Palo Alto EDU 110: Monitoring and Reporting

Objectives:

Create an interactive, graphical summary of the applications with the ACC

Export policy rules, objects, and IPS signatures using the configuration table export

Create a predefined report to view traffic statistics for the previous day

Describe how log files are forwarded to an external source

Configure a Server Profile to forward logs to a syslog server

Filters

Local Filters

Applying a local filter allows interaction with a graph and customises the display so details can be seen and information can be accessed on a specific widget.

The local filter is persistent across reboots

Global Filters

A global filter limits the display to the details the administrator wishes to see, removing unrelated information from the display.

An example is that all events related to a specific user and application can be displayed. The user's IP address or username and the application can be applied as a global filter, so that only information regarding that user and application is displayed through all tabs and widgets on the ACC. Global filters are not persistent.

Global Filters can be applied in three ways:

  • Set a global filter from the table. Select an attribute from the table in any widget and apply the attribute as a global filter
  • Promote a local filter to a global filter. Allows you to take a local filter, which can be an attribute in a single graph or table in a widget, and apply that attribute globally. When the local filter is replicated to a global filter, the display is updated across all tabs on the ACC.
  • Define a global filter using the Global Filters pane on the ACC.

Session Browser

Selecting Monitor -> Session Browser allows the administrator to browse and filter sessions that are currently active on the firewall.

Configuration Table Export

Starting with PAN-OS 8.1, policy rules, objects, and IPS signatures from Panorama and firewalls can be exported to demonstrate regulatory compliance to external auditors, to conduct periodic reviews of firewall configuration, and to generate reports about firewall policies.

Auditors no longer need direct access to firewalls to take screenshots, or to use the XML API to generate configuration reports.

From the web interface, configuration data for policies, objects, network, and devices can be exported, plus Panorama configurations and the exceptions in antivirus, antispyware, and vulnerability protection.

Configuration table export works like a printout; generated files cannot be imported back into the firewall.

The data that is viewed on the web interface is exported into a CSV or PDF format.

Filters can be applied and matched with the report criteria, and searching within PDF reports allows data to be found quickly.

Every time configuration data is exported, a system log is generated to record the event.

Types of Reports

Predefined Reports

Over 40 reports including Applications, Traffic, Threat and URL Filtering

Botnet Reports

Behavior-based mechanisms to identify potentially infected hosts

Custom Reports

With the query builder

PDF Summary Reports

Aggregated reports

User or group-activity reports

Includes URL categories and browse-time calculations

Report groups

Compile reports into a single emailed PDF

User or Group Activity Reports

  1. Select Monitor -> PDF Reports -> User Activity Report
  2. Click Add and then enter a name for the report
  3. Create the report:
    1. For a User Activity report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user who will be the subject of the report
    2. For a Group Activity report: Select Group and select the Group Name from which to retrieve user group information in the report
    3. For a Custom User or Group Activity report: Select Filter Builder and select the appropriate Connector, Attribute, Operator, and Value for the report
  4. Select the time period for the report from the drop down list.
    1. It should be noted that the number of logs that are analysed in a user activity report is determined by the number of rows defined on the Max Rows in User Activity Report on the Logging and Reporting Settings section in Device -> Setup -> Management
  5. Select Include Detailed Browsing to include detailed URL logs in the report.
    1. The detailed browsing information can include a large volume of logs (thousands of logs) for the selected user or user group and can make the report very large
  6. To run the report on demand, click Run Now
  7. To save the report, click OK
    1. User/Group Activity reports cannot be saved on the firewall

PDF Summary Reports

PDF summary reports contain information compiled from existing reports based on the data for the top five in each category.

PDF summary reports also provide trend charts that are not available in other reports

Report Groups

Report groups enable a set of reports to be created that the firewall can compile and send as a single aggregate PDF report with an optional title page and all constituent reports included.

Exporting Current Listing to CSV

To export the current log listing to CSV, select the Export to CSV icon.

Exporting the log listing to CSV format generates a CSV of up to 65,535 logs.

To change this limit, use the Max Rows in CSV Export field on the Log Export and Reporting subtab. Select Device -> Setup -> Management -> Logging and Reporting Settings.

Scheduled Log Export

A daily export of logs can be sent to an FTP or SCP server in CSV format.

Traffic, Threat, URL, Data Filtering, HIP Match, and WildFire logs can be exported.

After the first export, only logs collected since the last export will be sent in the next export.

The log file also includes logs of the last calendar day.

Forwarding Logs to External Sources

The firewall provides logs that record configuration changes, system events, security threats and traffic flows.

Logs can be forwarded to a Panorama management appliance, which can generate SNMP traps or syslog messages and send e-mail notifications.

The firewall can also forward logs using HTTP/HTTPS. This capability allows the firewall to integrate with external systems that provide an HTTP-based API and trigger automated actions when a specific event occurs on the firewall.

Logs most commonly are sent to Panorama or to an external syslog server for long-term storage and analysis.

Panorama provides the ability to manage a distributed network of Palo Alto Networks firewalls from a centralised location where the administrator can:

  • View all firewall traffic
  • Manage all aspects of device configuration
  • Push global policies
  • Generate reports about traffic patterns or security incidents

Panorama is available as a dedicated management appliance known as the M-100 or M-500, or as a virtual appliance.

If the M-100 is used as a log collector, its maximum storage is 7 terabytes.

The M-500 supports up to 24 terabytes

Cortex Data Lake

Cortex Data Lake provides cloud-based, centralised log storage and aggregation for on-premises, virtual, private cloud, and public cloud firewalls, plus GlobalProtect Cloud Service.

Panorama provides the interface for all logs stored in Cortex Data Lake.

From Panorama, an aggregated view of all logs can be observed, and reports, log analysis, and forensics can be generated from this logged data.

Cortex Data Lake also provides isolation of data from other customers, avoiding cross-contamination of logged data.

Data redundancy is maintained through storage of multiple copies of the log database to ensure access when needed.

Current Cortex Data Lake facilities are in two regions, North America and Europe.

The region to which log data is forwarded can be configured.

Syslog Overview

Syslog is a standard log transport mechanism that enables aggregation of log data from different network devices such as routers, firewalls, and printers from different vendors into a central repository for archive, analysis, and reporting.

Syslog log forwarding can be used to forward logs to a security information and event manager (SIEM).

Many SIEM vendors and models are compatible with PAN-OS software.

Syslog can be transported over UDP, TCP, or SSL with authentication.
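As an added example (not part of the course notes), a small collector-side parser for syslog lines forwarded by the firewall: it separates the syslog header from the comma-separated PAN-OS body, decodes the PRI value into facility and severity, and groups TRAFFIC logs by source user in the way a user global filter narrows the ACC. The field order after the five common fields is my assumption based on the PAN-OS 8.1 TRAFFIC syslog field list (check your release's documentation), and the sample lines are constructed.

```python
import csv
import re
from collections import defaultdict
from io import StringIO

# RFC 3164-style header the firewall prepends: <PRI>Mmm dd hh:mm:ss hostname, then the CSV body
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$")

# The first five CSV fields are common to every log type; the rest are the leading TRAFFIC
# fields in the order assumed from the PAN-OS 8.1 syslog field list (verify for your release).
COMMON_FIELDS = ["future_use", "receive_time", "serial", "type", "subtype"]
TRAFFIC_FIELDS = COMMON_FIELDS + ["future_use2", "generated_time", "src_ip", "dst_ip",
                                  "nat_src_ip", "nat_dst_ip", "rule", "src_user",
                                  "dst_user", "app"]

def parse_line(line):
    """Split the syslog header from the CSV body and decode PRI into facility/severity."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    pri = int(m.group("pri"))
    # csv.reader honours the double quotes placed around values that contain commas
    fields = next(csv.reader(StringIO(m.group("body"))))
    rec = {"facility": pri >> 3, "severity": pri & 7,
           "host": m.group("host"), "timestamp": m.group("ts")}
    names = TRAFFIC_FIELDS if len(fields) > 3 and fields[3] == "TRAFFIC" else COMMON_FIELDS
    rec.update(zip(names, fields))  # trailing fields beyond the mapped names are ignored
    return rec

def by_user(records):
    """Group TRAFFIC records by source user, like a user global filter on the ACC."""
    out = defaultdict(lambda: {"sessions": 0, "apps": set()})
    for r in records:
        if r.get("type") != "TRAFFIC":
            continue  # SYSTEM, CONFIG, THREAT etc. have a different field layout
        entry = out[r["src_user"] or "unknown"]
        entry["sessions"] += 1
        entry["apps"].add(r["app"])
    return dict(out)

# Constructed sample lines (not real device output); the rule name shows a quoted comma
SAMPLE_LINES = [
    '<14>Jan  3 10:15:01 PA-VM 1,2024/01/03 10:15:00,007200001234,TRAFFIC,end,2560,'
    '2024/01/03 10:15:00,10.1.1.25,203.0.113.10,198.51.100.5,203.0.113.10,"allow web, dns",'
    'acme-jdoe,,web-browsing,vsys1,trust,untrust',
    '<14>Jan  3 10:15:02 PA-VM 1,2024/01/03 10:15:01,007200001234,TRAFFIC,end,2560,'
    '2024/01/03 10:15:01,10.1.1.25,203.0.113.53,198.51.100.5,203.0.113.53,"allow web, dns",'
    'acme-jdoe,,dns,vsys1,trust,untrust',
    '<14>Jan  3 10:15:03 PA-VM 1,2024/01/03 10:15:02,007200001234,TRAFFIC,end,2560,'
    '2024/01/03 10:15:02,10.1.1.40,203.0.113.10,198.51.100.5,203.0.113.10,"allow web, dns",'
    'acme-asmith,,web-browsing,vsys1,trust,untrust',
    '<14>Jan  3 10:16:00 PA-VM 1,2024/01/03 10:16:00,007200001234,SYSTEM,general,0,'
    '2024/01/03 10:16:00,vsys1,general',
]

if __name__ == "__main__":
    for user, info in by_user([parse_line(l) for l in SAMPLE_LINES]).items():
        print(user, info["sessions"], sorted(info["apps"]))
```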

SNMP Monitoring Overview

If the SNMP manager is on a non-management interface, allow SNMP on the interface management profile for that interface and create a service route for SNMP to use that interface.

Creating an SNMP Traps Server Profile

SNMPv2:

Trap Repository Address

Community String

SNMPv3:

Username

EngineID: (Get with the OID 1.3.6.1.6.3.10.2.1.1.0)

Passwords:

Auth uses SHA

Priv (privacy) uses AES
