I am quite new to Palo Alto and I have some queries regarding URL filter log retention. Before, we could generate user activity reports for browsed URLs more than two weeks old, but now we can only see URL filter logs from no more than 4 days back.
What affects the log retention period, and how can we generate a month-old User Activity report for a specific user if the logs are not present anymore?
@Ernest_James Traffic that matches your policy will definitely affect your device. If possible, you might want to modify what you log and when, as far as URL logs go.
For one function my company uses a 3020 pair, and we've got logs back to before the 20th. So if you've got a specific requirement, it might be worth reallocating storage capacity from one log type to another.
system: 4.00%, 3.356 GB
config: 4.00%, 3.356 GB
alarm: 3.00%, 2.517 GB
appstat: 6.00%, 5.034 GB
hip-reports: 1.00%, 0.839 GB
traffic: 32.00%, 26.850 GB
threat: 16.00%, 13.425 GB
trsum: 7.00%, 5.873 GB
hourlytrsum: 3.00%, 2.517 GB
dailytrsum: 1.00%, 0.839 GB
weeklytrsum: 1.00%, 0.839 GB
thsum: 2.00%, 1.678 GB
hourlythsum: 1.00%, 0.839 GB
dailythsum: 1.00%, 0.839 GB
weeklythsum: 1.00%, 0.839 GB
userid: 1.00%, 0.839 GB
application-pcaps: 1.00%, 0.839 GB
extpcap: 1.00%, 0.839 GB
debug-filter-pcaps: 1.00%, 0.839 GB
dlp-logs: 1.00%, 0.839 GB
hipmatch: 3.00%, 2.517 GB
I have checked Reports > Traffic Reports > Security Rules and found this:
Site A has log problems, with only 4 days' worth of user activity logs; Site B, which has 30 GB less than Site A, can hold up to 3 months of user activity logs.
Please correct me if I am wrong, but Monitor > PDF Reports > User Activity Report should basically be text-file logs arranged into a PDF for better viewing, right? In my opinion, it should not take a lot of space to retain these logs.
Transferred bytes are irrelevant for logging. Log entries are generated per session, so look at the session counter values. A single HTTP download session which transfers 3 GB means one log entry, the same as a DNS query for this site which transfers only a few bytes.
Check the most-used rules and see if you log some non-relevant sessions like DNS and ICMP or broadcast traffic and similar.
That's possible. ACC got a major facelift in PAN-OS 7.0 and some features were added. Possibly pre-7.0 won't have it.
It will basically return the same output as seen in Reports > Traffic Reports > Security Rules. As santonic already pointed out, you need to check the number of sessions.
Even if it has always been there, you can optimise it and turn off logging for non-interesting traffic.
But to find the source of the spike in events: the PA FW saves these reports daily. I guess you have to check past reports, find out on which day there was a spike and which rule recorded it, and (in the unlikely case you still have logs for that day) you can find out which traffic caused it. If you don't have logs, you can check other automated reports and look for possible causes.
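The two points the thread makes (retention is driven by the number of logged sessions, not bytes transferred, and quota can be reallocated between log types) can be checked with a bit of arithmetic over the quota table posted above. The script below is an added example, not code from the original thread or from Palo Alto Networks. It parses quota lines in the posted format, backs out the daily log volume implied by an observed retention, and recomputes retention after moving quota points from one type to another. Assumptions (not from the thread): an average log entry of 500 bytes, 1 GB = 10^9 bytes, and URL logs being counted against the "threat" quota; the quota text embedded here is an abbreviated copy of the posted table.

```python
import re

# Abbreviated copy of the quota table posted in the thread (percent, GB).
POSTED_QUOTA = """\
system: 4.00%, 3.356 GB
traffic: 32.00%, 26.850 GB
threat: 16.00%, 13.425 GB
trsum: 7.00%, 5.873 GB
"""

# Hypothetical average size of one log entry; tune to your own export.
BYTES_PER_LOG = 500
GB = 1e9  # assumption: the CLI reports decimal gigabytes

LINE_RE = re.compile(r"^\s*([\w-]+):\s*([\d.]+)%,\s*([\d.]+)\s*GB\s*$")


def parse_quota(text):
    """Parse 'name: pct%, X GB' lines into {name: (pct, gb)}; skip junk lines."""
    quota = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            quota[m.group(1)] = (float(m.group(2)), float(m.group(3)))
    return quota


def total_logdb_gb(quota):
    """Total log storage implied by the table: any row gives gb / (pct/100).
    The largest row is used to minimise rounding error."""
    _name, (pct, gb) = max(quota.items(), key=lambda kv: kv[1][1])
    return gb / (pct / 100.0)


def implied_logs_per_day(quota_gb, observed_days, bytes_per_log=BYTES_PER_LOG):
    """Given a quota and how many days it actually covers, estimate the
    number of log entries (i.e. logged sessions) written per day."""
    return quota_gb * GB / (observed_days * bytes_per_log)


def retention_days(quota_gb, logs_per_day, bytes_per_log=BYTES_PER_LOG):
    """Days of history a quota holds at a given daily log rate."""
    return quota_gb * GB / (logs_per_day * bytes_per_log)


def reallocate(quota, src, dst, pct_points):
    """Move pct_points of quota from src to dst; GB figures are recomputed
    from the table's total so the result stays internally consistent."""
    total = total_logdb_gb(quota)
    src_pct, _ = quota[src]
    dst_pct, _ = quota[dst]
    if pct_points > src_pct:
        raise ValueError(f"{src} only has {src_pct}% to give")
    new = dict(quota)
    new[src] = (src_pct - pct_points, total * (src_pct - pct_points) / 100.0)
    new[dst] = (dst_pct + pct_points, total * (dst_pct + pct_points) / 100.0)
    return new


def site_a_scenario(quota_text=POSTED_QUOTA, observed_days=4.0, move_points=10.0):
    """Site A in the thread keeps only 4 days. Back out its daily log rate,
    then see what moving quota from 'traffic' to 'threat' would buy."""
    quota = parse_quota(quota_text)
    threat_gb = quota["threat"][1]
    rate = implied_logs_per_day(threat_gb, observed_days)
    after = reallocate(quota, "traffic", "threat", move_points)
    return {
        "logs_per_day": rate,
        "days_before": retention_days(threat_gb, rate),
        "days_after": retention_days(after["threat"][1], rate),
    }


if __name__ == "__main__":
    for k, v in site_a_scenario().items():
        print(f"{k}: {v:,.1f}")
```

Backing out the daily rate is the useful step: at 500 bytes per entry, 13.4 GB lasting only 4 days means roughly 6.7 million logged sessions a day, which is the number to compare against the session counters in Reports > Traffic Reports > Security Rules. Moving 10 quota points from traffic to threat only stretches that to about 6.5 days, so cutting what gets logged (DNS, ICMP, broadcast) has far more effect than shuffling quota.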