session and see exactly what file they've downloaded; however, I cannot do the same with a simple FTP session. The log details show all the data except the file name, which is something that I really need to be able to look at.
Our new 2020 PANs replaced our old WatchGuard units, which had extremely poor reporting capabilities; however, seeing the file content of an FTP session was something they were able to do. So I would expect that something of PAN's abilities could also report the same info.
Our firewall is set up pretty tight; however, the only application that is fairly open is our FTP rule (much to my disgust), as we have a lot of employees that need to upload data to distributors and suppliers. Furthermore, all of our store updates and daily sales files are transferred between stores and Head Office through the FTP protocol, so our weekly FTP data throughput is anywhere between 12-16GB.
I know most of the users that need/should be using the FTP protocol; however, I would like to be able to inspect a user's FTP session if I feel that A) a user shouldn't really be using FTP, or B) a user's FTP session is larger than what they should be sending.
So basically I need to see if a user is sending files or data out through FTP that they shouldn't.
So my question is: is this possible?
Sorry for my long-winded explanation/request, and thanks in advance for your time.
You can do this with a "File Blocking" profile. You won't really be blocking files; you'll just be logging the files that pass through the FTP protocol.
To do this, go to the Firewall GUI and navigate to Objects / Security Profiles / File Blocking.
"Add" a new File Blocking Profile and call it "File Logging". Add one line in this profile that says "any" application, "any" file type, "both" Direction, with an action of "alert".
Now, go to Policies / Security, and edit the firewall rule(s) that allow FTP in/out of your network. Go to the Actions tab for that rule, and under "Profile Setting", select Profile, and under File Blocking, use "File Logging". Commit the change.
Now you can go to the Monitor tab, Logs / Data Filtering, and see a list of File Names, along with the File Type (PDF, ZIP, EXE, etc.). Note: this will only log file names for the file types that PAN-OS is able to detect. If you're wondering what types of files this includes, you can go back to the Objects / Security Profiles / File Blocking, edit your "File Logging" profile, and under "file type", add a file type and scroll through the list. (Just be sure to change this back to "any" before you leave the screen).
You can attach this File Blocking (Logging) profile to all of your rules and get similar capabilities for SMTP, HTTP, etc. It doesn't have to be limited just to FTP traffic.
Thanks for your response. I have set up the File Blocking rules and applied them to our FTP-OUT rule. However, it's not showing the file content in the FTP session for all sessions.
I opened an FTP session to our website and then copied 3 PDF files to the FTP server (1x35kb / 1x800kb / 1x900kb). Now I can see the PDF file name in the session for the 35kb file; however, the Log Detail for the other 2 files still shows up as empty.
Furthermore, is there no other way at all that would allow me to see files that aren't in the 'File Type' section? Basically, even if I can get this rule to work, I still have the issue that if someone renames a file to *.sfd or some other strange file extension, then the PAN still won't be able to record it.
It's just strange that something that records so much detail is unable to log something as simple as a filename sent within a session. I mean, the crappy old WatchGuard that we had was able to do it without an issue.
I'm not sure why you're not seeing the other files sent as part of that session. It's my understanding that they would show up. I'd open a case with TAC and see what they say.
In the Data Filtering Log, the "file name" section is whatever the user names the file. However, the "File" section of the log is what the Palo Alto Networks firewall detects as the type of file. I.e., if you take that PDF file and rename it filename.fdp, the log should show "filename.fdp" and then identify it as an "Adobe Portable Document Format (PDF)" file. So, your users shouldn't be able to "trick" the firewall by renaming the extension. It should still detect the type of file, provided that Palo Alto Networks has that file type identifier. If there's a type of file that you need specific coverage for, you'll need to open a case with TAC or request it through your local Palo Alto Networks SE.
Had a chance to play with this last night. Looks like you're hitting the "log suppression" feature. If you look at the Log Detail (magnifying glass icon) for the logged PDF file in your data filtering log, you'll see "repeat count" is probably "3", one for each file. That would mean there were multiple PDF files that were transferred. If you want/need to see file names for all 3 of them, then you need to disable the log suppression feature:
    admin@firewall(active)> configure
    Entering configuration mode
    admin@firewall(active)# set deviceconfig setting logging log-suppression no
    admin@firewall(active)# commit
    Configuration committed successfully
Try the FTP transfer again and you should see all of the file names. Keep in mind that the log suppression feature was put there for a reason and will likely increase the management plane utilization on your firewall - so keep an eye on it after you make the change.
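The two points made in this thread (the firewall records the user-chosen file name separately from the detected file type, and log suppression folds repeated transfers into one entry with a repeat count) both lend themselves to a small triage script over an exported Data Filtering log. The example below is added here and is not PAN-OS code or a Palo Alto Networks tool; the sample rows, the simplified column names, and the EXPECTED_EXT mapping are constructed assumptions, so adjust them to match your own CSV export before use.

```python
"""Triage of Data Filtering log rows (constructed example, not PAN-OS code).

Flags three things a defender would want from the thread above:
  * files whose extension does not fit the detected file type (renamed files),
  * entries with repeat_count > 1 (log suppression hid individual file names),
  * FTP upload counts per user, to spot sessions larger than expected.
"""
import csv
import io
import os
from collections import Counter

# Constructed sample export. The header is a simplified assumption,
# not the exact PAN-OS CSV column names.
SAMPLE_LOG = """\
receive_time,app,srcuser,direction,filename,filetype,repeat_count,action
2020/05/04 09:12:01,ftp,jsmith,upload,pricelist.pdf,Adobe Portable Document Format (PDF),3,alert
2020/05/04 09:15:40,ftp,jsmith,upload,sales_0503.fdp,Adobe Portable Document Format (PDF),1,alert
2020/05/04 09:20:11,ftp,adoe,upload,backup.sfd,Microsoft Office 2007+ Document,1,alert
2020/05/04 09:22:55,ftp,adoe,upload,notes.txt,Text File,1,alert
2020/05/04 09:30:02,web-browsing,bwhite,download,report.pdf,Adobe Portable Document Format (PDF),1,alert
"""

# Extensions that each detected file type is expected to carry.
# Constructed mapping: extend it with the file types that appear in your logs.
EXPECTED_EXT = {
    "Adobe Portable Document Format (PDF)": {".pdf"},
    "Microsoft Office 2007+ Document": {".docx", ".xlsx", ".pptx"},
    "Text File": {".txt", ".log", ".csv"},
}


def parse_log(text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def extension_mismatch(row):
    """True when the user-chosen extension does not fit the detected type."""
    expected = EXPECTED_EXT.get(row["filetype"])
    if expected is None:
        return False  # unknown detected type: cannot judge, do not flag
    ext = os.path.splitext(row["filename"])[1].lower()
    return ext not in expected


def suppressed_rows(rows):
    """Rows where log suppression merged several transfers into one entry."""
    return [r for r in rows if int(r["repeat_count"]) > 1]


def ftp_uploads_by_user(rows):
    """Count FTP uploads per user, weighting by repeat_count so merged entries are not undercounted."""
    counts = Counter()
    for r in rows:
        if r["app"] == "ftp" and r["direction"] == "upload":
            counts[r["srcuser"]] += int(r["repeat_count"])
    return dict(counts)


def triage(text):
    """Return the three findings for a log export."""
    rows = parse_log(text)
    return {
        "mismatch": [r["filename"] for r in rows if extension_mismatch(r)],
        "suppressed": [r["filename"] for r in suppressed_rows(rows)],
        "ftp_uploads_by_user": ftp_uploads_by_user(rows),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The mismatch check deliberately reports nothing for file types it has no mapping for, so an incomplete EXPECTED_EXT produces missed flags rather than false alarms; the suppressed list tells you which entries to re-examine after disabling log suppression, since the hidden file names never reach the log while it is enabled.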
Thanks so much for your input into this. I'll try to make the change you suggested in the morning when I'm back at the office and let you know what sort of load it puts on the management plane and whether it shows all the files transferred in a session.
I'll update once it's done.