I have everything configured to send syslog information from the Palo Alto to one of our syslog servers. My issue is that none of the security policy IP ranges allows me to send the syslog information for a specific IP address that is going out to the internet, at least not that I can find. Any ideas would be appreciated.
I'm not sure I understand the question.
Syslog traffic will source from your mgmt interface and IP address.
Is your syslog server out the internet side of your Palo Alto then?
You would need a policy that permits your mgmt address out to untrust, and probably a NAT policy to the interface address for the traffic as well.
What I am saying is that I had no problem configuring syslog to a Linux server I have. The issue is that I want to track a specific IP address, so I want to collect the traffic from an internal IP address to the internet, and I want to know if there is a way to be that granular. I have created my syslog forwarder and now I am going through the security policies and adding it as an action to forward the logs to my syslog server, but I am getting a lot more information than I want. Instead of a range of 136.155.x.0-136.155.x.254, I only want the information coming from 126.96.36.199 to the internet to be captured and forwarded to the syslog server.
My 2 cents, and I am pretty sure you would have done it, but to make sure:
Please have a standalone syslog server, create a security policy that specifically matches the IP address you are interested in, and then forward it to the syslog server.
With that you should only see the traffic generated by that particular IP.
Yes, I had been thinking that very thing.
I have a security policy that has that IP and a wide range of IPs in it. I was considering creating a security policy with that specific IP address I want to monitor and putting it above the current one. What I don't know is what that will do to my traffic: will it just say that the rules are shadowing each other, or will it interrupt traffic or anything else negative?
Thanks. If you put that above the rest of the traffic, it should not affect anything else; Palo would simply see it as another ACL.
You may get a warning when committing that the rules are shadowing, but it's fair to live with.
If your bottom rules have a broader IP range, like a subnet, and the above rule has just an IP, it should not show that warning either.
Let me know how it goes.
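To make the ordering advice above concrete, here is an added example (not code from the thread or from Palo Alto Networks) that models how a first-match rulebase evaluates a host-specific rule placed above or below a broader one, which rule's Log Forwarding profile a given source IP would hit, and which rules are fully shadowed. The rule names, the `fwd-syslog` profile name and the RFC 5737 addresses are constructed, and the shadow check is a deliberate simplification of the firewall's own (it only compares source addresses, and only against single earlier intervals, not unions of them).

```python
"""Model first-match evaluation and shadow detection for a Palo Alto-style
security rulebase. Added illustration, not PAN-OS code. Address objects below
are constructed from the RFC 5737 documentation range."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Interval = Tuple[int, int]  # inclusive start/end as integers


def parse_address(text: str) -> Interval:
    """Accept a single host, a CIDR prefix, or a PAN-OS style 'start-end' range."""
    if "-" in text:
        lo, hi = (int(ipaddress.ip_address(p.strip())) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"inverted range: {text}")
        return lo, hi
    net = ipaddress.ip_network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)


@dataclass
class Rule:
    name: str
    sources: List[Interval]
    action: str = "allow"
    log_forwarding: Optional[str] = None  # Log Forwarding profile attached to the rule, if any


def make_rule(name: str, sources: List[str], action: str = "allow",
              log_forwarding: Optional[str] = None) -> Rule:
    return Rule(name, [parse_address(s) for s in sources], action, log_forwarding)


def first_match(rules: List[Rule], src: str) -> Optional[Rule]:
    """Top-down first match on source address, as the firewall evaluates the rulebase."""
    ip = int(ipaddress.ip_address(src))
    for rule in rules:
        if any(lo <= ip <= hi for lo, hi in rule.sources):
            return rule
    return None


def forwarding_for(rules: List[Rule], src: str) -> Optional[str]:
    """Which Log Forwarding profile (if any) traffic from src would be logged under."""
    rule = first_match(rules, src)
    return rule.log_forwarding if rule else None


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because every one of their source
    intervals sits inside a single interval of some earlier rule.
    Simplification: ignores unions of earlier rules and every other match
    field (zones, destination, application, service)."""
    out = []
    for i, rule in enumerate(rules):
        earlier = [iv for r in rules[:i] for iv in r.sources]
        if rule.sources and all(
            any(elo <= lo and hi <= ehi for elo, ehi in earlier) for lo, hi in rule.sources
        ):
            out.append(rule.name)
    return out


# Constructed rulebase: the host-specific rule carries the syslog forwarding
# profile; the broad LAN rule below it does not.
MONITOR = make_rule("monitor-host", ["192.0.2.10"], log_forwarding="fwd-syslog")
LAN_OUT = make_rule("lan-out", ["192.0.2.0-192.0.2.254"])
GOOD_ORDER = [MONITOR, LAN_OUT]   # specific rule on top, as recommended
BAD_ORDER = [LAN_OUT, MONITOR]    # specific rule underneath: never matched

if __name__ == "__main__":
    for order, label in ((GOOD_ORDER, "specific rule on top"), (BAD_ORDER, "specific rule below")):
        print(label)
        for src in ("192.0.2.10", "192.0.2.20"):
            hit = first_match(order, src)
            print(f"  {src} -> {hit.name if hit else None}, forwarding: {forwarding_for(order, src)}")
        print("  shadowed:", shadowed_rules(order))
```

With the host rule on top, only 192.0.2.10 is logged under `fwd-syslog` and the rest of the subnet still matches `lan-out` unchanged; with the order reversed, the host rule is fully shadowed and the commit-time shadow warning is telling you the forwarding will never fire. On the firewall itself the profile is attached in the rule's Actions tab, and the session has to be logged (Log at Session End) for anything to be forwarded at all.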