For one of our client , using PA 850 in cluster,
They have 8 zones for voip , printer , camera etc
And all the security policies are wide open.
Now we want to restrict the policy by looking at logs from each zone towars other.
Can we export logs from panorama to expedition to see or analyse it ?
Or what is best approach to do reverse engineering and implement the specific rules between zones.
you can go with this filter so see respective logs.
Monitor > Logs > Traffic > ( zone.src eq SRC_ZONE) and ( zone.dst eq DST_ZONE )
You can export the output shown into an CSV file.
Based on this output normally a good approach, in my opinion, is:
- setup an application group with apps you want to allow (good apps)
- setup an application group with apps you do not want to allow (bad apps),
- set up a policy with "application" = application group good apps, set it do allow, enable logging at session end
- set up a policy with "application" = application group bad apps, set it to deny or drop (whatever suits your setup), enable logging at session end
- set up a policy with "application" = any, set it to allow, enable logging at session end
Continually monitor this rules and fine tune your policy. In Policies > Name column > hover over policy name > triangle icon > log viewer. Later on it might become more difficult because with a single "allow rule" you will be forced to decide for a service (any/select/app default). In case of you need different ports other than "app-default" you need to add a specific policy.
Hope that helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!