Hello, I am new to Palo Alto... Which report will show what is being blocked? Do I create a Custom Report for that? I am really just interested in seeing what Palo Alto is blocking at this point. We just put it into service last Friday as strickly a Threat prevention/ anti-malware device for now and would like to show the boss - whom I had to convince to buy this - that we are blocking what we said we'd block.
Thanks in advance!
There are basic reports under the monitor tab that run every night around 2 to 4 AM.
You can also create custom reports and have them emailed to you daily.
I would look under the Threat Reports for what you are interested in.
You wanted to know how to log traffic that is denied. The default deny policy for zone to zone does not log those sessions that are denied by the default denies.
To log this traffic all you need to do is create an any to any default deny or create explicit zone to zone deny policies.
This policy must be place at the bottom of all your policies.
by default PAN firewalls don't log the traffic that is blocked by the implied block rule (remember that there is an implied block rule at the bottom of your security policy).
if you want to log "all the rest of the traffc" (ie. traffic that isn't blocked by an existing rule) then you would need to add an explicit block rule to log the blocks that are, by default, done as part of the implied rule.
a rule with the characteristics listed below could be placed at the bottom of your policy list and that would do the trick:
src zone: trust
dst zone: untrust
src address: any
src user: any
dest addr: any
action : deny
this should cause the PAN device to log all the dropped traffic so that you can demonstrate everything that is being blocked to your boss.
reports depend upon logs for their creation. You can see how the implied block rule (which doesn't create logs) would not create the log data that
biggest caveat with an explicit global block rule is that if you choose any/any for the src and dst zones you will cause some undesirable behavior. So make sure to explicitly choose zones on this type of rule. and test in a lab before you do anything in production =)
Rats - I knew I should have asked for a test box too. I got them to buy 2 HA pairs for production. Get this, my bosses boss, who was the biggest roadblock because Palo Alto doesn't have a Cisco sign above the door like IronPort does, topped the very first Spyware report on day one!
That's poetic justice.
Thanks all for the good answers.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!