Palo Alto Networks Log Monitoring

🔍 Overview

Log monitoring on Palo Alto firewalls is critical for visibility, threat detection, and compliance. Logs include detailed information about traffic, system events, threats, and administrative actions. PAN-OS provides rich monitoring features locally, as well as integration with external monitoring platforms.

🗂️ Log Types

• Traffic Logs – Session details for allowed/denied traffic.
• Threat Logs – Malware, spyware, vulnerability, or DoS attempts.
• URL Filtering Logs – Web access logging with category verdicts.
• WildFire Submissions – Details of files submitted for analysis.
• Data Filtering Logs – DLP-related events.
• System Logs – Operational events, failures, admin actions.
• Config Logs – Audit trail of changes by administrators.
• Authentication Logs – User login attempts.
• HIP Match Logs – Device posture matches for GlobalProtect.
• Tunnel Inspection Logs – Logs for decrypted or tunneled sessions.
• Unified Logs – Aggregated view across log types.

🛠️ Log Forwarding Configuration

1. Create server profiles for Syslog, Email, SNMP, or HTTP:

   Device > Server Profiles > Syslog

2. Create a Log Forwarding profile under:

   Objects > Log Forwarding

   Define filters and associate with external server profiles.
3. Assign the profile to:
   • Security policies via Policies > Security > Actions
   • Zones via Network > Zones > Log Setting

💡 Best Practices

• Use Panorama for centralized log collection and forwarding.
• Filter logs by relevance to reduce load and storage.
• Configure Service Routes to send logs over interfaces other than management.
• Use TCP or TLS for reliable Syslog transport.
• Regularly back up logs and reports via SCP or external collectors.

📊 External Monitoring Integration

• Syslog Servers : Splunk, ArcSight, QRadar
• SNMP Managers : For alerts and traps
• Email Notifications : For admin alerts
• HTTP(S) : Trigger workflows like ticket creation in ServiceNow

📦 Sequence Diagram: Syslog Log Forwarding

sequenceDiagram
  participant Admin
  participant Firewall
  participant SyslogServer

  Admin->>Firewall: Configure Syslog Server Profile
  Admin->>Firewall: Create Log Forwarding Profile
  Admin->>Firewall: Assign Profile to Security Policy
  Firewall->>Firewall: Traffic Match → Log Generated
  Firewall->>SyslogServer: Forward Log via UDP/TCP/TLS
  SyslogServer-->>Firewall: ACK (if TCP/TLS)
  Note over SyslogServer: Log stored for correlation & analysis
  

🔗 Official Documentation References

• View and Manage Logs
• Configure Log Forwarding
• Configure Syslog Monitoring
• Panorama Log Forwarding
• Common Event Format (CEF) Guide