06-02-2015 11:45 AM
I have everything configured to send syslog information from the Palo Alto to one of our syslog servers. My issue is that none of the security policy IP ranges allows me to send the syslog information for a specific IP address that is going out to the internet, at least that I can find. Any ideas would be appreciated.
06-02-2015 05:28 PM
I'm not sure I understand the question.
Syslog traffic will source from your mgmt interface and IP address.
Is your syslog server out the internet side of your Palo Alto then?
You would need a policy that permits your mgmt address out to untrust and probably a NAT policy to the interface address for the traffic as well.
06-03-2015 05:34 AM
What I am saying is that I had no problem configuring syslog to a Linux server I have. The issue is that I want to track a specific IP address, so I want to collect the traffic from an internal IP address to the internet, and I want to know if there is a way to be that granular. I have created my syslog forwarder and now I am going through the security policies and adding it as an action to forward the logs to my syslog server, but I am getting a lot more information than I want. Instead of a range of 136.155.x.0-136.155.x.254 I only want the information coming from 136.155.0.64 to the internet to be captured and forwarded to the syslog server.
06-03-2015 11:13 AM
No, I am forwarding from the PA logs to an external log server.
06-03-2015 11:35 AM
My 2 cents, and I am pretty sure you would have done it, but to make sure:
Please have a standalone syslog server, create a security policy that specifically works on the interested IP address and then forward it to the syslog server.
With that you should only see the traffic generated by that particular IP.
Regards,
~Harry
06-03-2015 11:47 AM
Hi Harry,
Yes, I had been thinking that very thing.
I have a security policy that has that IP and a wide range of IPs in it. I was considering creating a security policy with that specific IP address I want to monitor and put it above the current one. What I don't know is what that will do to my traffic: will it just say that the rules are shadowing each other, or will it interrupt traffic or anything else negative?
06-03-2015 12:27 PM
Hi,
Thanks. If you put that above the rest of the traffic, it should not affect anything else; Palo would simply see it as another ACL.
You may get a warning when committing that the rules are shadowing, but it's fair to live with.
If your bottom rules have a broader IP range, like a subnet, and the above rule has just an IP, it should not show that warning, too.
Let me know how it goes.
Regards,
~Harry
06-03-2015 12:32 PM
Have you ever known of anyone who tried to be this granular in the collection of logs?
06-06-2015 06:11 AM
Typically we gather all the syslog data to the syslog server, then use that server's reporting feature to pull out the information on the specific IP address across all systems that are logging, rather than only logging for one IP address in traffic.
06-08-2015 05:47 AM
This is how my management has requested it be done, and how our PA rep said it could be done, so we are trying it.
06-08-2015 03:26 PM
jprovine wrote:
Yes, I had been thinking that very thing.
I have a security policy that has that IP and a wide range of IPs in it. I was considering creating a security policy with that specific IP address I want to monitor and put it above the current one. What I don't know is what that will do to my traffic: will it just say that the rules are shadowing each other, or will it interrupt traffic or anything else negative?
You will need to be careful about shadowing rules with this approach. And you are correct that to only syslog for these particular addresses you will need to isolate them to their own rules. Then the log portion of the rule will contain your syslog server, but none of your other rules will contain this log forwarding profile.
If you create the rule too broadly you can give this user or segment more access than they should have, so be careful with the rule construction.
The safest approach would be to clone every rule this address may match and make the first of the two rules only have this IP address as the source or destination, with the rest of the rule the same.
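A small model of the rule-order check discussed above, added here as an illustration and not part of the thread or of PAN-OS itself: it evaluates a rulebase top-down the way the firewall does, reports which rule (and therefore which log forwarding profile) a host's traffic hits, and flags rules that are fully covered by an earlier rule. The subnet 136.155.0.0/24, the host 136.155.0.64 and the rule and profile names are constructed values standing in for the anonymised ones in the posts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    sources: Tuple                      # ip_network objects; empty tuple means "any"
    action: str                         # "allow" / "deny"
    log_forwarding: Optional[str] = None  # log forwarding profile name; None = no syslog

def _matches(rule: Rule, ip) -> bool:
    return not rule.sources or any(ip in net for net in rule.sources)

def first_match(rulebase, ip: str) -> Optional[Rule]:
    """Top-down, first match wins: only this rule's log forwarding profile applies."""
    addr = ip_address(ip)
    return next((r for r in rulebase if _matches(r, addr)), None)

def _covers(earlier: Rule, later: Rule) -> bool:
    """True when every source of `later` is contained in `earlier`'s sources."""
    if not earlier.sources:
        return True
    if not later.sources:
        return False
    return all(any(n.subnet_of(m) for m in earlier.sources) for n in later.sources)

def shadowed(rulebase):
    """(rule, shadowing rule) pairs: the first can never match because the second is above it."""
    found = []
    for i, rule in enumerate(rulebase):
        cover = next((e for e in rulebase[:i] if _covers(e, rule)), None)
        if cover is not None:
            found.append((rule.name, cover.name))
    return found

# Constructed rules: the narrow /32 rule carries the syslog profile, the broad /24 rule does not.
MONITOR = Rule("monitor-host64", (ip_network("136.155.0.64/32"),), "allow", "syslog-host64")
USERS_OUT = Rule("users-out", (ip_network("136.155.0.0/24"),), "allow", None)
SAFE_ORDER = [MONITOR, USERS_OUT]   # narrow above broad: no shadowing, host is logged
WRONG_ORDER = [USERS_OUT, MONITOR]  # broad above narrow: narrow rule never matches

if __name__ == "__main__":
    for name, rb in (("safe", SAFE_ORDER), ("wrong", WRONG_ORDER)):
        hit = first_match(rb, "136.155.0.64")
        print(name, "->", hit.name, "profile:", hit.log_forwarding, "shadowed:", shadowed(rb))
```

Run the check against the real rulebase order before committing; a commit-time shadow warning means the narrow rule is below the broad one and its profile will never fire.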
06-09-2015 05:54 AM
I configured it and got it working with no shadowing and without compromising security.
06-09-2015 02:22 PM
Glad to hear you have it all worked out.