Palo Alto Firewall: Configuring Log Forwarding Profiles and Device Log Settings
This guide provides detailed steps to configure log forwarding profiles and device log settings on Palo Alto Networks firewalls, ensuring comprehensive log capture and forwarding to desired destinations.
1. Configuring Log Forwarding Profiles
Log Forwarding Profiles determine how different types of logs are forwarded to external services such as Panorama, syslog servers, SNMP managers, email servers, or HTTP endpoints.
1.1 Steps to Create a Log Forwarding Profile
- Navigate to Objects > Log Forwarding.
- Click Add to create a new profile.
- Enter a Name for the profile.
- Under Match List, add entries for each log type you wish to forward:
  - Select the Log Type (e.g., traffic, threat, system).
  - Optionally, define a Filter to specify which logs to forward.
  - Choose the forwarding method(s): Panorama, Syslog, Email, SNMP, or HTTP.
- Click OK to save the profile.
For detailed instructions, refer to the official documentation: Configure a Log Forwarding Profile (PAN-OS & Panorama).
2. Configuring Device Log Settings
Device Log Settings control the forwarding of system-generated logs such as system, configuration, and authentication logs.
2.1 Steps to Configure Device Log Settings
- Navigate to Device > Log Settings.
- For each log type (e.g., System, Config, User-ID):
  - Click the corresponding Edit icon.
  - Select the desired Log Forwarding Profile.
  - Click OK to save the settings.
- Commit the configuration changes.
For more information, see: Device > Log Settings.
3. Considerations for Comprehensive Log Capture
- Assign Log Forwarding Profiles to Security Policies: Ensure that each security policy rule has the appropriate log forwarding profile assigned under the Actions tab.
- Configure All Relevant Log Types: Include all necessary log types (e.g., traffic, threat, system) in your log forwarding profiles to avoid missing critical information.
- Verify Connectivity to Log Destinations: Ensure that the firewall can reach the configured external log servers and that appropriate service routes are defined.
- Monitor Log Forwarding Status: Regularly check the status of log forwarding to confirm that logs are being successfully sent to the intended destinations.
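A collector-side check for the last two considerations, added here as an example and not taken from this guide or from Palo Alto Networks: it parses forwarded syslog lines and reports, per firewall serial number, which expected log types are missing or stale. It assumes the default comma-separated PAN-OS syslog format (no custom log format); the silence thresholds, serial numbers and sample lines are constructed.

```python
import csv
from datetime import datetime, timedelta

# Assumed policy: log types each firewall should deliver and the longest
# acceptable silence per type. Tune both to your own forwarding profiles.
MAX_SILENCE = {
    "TRAFFIC": timedelta(minutes=15),
    "THREAT": timedelta(hours=24),
    "SYSTEM": timedelta(hours=24),
    "CONFIG": timedelta(days=7),
}

def parse_panos_line(line):
    """Return (serial, log_type, receive_time), or None if the line is not PAN-OS CSV.

    Default field order: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, ...
    The syslog header ends up inside field 0 and is ignored.
    """
    fields = next(csv.reader([line]), [])
    if len(fields) < 5:
        return None
    try:
        received = datetime.strptime(fields[1], "%Y/%m/%d %H:%M:%S")
    except ValueError:
        return None
    return fields[2], fields[3].upper(), received

def forwarding_gaps(lines, expected_serials, now):
    """Map each expected firewall serial to the log types that are missing or stale."""
    # Seed with every expected serial so a completely silent firewall is reported too.
    last_seen = {serial: {} for serial in expected_serials}
    for line in lines:
        parsed = parse_panos_line(line)
        if parsed is None or parsed[0] not in last_seen:
            continue
        serial, log_type, received = parsed
        if received > last_seen[serial].get(log_type, datetime.min):
            last_seen[serial][log_type] = received
    gaps = {}
    for serial, seen in last_seen.items():
        stale = sorted(t for t, limit in MAX_SILENCE.items()
                       if t not in seen or now - seen[t] > limit)
        if stale:
            gaps[serial] = stale
    return gaps

# Constructed sample lines (truncated after the subtype field), not real firewall output.
SAMPLE = [
    "<14>Apr 10 12:00:01 fw01 1,2024/04/10 12:00:01,001234567890,TRAFFIC,end,2562",
    "<14>Apr 10 11:58:40 fw01 1,2024/04/10 11:58:40,001234567890,THREAT,url,2562",
    "<14>Apr 10 09:15:00 fw01 1,2024/04/10 09:15:00,001234567890,SYSTEM,general,2562",
    "<14>Apr 10 10:30:00 fw02 1,2024/04/10 10:30:00,009876543210,TRAFFIC,end,2562",
    "<14>Apr 10 11:00:00 fw02 1,2024/04/10 11:00:00,009876543210,CONFIG,0,2562",
]
```

Call `forwarding_gaps(lines, expected_serials, now)` with lines read from the collector's log file. Receive Time is written in the firewall's local time, so pass a `now` taken in the same timezone.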
4. Mermaid Sequence Diagram: Log Forwarding Process
sequenceDiagram
participant User
participant Firewall
participant LogDestination
User->>Firewall: Generates traffic
Firewall->>Firewall: Applies security policies
Firewall->>Firewall: Generates logs (traffic, threat, system)
Firewall->>LogDestination: Forwards logs as per Log Forwarding Profile
LogDestination-->>Firewall: Acknowledges receipt (if applicable)
5. Official References