Real time alerts for threats?

L4 Transporter

Is there such a thing with PAN? I.e., if the logs generate a critical alert, is there some logic to fire an email or generate a report with the relevant information?

All Replies
L2 Linker

Yes.  It's found under Device Groups (in Panorama) under Objects > Log Forwarding.

Link here (PANOS 7.1 - it's the same in PANOS 8).

[Screenshot attachment: ThreatAlerts.png]

L4 Transporter

Thanks, but it won't let me put anything under Email even though I have email profiles configured under Panorama > Server Profiles > Email.

[Screenshot attachment: pan-log-forward-noemail.JPG]

L2 Linker

That's the Email Profile for your Panorama - not the firewalls for which it is managing policies.  Find a similar Email Server Profile under Templates > Device > Server Profiles > Email.

Note:  the Log forwarding is in a Device Group.  The Email Profile is in the Template.  Your targets for both need to match or you will get a commit failure.


L4 Transporter

Targets need to match?  I don't follow. 

L2 Linker

The firewall target of your Device Group must also be in scope for the Template. If you are using shared templates/device groups, just make sure the firewalls that get the Device Groups have templates that have an email profile with the same name.

Does that help?

L4 Transporter

Yeap!  Thanks for your help. 


One last question: will this be real time or do I need to schedule it to run? I lied, as I have more questions: do I need to apply this log forwarding profile to a security rule? I already have all my logs forwarded to PANORAMA on all of my rules, but I am not clear on how log profiles are applied. Across the board or per rule?

L2 Linker

In my experience, real time.  Including the caveats that come with that:  you may be turning on an email fire-hose if you set it to email on events that you see hundreds of each minute.  Caveat emptor.  The firewall is happy to melt your mail queue if you tell it to.
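As an added example (not from this thread or from Palo Alto Networks), the two controls that keep a real-time email forward from becoming the fire-hose described above: a severity threshold and a per-threat suppression window. It runs over a constructed, simplified log sample whose field layout is an assumption, not the real PAN-OS threat log format.

```python
"""Severity filter plus a suppression window for threat-log email alerts.
The sample lines are constructed and use a simplified comma-separated layout
(receive time, severity, threat, source, destination), not PAN-OS's field order."""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2017/05/01 10:00:00,critical,Example Exploit Signature,10.0.0.5,10.0.1.7
2017/05/01 10:00:02,critical,Example Exploit Signature,10.0.0.5,10.0.1.7
2017/05/01 10:00:04,low,Example Informational Event,10.0.0.9,10.0.1.7
2017/05/01 10:00:05,critical,Example Exploit Signature,10.0.0.6,10.0.1.7
2017/05/01 10:00:06,high,Example Spyware Signature,10.0.0.5,10.0.1.8
2017/05/01 10:15:30,critical,Example Exploit Signature,10.0.0.5,10.0.1.7
"""

ALERT_SEVERITIES = {"critical", "high"}  # severities that earn an email at all
SUPPRESS_WINDOW = timedelta(minutes=10)  # one email per threat/target per window


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, severity, threat, src, dst = line.split(",")
    return {"time": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
            "severity": severity, "threat": threat, "src": src, "dst": dst}


def plan_alerts(lines, severities=ALERT_SEVERITIES, window=SUPPRESS_WINDOW):
    """Return (emails, suppressed). Entries below the threshold are dropped;
    the first qualifying hit for a (threat, destination) pair opens a window,
    and repeats inside it only bump that email's repeat counter."""
    open_windows = {}
    emails, suppressed = [], 0
    for line in lines:
        entry = parse_line(line)
        if entry["severity"] not in severities:
            continue
        key = (entry["threat"], entry["dst"])
        prior = open_windows.get(key)
        if prior is not None and entry["time"] - prior["time"] < window:
            prior["repeats"] += 1   # same threat, same target, still in window
            suppressed += 1
            continue
        email = {"time": entry["time"], "repeats": 0,
                 "subject": "[%s] %s -> %s" % (
                     entry["severity"].upper(), entry["threat"], entry["dst"])}
        open_windows[key] = email   # window restarts when a new email goes out
        emails.append(email)
    return emails, suppressed
```

On the sample this yields three emails and two suppressed repeats; the same shaping applies whatever system consumes the forwarded logs, since the firewall itself will send every matching entry.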

L4 Transporter

Expected, thanks for your help @JW6224

L2 Linker

@drewdown wrote:
One last question, will this be real time or do I need to schedule it to run?  I lied as I have more questions, do I need to apply this log forwarding profile to a security rule?  I already have all my logs forwarded to PANORAMA on all of my rules but I am not clear on how log profiles are applied?  Across the board or per rule? 

Not per-rule.  It is a log forward.  When you go to the Monitor tab, you will see several logs (Traffic, URL, Threat, etc.)  It is forwarding those log entries as you direct in the forwarding rule, when the firewall records each log entry.  Does that make sense?