Report-based Logging Without Interfering With Policies

L1 Bithead

Hi PANland, I'm back with another implementation question th

So PAN devices log when you tell them to, but for their reports feature it seems that, with or without logs, they will keep immutable counters of very basic information that has to be parsed anyway to make it through the firewall (i.e. application, source, etc.). Here's my situation: I'm noticing a (possibly) high number of pings in the daily top applications report. However, when I click to see app scope information about pings for that day, the scope comes up blank in all categories.

My assumption is that's because no pings have been logged that day (checking the traffic/threat logs), therefore there's nothing for the system to grab besides counters that are inherently unrelated to one another. Is there any method available such that I can perhaps place a "lens" or policy of some sort to tell the device to log all instances of some basic rule? In this case it would be "application: ping". I'm attempting to figure out a way to do it from policies alone, without changing how our firewall already handles pings and without logging anything extra in the process. Now I'm not a dev, nor do I have any clue how this puppy works outside of what the docs and CLI logs tell me, but I feel there's gotta be a simpler way.

Feel free to correct me in my PANjutsu path if I'm forgetting a feature that handles this specifically.


All Replies
L7 Applicator

Re: Report-based Logging Without Interfering With Policies

Hi,

In the unfiltered ACC dashboard, you will actually get to see 'hardware' counters directly off the dataplane. Once you drill down into a filtered view, you will access the log database and will only be presented with data that has been logged.

Here's a little article about this phenomenon: ACC Shows Different Results After Clearing Filters

If you want to have more custom-tailored reports, please take a look at Getting Started: Custom reports on how to create your own custom reports that only give you the data you want to look at :)

reaper - PANgurus.com
I drink and I know things
L1 Bithead

Re: Report-based Logging Without Interfering With Policies

Right, that's in accordance with what I suspected.

My question and goal lies in this sentence exactly:

@reaper wrote:

in the unfiltered ACC dashboard, you will actually get to see 'hardware' counters directly off the dataplane, once you drill down into a filtered view, you will access the log database and will only be presented with data that has been logged

This is the issue I'm trying to address: it's not that I want to clear out the counters, it's that I want to start logging because of the counters. I understand that you can just flip logging on for a bunch of policies, but ping is not exactly something handled exclusively by policies. Often the policy handles other apps as well. I don't want to log the other apps because that'll lead to quite an increase in average logging.

That's why I want to know if there are any plans for alternate methods for logging, such as logging policies that don't affect blocking/allowing/alerting/dropping.

I'm also still all ears for anyone who can come up with something simpler than trying to come up with a "wrapping policy" that, for over 300 policies, will not be just a side project, just to log all instances of ping for a period of time.

Because once the instances are logged, THEN I can see the reports that I need.

L7 Applicator

Re: Report-based Logging Without Interfering With Policies

That's tricky :)

Besides actually having a security log that applies an action to a set of applications, you can't set a differentiator for logging (in a single security policy, log ping, nolog other stuff).

The only way around could be to set up a NetFlow server and create these logs externally, or create separate security policies for the applications you do want to log and the ones you don't want to log.

You can reach out to your Sales contact so they can create a feature request or have your vote added if this has already been requested.

reaper - PANgurus.com
I drink and I know things
L7 Applicator

Re: Report-based Logging Without Interfering With Policies

Take one of the ports on your firewall and turn it into a TAP port, and place it in a zone called TAP.

Now, have your L2/L3 switch mirror one (or more) firewall interfaces and feed that back into the TAP port on the firewall.

When you want to log all instances of "ping", you can create a policy on your firewall that says "permit from TAP to TAP app=ping with logging enabled".

This comes at the cost of additional firewall CPU utilization, as the firewall will be forced to process the traffic twice.


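The TAP-zone approach from the reply above, written out as PAN-OS configuration-mode commands; this is an added example, not from the original post. The interface name ethernet1/8, the zone name TAP and the rule name Log-Ping-TAP are assumptions.

```panos
# Added example: PAN-OS set commands for a log-only TAP zone.
# Assumptions: spare port ethernet1/8, zone name TAP, rule name Log-Ping-TAP.
configure

# 1. Turn the spare port into a TAP interface and give it its own zone.
#    The switch SPAN/mirror session feeds a copy of the production traffic here.
set network interface ethernet ethernet1/8 tap
set zone TAP network tap ethernet1/8

# 2. Log-only rule. TAP interfaces never forward, so "allow" only means
#    "identify and log"; the production rules that really handle ping are untouched.
set rulebase security rules Log-Ping-TAP from TAP to TAP
set rulebase security rules Log-Ping-TAP source any destination any source-user any
set rulebase security rules Log-Ping-TAP application ping service application-default
set rulebase security rules Log-Ping-TAP action allow
set rulebase security rules Log-Ping-TAP log-start no log-end yes

# Everything else on the mirror falls through to intrazone-default
# (allow, logging off by default), so no other apps add log volume.
commit

# Check: new traffic logs should be ping from the TAP zone only,
# while the CPU cost is the second pass over the mirrored traffic.
show log traffic query equal "(zone.src eq TAP) and (app eq ping)" direction equal backward
```

Once the report period is over, disabling or deleting Log-Ping-TAP stops the extra logging without any change to the production rulebase.
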
L1 Bithead

Re: Report-based Logging Without Interfering With Policies

Hey guys,

Thanks for the advice and ideas! I'll put in a request to support to consider this in the future. I'll look into the TAP solution as a means for now (though you're right, it will up computational costs), as that didn't even cross my mind.

Anyone reading this thread can feel free to continue the conversation as I'll be linking this in my support request.
