Rules check by logs with expedition

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Rules check by logs with expedition

L4 Transporter

Hello,

 

For one of our client , using PA 850 in cluster,

 

They have 8 zones for voip , printer , camera etc

 

And all the security policies are wide open.

 

Now we want to restrict the policy by looking at logs from each zone towars other.

 

Can we export logs from panorama to expedition to see or analyse it ? 

 

Or what is best approach to do reverse engineering and implement the specific rules between zones.

3 REPLIES 3

L2 Linker

Hi,

 

you can go with this filter so see respective logs.

 

Monitor > Logs > Traffic > ( zone.src eq SRC_ZONE) and ( zone.dst eq DST_ZONE )

 

You can export the output shown into an CSV file.

 

palo_logs.png

 

Based on this output normally a good approach, in my opinion, is:

 

- setup an application group with apps you want to allow (good apps)

- setup an application group with apps you do not want to allow (bad apps),

- set up a policy with "application" = application group good apps, set it do allow, enable logging at session end

- set up a policy with "application" = application group bad apps, set it to deny or drop (whatever suits your setup), enable logging at session end

- set up a policy with "application" = any, set it to allow, enable logging at session end

 

Continually monitor this rules and fine tune your policy. In Policies > Name column > hover over policy name > triangle icon > log viewer. Later on it might become more difficult because with a single "allow rule" you will be forced to decide for a service (any/select/app default). In case of you need different ports other than "app-default" you need to add a specific policy.

 

Hope that helps.

Kind regards,
René
// If you like my answer force commit it.

@Rene_Boehme  thanks .this is indeed a better approach.

 

I will see if expedition automates it 

Good luck. Let us know if anything is missing.

Kind regards,
René
// If you like my answer force commit it.
  • 2106 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!