Assuming you will be doing this locally on your firewall (not Panorama) the steps are somewhat straightforward. There are several community articles and videos on the subject. Of course, you will also need to enable logging on the relevant security policy rules as well before you will have any log data to run reports against.
https://live.paloaltonetworks.com/t5/Tutorials/Getting-Started-Custom-Reports/ta-p/69951
https://live.paloaltonetworks.com/t5/Management-Articles/Create-a-Custom-Report/ta-p/55143
You'll want to build something similar to the example report below but you will need to play with it until you're capturing exactly what you'd like. Please be sure to include a query to match on the relevant security policy rules.
Here are the set commands from my example report:
set shared reports IPBL-Report type traffic sortby repeatcnt
set shared reports IPBL-Report type traffic group-by day-of-receive_time
set shared reports IPBL-Report type traffic aggregate-by [ rule from src sport srcloc to dst dport dstloc action ]
set shared reports IPBL-Report type traffic values repeatcnt
set shared reports IPBL-Report period last-24-hrs
set shared reports IPBL-Report topn 100
set shared reports IPBL-Report topm 50
set shared reports IPBL-Report caption IPBL-Report
set shared reports IPBL-Report query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')"
set shared reports IPBL-Report description "PAN Dynamic IP Lists"
And the XML:
reports {
IPBL-Report {
type {
traffic {
sortby repeatcnt;
group-by day-of-receive_time;
aggregate-by [ rule from src sport srcloc to dst dport dstloc action];
values repeatcnt;
}
}
period last-24-hrs;
topn 100;
topm 50;
caption IPBL-Report;
query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')";
description "PAN Dynamic IP Lists";
}
}
