Real time alerts for threats?


L4 Transporter

Is there such a thing with PAN? I.e., if the logs generate a critical alert, is there some logic to fire an email or generate a report with the relevant information?


L2 Linker

Yes.  It's found under Device Groups (in Panorama) under Objects > Log Forwarding.

Link here (PANOS 7.1 - it's the same in PANOS 8).

(screenshot attachment: ThreatAlerts.png)

Thanks, but it won't let me put anything under Email even though I have email profiles configured under Panorama > Server Profiles > Email.

(screenshot attachment: pan-log-forward-noemail.JPG)

That's the Email Profile for your Panorama - not the firewalls for which it is managing policies.  Find a similar Email Server Profile under Templates > Device > Server Profiles > Email.

Note:  the Log forwarding is in a Device Group.  The Email Profile is in the Template.  Your targets for both need to match or you will get a commit failure.

Targets need to match?  I don't follow. 

The firewall target of your Device Group must also be in scope for the Template.  If you are using shared templates/device groups, just make sure the firewall that gets the Device Group has a template that contains an email profile with the same name.

Does that help?

Yep!  Thanks for your help.

One last question: will this be real time or do I need to schedule it to run?  I lied, as I have more questions: do I need to apply this log forwarding profile to a security rule?  I already have all my logs forwarded to PANORAMA on all of my rules, but I am not clear on how log profiles are applied.  Across the board or per rule?

In my experience, real time.  Including the caveats that come with that:  you may be turning on an email fire-hose if you set it to email on events that you see hundreds of each minute.  Caveat emptor.  The firewall is happy to melt your mail queue if you tell it to.

Expected, thanks for your help @JW6224


@drewdown wrote:
One last question: will this be real time or do I need to schedule it to run?  I lied, as I have more questions: do I need to apply this log forwarding profile to a security rule?  I already have all my logs forwarded to PANORAMA on all of my rules, but I am not clear on how log profiles are applied.  Across the board or per rule?
Not per-rule.  It is a log forward.  When you go to the Monitor tab, you will see several logs (Traffic, URL, Threat, etc.)  It is forwarding those log entries as you direct in the forwarding rule, when the firewall records each log entry.  Does that make sense?
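The forwarding profile described above emails each matching log entry as the firewall records it, which is exactly the "email fire-hose" the earlier reply warns about when a single host trips the same signature hundreds of times a minute. The following is an added example, not code from the original thread or from Palo Alto Networks: it applies the same severity filter a Log Forwarding profile would (`severity eq critical`) to constructed, PAN-OS-shaped threat-log records, and then throttles alerts per (threat, source) pair so that a noisy host produces a couple of emails plus a suppressed count rather than hundreds of messages. Field names and sample values are assumptions chosen for illustration.

```python
"""Severity filter plus per-key alert throttling over PAN-OS-style threat-log records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed column order for the constructed CSV records below (not a real export).
FIELDS = ("receive_time", "src", "dst", "threat", "severity", "action")


def parse_csv_line(line):
    """Turn one constructed CSV record into a dict keyed by FIELDS."""
    return dict(zip(FIELDS, line.split(",")))


def matches(rec, severities=("critical",)):
    """Equivalent of the forwarding-profile filter '(severity eq critical)'."""
    return rec["severity"] in severities


class AlertThrottle:
    """Allow at most max_per_key emails per (threat, src) within each window; count the rest."""

    def __init__(self, window_seconds=300, max_per_key=2):
        self.window = timedelta(seconds=window_seconds)
        self.max_per_key = max_per_key
        self.seen = {}  # (threat, src) -> (window start, alerts seen in window)

    def process(self, records):
        emails, suppressed = [], defaultdict(int)
        for rec in records:
            if not matches(rec):
                continue
            key = (rec["threat"], rec["src"])
            ts = datetime.strptime(rec["receive_time"], "%Y/%m/%d %H:%M:%S")
            start, count = self.seen.get(key, (ts, 0))
            if ts - start >= self.window:  # window expired: start counting afresh
                start, count = ts, 0
            count += 1
            self.seen[key] = (start, count)
            if count <= self.max_per_key:
                emails.append(f"[{rec['severity'].upper()}] {rec['threat']} "
                              f"{rec['src']} -> {rec['dst']} action={rec['action']}")
            else:
                suppressed[key] += 1
        return emails, dict(suppressed)


def sample_lines():
    """Constructed input: one host firing the same signature 5x/second, plus two other events."""
    base = datetime(2018, 5, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=200 * i)).strftime('%Y/%m/%d %H:%M:%S')},"
             f"10.1.1.5,203.0.113.9,Example.Malware.Beacon,critical,alert" for i in range(300)]
    lines.append("2018/05/01 10:00:30,10.1.1.7,203.0.113.9,Example.Scanner.Probe,high,alert")
    lines.append("2018/05/01 10:00:45,10.1.1.8,198.51.100.4,Example.Exploit.Kit,critical,drop")
    return lines


def run_demo():
    """Returns (emails that would be sent, suppressed counts per key) for the sample input."""
    return AlertThrottle(window_seconds=300, max_per_key=2).process(
        parse_csv_line(line) for line in sample_lines())
```

With the sample input, 302 records collapse to three emails (two for the beaconing host, one for the exploit-kit hit) and 298 suppressed beacon alerts; the `high`-severity probe is dropped by the filter just as the forwarding profile would drop it.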

L4 Transporter

I actually tried to do this with Log Correlation on Panorama.  In theory it should work great; in practice (on 8.0.9) the filter builder, and possibly the resulting filters, in that part of the GUI don't seem to work correctly, and emails aren't always being sent upon a match.

The filter builder outputs slightly different syntax in some cases than what the rest of the system uses.  Even if it is the same filter result, I wasn't getting matches despite being able to use the same filter in the Threat Monitor and getting results.

This and some of the reporting are areas where I really hope improvements are made in some of the newer versions.  We have a team that deals with desktop issues, and I'd love to be able to send correlated event information for a possible malware infection straight to their ticket queue via email so they know to go take a look at it.
