This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Rules check by logs with expedition

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Rules check by logs with expedition

FWPalolearner
L4 Transporter

‎10-01-2020 12:30 AM

Hello,

 

For one of our client , using PA 850 in cluster,

 

They have 8 zones for voip , printer , camera etc

 

And all the security policies are wide open.

 

Now we want to restrict the policy by looking at logs from each zone towars other.

 

Can we export logs from panorama to expedition to see or analyse it ? 

 

Or what is best approach to do reverse engineering and implement the specific rules between zones.

0 Likes Likes
3 REPLIES 3

Rene_Boehme
L2 Linker

‎10-01-2020 03:47 AM - edited ‎10-01-2020 03:51 AM

Hi,

 

you can go with this filter so see respective logs.

 

Monitor > Logs > Traffic > ( zone.src eq SRC_ZONE) and ( zone.dst eq DST_ZONE )

 

You can export the output shown into an CSV file.

 

palo_logs.png

 

Based on this output normally a good approach, in my opinion, is:

 

- setup an application group with apps you want to allow (good apps)

- setup an application group with apps you do not want to allow (bad apps),

- set up a policy with "application" = application group good apps, set it do allow, enable logging at session end

- set up a policy with "application" = application group bad apps, set it to deny or drop (whatever suits your setup), enable logging at session end

- set up a policy with "application" = any, set it to allow, enable logging at session end

 

Continually monitor this rules and fine tune your policy. In Policies > Name column > hover over policy name > triangle icon > log viewer. Later on it might become more difficult because with a single "allow rule" you will be forced to decide for a service (any/select/app default). In case of you need different ports other than "app-default" you need to add a specific policy.

 

Hope that helps.

Kind regards,
René
// If you like my answer force commit it.
0 Likes Likes

FWPalolearner
L4 Transporter
In response to Rene_Boehme

‎10-01-2020 05:29 AM

@Rene_Boehme  thanks .this is indeed a better approach.

 

I will see if expedition automates it 

0 Likes Likes

Rene_Boehme
L2 Linker
In response to FWPalolearner

‎10-01-2020 10:24 AM

Good luck. Let us know if anything is missing.

Kind regards,
René
// If you like my answer force commit it.
0 Likes Likes
  • 2399 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks