How to configure PAN-OS to email/alert me of potential attack?

L1 Bithead

So, you would think this would be an easy thing to learn and configure, however I can't seem to find the answer from any PA walk-through, or through PA support.

I'm simply looking to configure my PA-3020 (PAN-9.0.0), so that if a new threat is detected in the threat list, I will be notified via email. I have already set up the PDF summary, but that is just a nightly overview, which does not help me if I wanted to know that my 3020 had recently detected a user login brute force attack threat, for example.

I spoke with a PA support rep, and he told me PAN-OS currently does not offer any kind of feature like that at this time, and suggested I look more into external monitoring tools, like Prometheus. I thought perhaps the support rep and I were not on the same page, and he/she might not have known what I was looking for, so I'm asking you guys if you know how to configure it, or the next best option.

Unless I'm missing something, how do you guys monitor your PA boxes? I mean, just keeping an eye on our PAN UI traffic does not seem like a realistic solution.

Thanks.

Cyber Elite

@AndrewPaloAlto,

So the representative that you talked to is right in a way, but also wrong. There's not something as easy as setting up a log setting filter, because the threat logs aren't cleared for that, but there are other ways to do so.

1. Log Forwarding Profiles

Easiest solution. You simply set the log forwarding profile to send any threat logs to your email address and assign said log forwarding profile to all of your rulebase entries. I would caution against actually doing this to your email, however; I would personally recommend that you have a filter like (severity geq medium) or (action neq alert), which would give you anything with a severity of medium or above, or anything that the firewall actually took action on.

If you already have a Log Forwarding profile assigned to everything, simply update the profiles with a new entry with the log type of threat and whatever filter you choose to use, with the email method specified.

2. Custom Reports + API

You can create a custom report which gives you all of the recently recorded threat logs, and then use the API to actually run the report, gather it once it's complete and send yourself the output. Not hard if you have experience with the API and a scripting language like Python or PowerShell, but it isn't a pre-built solution.

Cyber Elite

@AndrewPaloAlto,

Also just to ensure that it's clear, I wouldn't actually advise you set this up without a filter specified. Your firewall will generate a lot of threat log entries just in basic operations, and you will quickly become alert fatigued. 
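The filter suggested above, `(severity geq medium) or (action neq alert)`, applied to a handful of threat log entries to show how much of the noise it drops, as an added Python example (not code from this thread or from Palo Alto Networks). The log field names, the severity ordering and the flat filter grammar (terms joined by `and`/`or`, no nesting) are assumptions, and the log entries are constructed.

```python
import operator

# Threat severities in ascending order; "geq"/"leq" in a forwarding filter are
# evaluated on this ordering (assumption: order taken from the five documented levels).
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

OPS = {"eq": operator.eq, "neq": operator.ne, "geq": operator.ge,
       "leq": operator.le, "gt": operator.gt, "lt": operator.lt}

# Constructed sample threat log entries (not real firewall output); in basic
# operation most of what a firewall logs looks like the first one.
SAMPLE_THREATS = [
    {"threat": "probe signature A", "severity": "informational", "action": "alert"},
    {"threat": "login brute force attempt", "severity": "medium", "action": "alert"},
    {"threat": "exploit signature B", "severity": "critical", "action": "reset-both"},
    {"threat": "suspicious dns query", "severity": "low", "action": "drop"},
    {"threat": "exploit signature C", "severity": "high", "action": "alert"},
]


def _term_matches(term, entry):
    """Evaluate one '(field op value)' term against a threat log entry (a dict)."""
    field, op, value = term.strip().strip("()").split()
    actual = entry.get(field, "")
    if field == "severity":  # compare severities by rank, not as strings
        actual, value = SEVERITY_RANK[actual], SEVERITY_RANK[value]
    return OPS[op](actual, value)


def matches(filter_expr, entry):
    """Flat filter: 'or' separates clauses, 'and' joins terms inside a clause."""
    return any(all(_term_matches(t, entry) for t in clause.split(" and "))
               for clause in filter_expr.split(" or "))


def select_for_email(entries, filter_expr):
    """Return only the entries a forwarding profile with this filter would email."""
    return [e for e in entries if matches(filter_expr, e)]


if __name__ == "__main__":
    fatigue_filter = "(severity geq medium) or (action neq alert)"
    kept = select_for_email(SAMPLE_THREATS, fatigue_filter)
    print(f"{len(kept)} of {len(SAMPLE_THREATS)} entries would be emailed")
    for e in kept:
        print(f"  {e['severity']:<13} {e['action']:<10} {e['threat']}")
```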

L1 Bithead

Hi @BPry, thank you for your help with this.
I was wondering, based on your suggestion of log forwarding, do you know if PAN-OS has the capability to send syslogs to email, directly from PAN-OS? Or would I need to set up a syslog server, that would receive the syslogs sent from PAN-OS, then the syslog server emails the syslogs to my email?

Cyber Elite

@AndrewPaloAlto,

Kind of, if you simply add your email profile under Forward Method, the same information present in the syslog alert will be sent to your email. It's formatted though so it's actually readable, so if you try to actually feed that email through your syslog collector it might give you issues.
