Rules check by logs with expedition

Hello,

For one of our clients, using a PA-850 in a cluster,

they have 8 zones for VoIP, printer, camera, etc.

And all the security policies are wide open.

Now we want to restrict the policy by looking at logs from each zone towards the others.

Can we export logs from Panorama to Expedition to see or analyse them?

Or what is the best approach to do reverse engineering and implement the specific rules between zones?


Hi,

You can go with this filter to see the respective logs:

Monitor > Logs > Traffic > (zone.src eq SRC_ZONE) and (zone.dst eq DST_ZONE)

You can export the output shown into a CSV file.
Based on this output, a good approach, in my opinion, is normally:

- set up an application group with the apps you want to allow (good apps)
- set up an application group with the apps you do not want to allow (bad apps)
- set up a policy with "application" = application group good apps, set it to allow, enable logging at session end
- set up a policy with "application" = application group bad apps, set it to deny or drop (whatever suits your setup), enable logging at session end
- set up a policy with "application" = any, set it to allow, enable logging at session end

Continually monitor these rules and fine-tune your policy. In Policies > Name column > hover over the policy name > triangle icon > log viewer. Later on it might become more difficult, because with a single "allow rule" you will be forced to decide on a service (any/select/app-default). In case you need different ports other than "app-default", you need to add a specific policy.

Hope that helps.

Kind regards,
René
// If you like my answer force commit it.
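Once the logs for a zone pair are exported to CSV, the sorting into "good apps" and "apps to review" described above can be scripted. The following is an added example, not code from the original post, from PAN-OS or from Expedition; it assumes the export uses the column headers "Source Zone", "Destination Zone", "Application" and "Destination Port", and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a traffic-log CSV export filtered on a few zone pairs
# (column names are assumed to match the web UI export; adjust if yours differ).
SAMPLE_CSV = """Source Zone,Destination Zone,Application,Destination Port,Action
voip,servers,sip,5060,allow
voip,servers,sip,5060,allow
voip,servers,rtp,16384,allow
printer,servers,lpd,515,allow
printer,servers,ssl,443,allow
camera,servers,rtsp,8554,allow
camera,servers,rtsp,554,allow
camera,servers,smtp,25,allow
"""

def summarize_zone_pairs(csv_text):
    """Return {(src_zone, dst_zone): {app: {dst_port: session_count}}}."""
    summary = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Source Zone"], row["Destination Zone"])
        summary[key][row["Application"]][row["Destination Port"]] += 1
    return summary

def candidate_rules(summary, min_sessions=2):
    """Per zone pair, apps seen at least min_sessions times become the
    'good apps' group candidates; rarer apps are listed for manual review.
    Returns {(src, dst): {"allow": [...], "review": [...]}}."""
    rules = {}
    for pair, apps in summary.items():
        allow, review = [], []
        for app, ports in sorted(apps.items()):
            total = sum(ports.values())
            (allow if total >= min_sessions else review).append(app)
        rules[pair] = {"allow": allow, "review": review}
    return rules

def multi_port_apps(summary):
    """Apps seen on more than one destination port for a zone pair: these are
    the ones where service = app-default may not be enough (see the note above)."""
    return {pair: sorted(app for app, ports in apps.items() if len(ports) > 1)
            for pair, apps in summary.items()}

if __name__ == "__main__":
    for pair, rule in candidate_rules(summarize_zone_pairs(SAMPLE_CSV)).items():
        print(f"{pair[0]} -> {pair[1]}: allow={rule['allow']} review={rule['review']}")
```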

@Rene_Boehme thanks. This is indeed a better approach.

I will see if Expedition automates it.


Good luck. Let us know if anything is missing.

Kind regards,
René
// If you like my answer force commit it.