Policy with "Log at Session Start" option - how to find it?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Policy with "Log at Session Start" option - how to find it?

L4 Transporter

Hello

I have about 100 polices on my device, some of them has "Log at Session Start" option enabled. Is it posisible to find it from the CLI ?

I have very little skills in CLI so please give me the whole CLI command.

I realised that my weekly reports are unusable because I have only data from last few days. How I can save some space on PA200 to get more logs than last 7 days?

With regards

SLawek

1 accepted solution

Accepted Solutions

L5 Sessionator

Hello,

Please use following filter in security rule page (on GUI).

(log-start eq 'yes')


You can change log storage allocation under device tab > setup > management tab > logging and reporting settings

please click edit button on the right upper corner.


Regards,

View solution in original post

7 REPLIES 7

L5 Sessionator

Pre-requisite: Text-Editors like Notepad ++ or PSPad

Method:

Enable Logging for  CLI session from the Terminal Application eg Putty.


CLI Commands:

> set cli pager off

> set cli config-output-format set

> configure

# show rulebase security

Open  CLI session log and Find-All for the string "log-start yes"

Our you could just export whole configuration to XML file and search it.

Considering log size - look at what you are logging. Some chatty protocols (example: DNS) are not always worth logging, think about updates (adobe-update, ms-update) and so on.

Look into ACC, sorting by sessions, at applications. Search for those that you are willing to "sacrifice", disable logging for them.

L5 Sessionator

Hello,

Please use following filter in security rule page (on GUI).

(log-start eq 'yes')


You can change log storage allocation under device tab > setup > management tab > logging and reporting settings

please click edit button on the right upper corner.


Regards,

Your solution is correct but EMR's solution is much simplier so points must go to EMR.

Thank you to all of you for your help.

With regards

SLawek

emr - Is there any guide for Security Rules filters?

I don't know there is any document related to this filter, but I found this filter from PaloAlto API browser and debug for web browser.

You can access to API browser by typing in https://<IP address for MGT>/api/

For debug, you can access to https://<IP address for MGT>/debug

Regards,

I think you must be superadmin to gain access to the /debug page.

  • 1 accepted solution
  • 7127 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!