Policy with "Log at Session Start" option - how to find it?

L4 Transporter

Hello

I have about 100 policies on my device, and some of them have the "Log at Session Start" option enabled. Is it possible to find them from the CLI?

I have very little skill with the CLI, so please give me the whole CLI command.

I realised that my weekly reports are unusable because I only have data from the last few days. How can I save some space on the PA200 to get more logs than the last 7 days?

With regards

SLawek

Accepted Solutions
L4 Transporter

Hello,

Please use the following filter on the security rule page (in the GUI).

(log-start eq 'yes')


You can change the log storage allocation under device tab > setup > management tab > logging and reporting settings.

Please click the edit button in the upper right corner.


Regards,


All Replies
L5 Sessionator

Prerequisite: a text editor like Notepad++ or PSPad

Method:

Enable logging for the CLI session from the terminal application, e.g. PuTTY.


CLI Commands:

> set cli pager off

> set cli config-output-format set

> configure

# show rulebase security

Open the CLI session log and use Find All for the string "log-start yes".

L3 Networker

Or you could just export the whole configuration to an XML file and search it.

Considering log size - look at what you are logging. Some chatty protocols (example: DNS) are not always worth logging, think about updates (adobe-update, ms-update) and so on.

Look into ACC, sorting by sessions, at applications. Search for those that you are willing to "sacrifice", disable logging for them.
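
The XML-export search suggested above, as an added example that is not part of the original posts: a Python script that lists the security rules with log-start set to yes, together with their applications and log-end setting. The sample configuration is constructed, and the element layout it relies on (vsys entries containing rulebase/security/rules) is an assumption about the exported file.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an exported configuration (not a real device config).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="allow-dns">
        <application><member>dns</member></application>
        <action>allow</action>
        <log-start>yes</log-start><log-end>yes</log-end>
      </entry>
      <entry name="allow-web">
        <application><member>web-browsing</member><member>ssl</member></application>
        <action>allow</action>
        <log-end>yes</log-end>
      </entry>
      <entry name="deny-all">
        <application><member>any</member></application>
        <action>deny</action>
        <log-start>yes</log-start>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def rules_logging_at_start(xml_text):
    """Return (vsys, rule, applications, log_end) for each rule with log-start yes."""
    root = ET.fromstring(xml_text)
    hits = []
    for vsys_container in root.iter("vsys"):
        for vsys in vsys_container.findall("entry"):
            # Assumed layout: each vsys entry holds rulebase/security/rules/entry.
            for rule in vsys.findall("rulebase/security/rules/entry"):
                if (rule.findtext("log-start") or "").strip() != "yes":
                    continue
                apps = [m.text for m in rule.findall("application/member")]
                # A rule without a log-end element is reported as "unset".
                log_end = (rule.findtext("log-end") or "").strip() or "unset"
                hits.append((vsys.get("name"), rule.get("name"), apps, log_end))
    return hits


if __name__ == "__main__":
    for vsys, name, apps, log_end in rules_logging_at_start(SAMPLE_CONFIG):
        print(f"{vsys}: {name} apps={','.join(apps)} log-end={log_end}")
```

To run it against a real export, read the file into a string and pass that to `rules_logging_at_start` in place of `SAMPLE_CONFIG`.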

L4 Transporter

Your solution is correct but EMR's solution is much simpler so points must go to EMR.

Thank you to all of you for your help.

With regards

SLawek

L3 Networker

emr - Is there any guide for Security Rules filters?

L4 Transporter

I don't know if there is any document related to this filter, but I found this filter from the PaloAlto API browser and debug for web browser.

You can access the API browser by typing in https://<IP address for MGT>/api/

For debug, you can access https://<IP address for MGT>/debug

Regards,

L6 Presenter

I think you must be superadmin to gain access to the /debug page.
