11-01-2018 06:18 AM
Is there such a thing with PAN? I.e., if the logs generate a critical alert, is there some logic to fire an email or generate a report with the relevant information?
11-01-2018 06:35 AM
Yes. It's found under Device Groups (in Panorama) under Objects > Log Forwarding.
Link here (PANOS 7.1 - it's the same in PANOS 8).
11-01-2018 06:48 AM - edited 11-01-2018 06:51 AM
Thanks... but it won't let me put anything under Email even though I have email profiles configured under Panorama > Server Profiles > Email.
11-01-2018 06:53 AM
That's the Email Profile for your Panorama - not the firewalls for which it is managing policies. Find a similar Email Server Profile under Templates > Device > Server Profiles > Email.
Note: the Log forwarding is in a Device Group. The Email Profile is in the Template. Your targets for both need to match or you will get a commit failure.
11-01-2018 06:57 AM
Targets need to match? I don't follow.
11-01-2018 06:59 AM
The firewall target of your Device Group must also be in scope for the Template. If you are using shared templates/device groups, just make sure the firewalls that get the Device Groups have templates that have an email profile with the same name.
Does that help?
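The target-matching rule from the reply above, as an added example that is not part of the original thread and not Palo Alto Networks code: it flags every firewall that receives a log forwarding profile from a device group while none of its templates defines an email profile with the referenced name. The inventory is a constructed data model, not a Panorama export format, and all device group, template, profile and firewall names are hypothetical.

```python
# Constructed inventory (assumption: a simplified model, not a Panorama export).
# Device groups carry log forwarding profiles that reference email profiles by
# name; templates carry the Email Server Profiles themselves.
DEVICE_GROUPS = {
    "dg-branch": {
        "firewalls": {"fw-nyc-01", "fw-chi-01"},
        "log_forwarding": {"critical-alerts": ["soc-mail"]},
    },
    "dg-dc": {
        "firewalls": {"fw-dc-01"},
        "log_forwarding": {"critical-alerts": ["soc-mail"]},
    },
}
TEMPLATES = {
    "tpl-branch": {"firewalls": {"fw-nyc-01"}, "email_profiles": {"soc-mail"}},
    "tpl-dc": {"firewalls": {"fw-dc-01", "fw-chi-01"}, "email_profiles": {"noc-mail"}},
}


def find_mismatches(device_groups, templates):
    """Return (device_group, lf_profile, email_profile, firewall) tuples where
    the firewall gets a log forwarding profile naming an email profile that no
    template in scope for that firewall defines."""
    # Map each firewall to the email profile names its templates provide.
    available = {}
    for tpl in templates.values():
        for fw in tpl["firewalls"]:
            available.setdefault(fw, set()).update(tpl["email_profiles"])

    problems = []
    for dg_name, dg in sorted(device_groups.items()):
        for lf_name, email_refs in sorted(dg["log_forwarding"].items()):
            for ref in email_refs:
                for fw in sorted(dg["firewalls"]):
                    if ref not in available.get(fw, set()):
                        problems.append((dg_name, lf_name, ref, fw))
    return problems


if __name__ == "__main__":
    for dg, lf, ref, fw in find_mismatches(DEVICE_GROUPS, TEMPLATES):
        print(f"{fw}: device group {dg!r} profile {lf!r} references email "
              f"profile {ref!r}, which no template for this firewall defines")
```
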
11-01-2018 07:00 AM - edited 11-01-2018 07:10 AM
Yep! Thanks for your help.
One last question, will this be real time or do I need to schedule it to run? I lied as I have more questions, do I need to apply this log forwarding profile to a security rule? I already have all my logs forwarded to PANORAMA on all of my rules but I am not clear on how log profiles are applied? Across the board or per rule?
11-01-2018 07:37 AM
In my experience, real time. Including the caveats that come with that: you may be turning on an email fire-hose if you set it to email on events that you see hundreds of each minute. Caveat emptor. The firewall is happy to melt your mail queue if you tell it to.
11-01-2018 08:31 AM
Expected, thanks for your help @JW6224
11-01-2018 09:06 AM
@drewdown wrote:
One last question, will this be real time or do I need to schedule it to run? I lied as I have more questions, do I need to apply this log forwarding profile to a security rule? I already have all my logs forwarded to PANORAMA on all of my rules but I am not clear on how log profiles are applied? Across the board or per rule?
Not per-rule. It is a log forward. When you go to the Monitor tab, you will see several logs (Traffic, URL, Threat, etc.) It is forwarding those log entries as you direct in the forwarding rule, when the firewall records each log entry. Does that make sense?
11-02-2018 07:19 AM
I actually tried to do this with Log Correlation on Panorama. In theory it should work great, in practice (on 8.0.9) the filter builder, and possibly the resulting filters, in that part of the GUI doesn't seem to work correctly and also emails aren't always being sent upon a match.
The filter builder outputs slightly different syntax in some cases than what the rest of the system uses. Even if it is the same filter result, I wasn't getting matches despite being able to use the same filter in the Threat Monitor and getting results.
This and some reporting are some areas I really hope improvements are made in some of the newer versions. We have a team that deals with desktop issues and I'd love to be able to send correlated event information for a possible malware infection straight to their ticket queue via email so they can know to go take a look at it.