Making Sense of Filtered Log Forwarding

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member

filtered-log-forwarding.jpg

 

Log forwarding has been part of firewalls since, well, the beginning of firewalls. The sheer amount of logging can be intimidating and some challenges can occur.  For example, how can I forward a particular set of logs to start troubleshooting across a variety of teams? Do you have time to filter through your flood of unwanted logs manually to filter out what you need exactly? No one has time for all that.

 

Using PAN-OS log filtering features you can:

 

  • Expand the log filtering from the granularity of severity to the granularity of a user-defined filter for log forwarding purposes
  • Forward selective logs based on a custom-defined filter for a given log type
  • Apply filters in a similar fashion as you would on the monitor tab
  • Attach profiles to rules/zones

 

Log forwarding profiles are designed to accommodate log filtering. Users can create match lists in the log forwarding profile.

 

All the forwarding actions mentioned in the match list will be taken against that particular traffic log. A traffic log can match more than one match list, forwarding actions mentioned in all the matching lists will be taken. New match criteria can be added to the forwarding profile with “Add” option. In the example below, two match lists are configured:

 

Log Forwarding ProfileLog Forwarding Profile

 

Log Forwarding Profile Match List allows for the creation of custom filters as shown here:

 

Filter BuilderFilter Builder

 

By default, the firewall forwards ALL logs of the selected Log Type. To forward a subset of the logs, select an existing filter from the drop-down or select 'Filter Builder' to add a new filter to select interesting logs to be forwarded. These filters are similar to the filters that you can use on the monitor tab:

 

Create Filter Using the Filter BuilderCreate Filter Using the Filter Builder

 

You can check the ‘View Filtered Logs’ tab to verify which logs exactly will be forwarded.

 

It can be challenging to create your own filter, but you can work backwards and have the firewall create a filter for you. Without a configured filter you can go to the 'View Filtered Logs' view and you will have an unfiltered view. From here you can make any selection from the displayed logs and the firewall will create a filter for you in response to that. Notice how the firewall creates a filter for me when I make any selection in the 'View Filtered Logs' tab.

 

Filter CreationFilter Creation

 

Click the 'Apply Filter' button to see exactly which logs exactly will be forwarded:

 

Apply FilterApply Filter

 

Click OK and all that remains to be done is select your Forward method (Panorama in this example) and name it (MITM Vulnerability), for example. Once you do that you can click the OK button and you can confirm if the Log Forwarding Profile looks fine and you can click the OK button once more.

 

Log Forwarding ProfileLog Forwarding Profile

 

With this your log forwarding profile is created.

 

Similarly, you have the log settings feature on the device tab. You can configure system logs, config logs, UserID, GlobalProtect and HIP match logs. The same granularity was added in all of these logs:

 

Device > Log SettingsDevice > Log Settings

 

 

As an example check out the 'Log Settings - Configuration' below, where I configured a forwarding option for the filter (admin eq kiwi):

 

Log Settings - ConfigurationLog Settings - Configuration

 

Notice in the example above that I've set my forwarding option to Panorama. If you are happy with this you can go ahead and click OK and commit the change.

 

With this new feature, a flood of unwanted logs will soon be a thing of the past!

 

How have you implemented filtered log forwarding?

 

Feel free to share your questions, comments and ideas in the section below.

 

Thank you for taking time to read this blog.

Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.

 

Kiwi out!

 
  • 7159 Views
  • 0 comments
  • 3 Likes
Register or Sign-in
Labels