Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
Make more sense using filtered log forwarding
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- Collaboration
- Blogs
- Make more sense using filtered log forwarding
kiwi
Community Team Member
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Email to a Friend
- Printer Friendly Page
- Report This Content
03-07-2017
06:17 AM
Log forwarding has been around on our firewalls since forever. However, the feature had its limitations.
Problem before PAN-OS 8.0:
- Customers want to forward particular logs to start a troubleshooting or incident response across variety of teams
- However, prior to PAN-OS 8.0 users are required to choose a collection of logs by severity and/or type rather than the set of logs they are interested in
- Existing log forwarding behavior results in a flood of unwanted logs that you still have to filter through manually
Solution in PAN-OS 8.0:
- This feature will expand the log filtering from the granularity of severity to the granularity of a user-defined filter for log forwarding purposes.
- Users can now forward selective logs based on a custom-defined filter for a given log type.
- Log forwarding profiles now have filters that are similar to the monitor tab.
- These updated log forwarding profiles will be attached to rules/zones in the same way as we use current log forwarding profiles.
Log forwarding profiles are re-designed to accommodate log filtering. Users can now create match lists in the log forwarding profile.
All the forwarding actions mentioned in the match list will be taken against that particular traffic log. A traffic log can match more than one match list, forwarding actions mentioned in all the matching lists will be taken. New match criteria can be added to the forwarding profile with “Add” option. Here in this example, two match lists are configured:
Log Forwarding Profile Match List allows for the creation of custom filters as shown here:
By default, the firewall forwards ALL logs of the selected Log Type. To forward a subset of the logs, select an existing filter from the drop-down or select 'Filter Builder' to add a new filter to select interesting logs to be forwarded. These filters are similar to the existing filters that we already have in the monitor tab:
Use the ‘View Filtered Logs’ tab to verify which logs exactly will be forwarded.
It can be challenging to create your own filter but you can work backwards and have the firewall create a filter for you. Without a configured filter you can goto the 'View Filtered Logs' view and you will have an unfiltered view. From here you can make any selection from the displayed logs and the firewall will create a filter for you in response to that. Notice how the firewall creates a filter for me when I make any selection in the 'View Filtered Logs' tab.
Click the 'Apply Filter' button to see exactly what will be forwarded :
Click OK and all that remains to be done is select your Forward method. Once you do that you can click the OK button and you can confirm if the Log Forwarding Profile looks fine and you can click the OK button once more.
With this your log forwarding profile is created.
Similarly you have the log settings feature on the device tab. Here you can configure system logs, config logs, UserID, Correlation and HIP match logs (User-ID and Correlation are new in PAN-OS 8.0). The same granularity was added in all of these logs:
As an example check out the 'Log Settings - Configuration' below, where I configured a forwarding option for the filter ( admin neq admin )
Notice in the example above that I've set my forwarding option to Panorama. If you are happy with this you can go ahead and click OK and commit the change.
With this new feature, a flood of unwanted logs will soon be a thing of the past!
As always, feel free to add comments to the comments section below or reach out to us in the Live Community Discussions Forum.
Cheers!
-Kim.
Labels:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Labels
-
10.0
1 -
2 factor authentication
1 -
2020
1 -
2fa
1 -
30DaysCloud
7 -
5G
6 -
7000
2 -
7000 series
1 -
ACC
2 -
addressgroups
1 -
administration
1 -
Adobe Acrobat
1 -
Alibaba
1 -
Alibaba Cloud
1 -
AMA
3 -
Analytics
4 -
Announcement
1 -
Aperture
3 -
API
2 -
App-ID
13 -
App-Portal
1 -
application
1 -
Application Framework
4 -
Application Override
1 -
applications
2 -
apps
1 -
Ask Me Anything
3 -
Authentication
2 -
Authentication Sequence
1 -
AutoFocus
9 -
Autonomous
2 -
Autonomous DEM
2 -
Autonomous Digital Experience Management
1 -
AWS
9 -
Azure
7 -
Beacon
5 -
Best Practice Assessment
2 -
Best Practices
4 -
Books
1 -
BPA
5 -
Canon
1 -
Case Creation
4 -
case management
1 -
Cases
1 -
categories
2 -
certificate
1 -
Certificates
2 -
Certification
2 -
Certifications
3 -
Certifications & Exams
3 -
CLI
1 -
Cloud
36 -
Cloud Identity Engine
1 -
cloud managed prisma access
1 -
Cloud Security
4 -
cloud service
3 -
Cloud Services Portal
3 -
cloudgenix
3 -
CloudSecured
1 -
CN-Series
8 -
Community
94 -
Community Experience Refresh
1 -
Community Guidance
1 -
Community News
2 -
Compatibility
1 -
Compatibility View
1 -
Configuration
13 -
Configuration and Management
4 -
Container
1 -
cortex
18 -
Cortex Data Lake
10 -
Cortex XDR
32 -
Cortex XDR 2.0 Features
2 -
Cortex XDR 2.2 Features
1 -
Cortex XDR 2.3
1 -
Cortex XDR 2.4 Features
1 -
Cortex XDR 2.5 Features
1 -
Cortex XDR 2.6 Features
1 -
Cortex XDR 2.7 Features
1 -
Cortex XDR 2.9 Features
1 -
Cortex XDR 7.4 Features
1 -
Cortex XDR Agent
2 -
Cortex XDR Agent 7.3 features
1 -
Cortex XDR Features
1 -
Cortex XDR Management
1 -
Cortex XSOAR
11 -
COVID-19
2 -
credits
1 -
csp
11 -
CSP outage
1 -
Custom Signatures
1 -
Customer Experience
2 -
Customer Help
2 -
Customer Success
13 -
Customer Support Portal
4 -
Customer Support Resources
1 -
CX Day
1 -
CXDay2020
1 -
cyber elite
6 -
Cyber Elite Program
6 -
cyberelite
6 -
cybersecurity
8 -
Cybersecurity Academy
1 -
Data Center
1 -
data lake
1 -
Data Loss Prevention
3 -
Data Loss Prevention 7000
1 -
data pattern
1 -
Data Security
1 -
dataplane
1 -
Debug
4 -
Decryption
3 -
Dependency
1 -
Deployment
1 -
Detection and Response
1 -
dev_ops
1 -
Developers
1 -
DLP
3 -
dns
4 -
DNS Security
7 -
dotw
3 -
Download
1 -
EDL
3 -
edu
1 -
EDU-114
1 -
Education
15 -
Education Services
4 -
ela
1 -
Endpoint
5 -
Endpoint Security Manager (ESM)
2 -
Enterprise
1 -
events
44 -
Exams
1 -
Expedition
3 -
Expert Program
1 -
feature request
1 -
FeatureRequest
2 -
Features
3 -
Filtering
1 -
Firewall
97 -
Firewall Essentials
1 -
fuel
6 -
Fuel User Group
11 -
Fundamentals
1 -
gateway
1 -
gateway selection
1 -
gcp
2 -
Global
1 -
GlobalProtect
38 -
GlobalProtect 5.0
3 -
GlobalProtect App
1 -
GlobalProtect Cloud Service
2 -
GlobalProtect HIP check
1 -
GlobalProtect-COVID19
24 -
GlobalProtect-Resources
19 -
Google Chrome extension
1 -
google cloud platform
1 -
GP
2 -
GPCS
1 -
Grateful
1 -
Grayware
2 -
Guidance and Guidelines
2 -
ha
1 -
Happy Holidays
1 -
Hardware
1 -
High Availability
1 -
HIP
1 -
HIP Check
1 -
How to
1 -
HTTP
1 -
hub
6 -
Hybrid Cloud
3 -
Hyper Scale
1 -
ICS
1 -
ignite
2 -
Ignite conference
2 -
ignite2019
3 -
Ignite2020
8 -
IGNITEQ&A
1 -
Interactive Event
2 -
Interactive Events
1 -
IoMT
1 -
IoT
5 -
IoT Security
6 -
IPSec
1 -
IPv6
1 -
Iron Skillet
1 -
IronSkillet
1 -
Kubernetes
3 -
LatinxHeritage
1 -
LatinxHeritageMonth
4 -
Learning
1 -
Learning Center
1 -
license
1 -
License Keys
1 -
licenses
2 -
live community
3 -
Live Community Help
2 -
livecommunity
8 -
log forwarding
4 -
Logging
5 -
logging service
3 -
logging_services
1 -
login
1 -
Logs
2 -
Mac OS X
1 -
machine learning
5 -
MacOS
2 -
Magnifier
1 -
malware
3 -
Management
26 -
Management & Administration
1 -
mapping
2 -
MFA
3 -
microsoft 365
1 -
Migration
1 -
Migration Tool
2 -
ML-Powered NGFW
4 -
Monthly Release
1 -
multi factor authentication
1 -
Multi-Category URL Filtering
2 -
Network
1 -
Network Perimeter
1 -
Networking
1 -
New Features
2 -
Next-Generation Firewall
5 -
Next-Generation Firewall. NGFW
2 -
Next-Generation Firewalls
1 -
NGFW
9 -
notifications
1 -
NSX
1 -
OCI
1 -
office 365
1 -
Oracle Cloud
1 -
PA Firewall
1 -
PA-220R
1 -
PA-7000 Series Firewall
1 -
Palo Alto Networks
1 -
PAN-OS
31 -
PAN-OS 10.0
2 -
PAN-OS 9.0
5 -
PAN-OS 9.1
1 -
Panorama
19 -
panorama_csr
1 -
PANOS-9.0
2 -
Parked
1 -
PCCET
2 -
PCCSA
3 -
PCNSA
4 -
PCNSE
9 -
Phishing
1 -
plugin
2 -
policies
1 -
Policy
1 -
Pre-Logon
1 -
prisma
13 -
Prisma Access
31 -
Prisma Access 2.0
1 -
prisma access app
1 -
Prisma Access Cloud Management
2 -
prisma access insights
2 -
Prisma Cloud
9 -
Prisma Coud
1 -
Prisma SaaS
5 -
Prisma SD-WAN
6 -
PrismaAccess
2 -
PrismaAccess-COVID19
12 -
prismaaccessinsights
2 -
Privacy Data Sheets
1 -
Private Cloud
1 -
Professional Services
1 -
Proxy Avoidance
2 -
Public Cloud
2 -
Questionable
1 -
Quickplay Solutions
1 -
Release Notes
2 -
Release-Notes
3 -
Remote location
1 -
Remote Networks
2 -
Reports
2 -
Resources
2 -
RSA
1 -
SaaS
3 -
SaaS Security
2 -
SAML
2 -
SASE
2 -
SCADA
1 -
SD-WAN
6 -
Second Watch
1 -
Secure Input
1 -
secureinput
1 -
Security
4 -
Security Advisory
1 -
Security Policy
5 -
Services
1 -
session
1 -
Setup
1 -
Skillets
1 -
Smart NIC
1 -
smb
1 -
SNMP Monitoring
1 -
Social Media
1 -
Software
1 -
SolarStorm
1 -
SolarWinds
1 -
Spark User Summit Event
1 -
SSL Decryption
4 -
SSL Forward Proxy
1 -
strata
5 -
SUNBURST
1 -
Support
21 -
Support Guidance
1 -
support portal
1 -
Symphony
1 -
Thankful 2020
1 -
Thanksgiving
1 -
Threat
28 -
Threat Intelligence Management
1 -
Threat Management
3 -
threat prevention
3 -
threat protection
1 -
Threats
1 -
Tips & Tricks
4 -
TMS
4 -
Tools
3 -
training
1 -
Traps
8 -
Traps Agent
8 -
Traps Management Service
4 -
Troubleshooting
4 -
Tutorial
10 -
unit 42
17 -
unit42
4 -
upgrade
2 -
URL Filtering
8 -
User-ID
4 -
users
1 -
Veteran Training
3 -
Veterans Day
1 -
Video
7 -
Videos
3 -
VIP
1 -
Virtualization
6 -
VM-Series
35 -
VPN
2 -
Vulnerability
11 -
Vulnerability Protection
1 -
webcast
1 -
Webinar
6 -
WildFire
8 -
Women's Equality Day
1 -
XDR
1 -
Year in Review
1 -
YouTube
3 -
Zero Trust
3 -
Zero Trust Network Security
2 -
ZTP
1
- Previous
- Next
Related Content
- collector group with redundancy not working properly in General Topics
- How to set up an outbound VPC proxy with domain whitelisting and content filtering on AWS in VM-Series in the Public Cloud
- Question about multiple filters in a User-ID Syslog Parser in General Topics
- IoT Security Update May 2021 in Blogs
- Firewall forwarding log to Private IP of Panorama --- failing - (AWS - VM series) in VM-Series in the Public Cloud
Top Liked Posts
| Subject | Likes |
|---|---|
| 2 Likes | |
| 2 Likes | |
| 1 Like | |
| 1 Like | |
| 1 Like |
LEGAL NOTICES
Copyright 2007 - 2021 - Palo Alto Networks
