Report-based Logging Without Interfering With Policies

Report-based Logging Without Interfering With Policies


Hi PANland, I'm back with another implementation question th

 

So PAN devices log when you tell them to, but for their reports feature it seems that, with or without logs, they will keep immutable counters of very basic information that has to be parsed anyway to make it through the firewall (i.e. application, source, etc.). Here's my situation: I'm noticing a (possibly) high number of pings in the daily top applications report. However, when I click to see app scope information about pings for that day, the scope comes up blank in all categories.

 

My assumption is that that's because no pings have been logged that day (checking the traffic/threat logs), therefore there's nothing for the system to grab besides counters that are inherently unrelated to one another. Is there any method available such that I can perhaps place a "lens" or policy of some sort to tell the device to log all instances of some basic rule? In this case it would be "application: ping". I'm attempting to figure out a way to do it from policies alone, without changing how our firewall already handles pings and without logging anything extra in the process. Now, I'm not a dev, nor do I have any clue how this puppy works outside of what the docs and CLI logs tell me, but I feel there's gotta be a simpler way.

 

Feel free to correct me in my PANjutsu path if I’m forgetting a feature that handles this specifically.


Accepted Solutions

Take one of the ports on your firewall and turn it into a TAP port, and place it in a zone called TAP.  

 

Now, have your L2/L3 switch mirror one (or more) firewall interfaces and feed that back into the TAP port on the firewall.

 

When you want to log all instances of "ping", you can create a policy on your firewall that says "permit from TAP to TAP app=ping with logging enabled".

 

This comes at the cost of additional firewall CPU utilization, as the firewall will be forced to process the traffic twice.  
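The TAP-zone setup described above, written out as PAN-OS configuration-mode CLI set commands. This is an added example, not configuration from the original post: the interface name ethernet1/8, the zone name TAP and the rule name Log-Ping-TAP are assumptions, and the switch-side mirror (SPAN) session that feeds the tap port is left to the switch. Because the rule's zone pair is TAP to TAP, it can only ever match mirrored traffic, so the existing rules that handle real ping traffic are untouched and nothing extra is logged on them.

```text
# Added example (assumed names). PAN-OS CLI, configuration mode.
configure

# 1. Turn a spare interface into a tap port and put it in its own zone.
set network interface ethernet ethernet1/8 tap
set zone TAP network tap ethernet1/8

# 2. Log every ping that arrives on the mirror. "from TAP to TAP" means this
#    rule can only match mirrored traffic, never production traffic. The action
#    is "allow" so that App-ID keeps tracking the session; on a tap interface
#    nothing is ever forwarded, so the action has no effect on the real path.
set rulebase security rules Log-Ping-TAP from TAP to TAP source any destination any source-user any application ping service any action allow log-start no log-end yes

# Every other application seen on the mirror is TAP to TAP as well, so it
# falls through to the intrazone-default rule, which allows and does not log
# by default: extra dataplane work, but no extra log volume.

commit
exit

# 3. Verify from operational mode that ping sessions are being seen.
show session all filter application ping
```

Two practical notes. The mirror must be taken from the firewall interface (or VLAN) that actually carries the ping traffic you see in the counters, otherwise the TAP zone sees nothing. And every mirrored flow is a second session on the dataplane, so watch session-table utilization as well as CPU for the period the mirror is active; when the investigation is done, disabling the SPAN session on the switch stops the extra load without touching the firewall config.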



Hi

 

In the unfiltered ACC dashboard you will actually get to see 'hardware' counters directly off the dataplane. Once you drill down into a filtered view, you will access the log database and will only be presented with data that has been logged.

 

here's a little article about this phenomenon: ACC Shows Different Results After Clearing Filters

 

If you want to have more custom-tailored reports, please take a look at Getting Started: Custom reports on how to create your own custom reports that only give you the data you want to look at 🙂

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Right, that's in accordance with what I suspected.

 

My question and goal lies in this sentence exactly:

 

@reaper wrote:

In the unfiltered ACC dashboard you will actually get to see 'hardware' counters directly off the dataplane. Once you drill down into a filtered view, you will access the log database and will only be presented with data that has been logged.
This is the issue I'm trying to address: it's not that I want to clear out the counters, it's that I want to start logging because of the counters. I understand that you can just flip logging on for a bunch of policies, but ping is not exactly something handled exclusively by policies. Often the policy handles other apps as well. I don't want to log the other apps because that'll lead to quite an increase in average logging.

That's why I want to know if there are any plans for alternate methods for logging, such as logging policies that don't affect blocking/allowing/alerting/dropping.

 

I'm also still all ears for anyone who can come up with something simpler than a "wrapping policy" that, across over 300 policies, would be more than just a side project, just to log all instances of ping for a period of time.

 

Because once the instances are logged, THEN I can see the reports that I need.

That's tricky 🙂

 

Besides actually having a security policy that applies an action to a set of applications, you can't set a differentiator for logging (in a single security policy, log ping, no-log other stuff).

 

The only ways around it would be to set up a NetFlow server and create these logs externally, or to create separate security policies for the applications you do want to log and the ones you don't want to log.

 

You can reach out to your Sales contact so they can create a feature request or have your vote added if this has already been requested.

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


Hey guys,

 

Thanks for the advice and ideas! I'll put in a request to support to consider this in the future. I'll look into the TAP solution as a means for now (though you're right, it will raise computational costs), as that didn't even cross my mind.

 

Anyone reading this thread can feel free to continue the conversation as I'll be linking this in my support request.
