📄 Palo Alto Networks Log Types and Severity Levels
1. Overview of Log Types
Palo Alto Networks firewalls generate various log types to monitor and analyze network activity. Each log type provides specific information:
- Traffic Logs: Details about network sessions, including source, destination, application, bytes, and the action taken by the matching Security rule.
- Threat Logs: Information on detected threats such as viruses, spyware, vulnerability exploits, and URL or file blocks; each entry carries a severity.
- URL Filtering Logs: Records of web browsing activity and the URL categories accessed.
- WildFire Submissions Logs: Data on files submitted to WildFire for analysis and their verdicts.
- Data Filtering Logs: Alerts on data patterns matching predefined profiles, such as credit card numbers.
- Correlation Logs: Events identified by correlating multiple logs that together indicate a compromised host or other complex threat.
- Tunnel Inspection Logs: Records of tunnel sessions inspected by a Tunnel Inspection policy (cleartext tunnel protocols such as GRE, non-encrypted IPSec, and VXLAN).
- Config Logs: Records of configuration changes made on the firewall, including the administrator and the before/after values.
- System Logs: System-level events such as interface status changes and HA failovers.
- HIP Match Logs: Host Information Profile matches reported by GlobalProtect clients.
- GlobalProtect Logs: Events related to GlobalProtect VPN connections.
- IP-Tag Logs: Dynamic IP address tagging events.
- User-ID Logs: Information on user identification processes and IP-to-user mappings.
- Decryption Logs: Details on SSL/TLS decryption activity and failures.
- Alarms Logs: Alerts generated when predefined thresholds are exceeded.
- Authentication Logs: Records of authentication attempts and their results.
- Unified Logs: A consolidated view of Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering logs for analysis across types.
For more details, refer to the Log Types and Severity Levels documentation.
2. Severity Levels
System and Threat logs carry a severity that indicates the importance or impact of the event (Traffic logs have no severity field, so a severity filter never matches them). For System logs the levels are:
- Critical: Hardware failures, including HA failovers and link failures.
- High: Serious issues, such as dropped connections to external devices like LDAP or RADIUS servers.
- Medium: Mid-level notifications, such as antivirus package upgrades.
- Low: Minor notifications, such as user password changes.
- Informational: Login and logout events, configuration changes, and anything not covered by the other levels.
Threat logs use the same five levels, assigned per signature, so a filter such as "(severity geq high)" works for both log types.
Detailed descriptions can be found in the System Logs documentation.
3. Accessing Logs via GUI
To view logs through the web interface:
- Navigate to the Monitor tab.
- Select the desired log type from the left-hand menu.
- Use filters and search options to refine the displayed logs.
For more information, see the View Logs guide.
4. Accessing Logs via CLI
The Command Line Interface provides commands to view logs:
- show log traffic: Displays traffic logs.
- show log threat: Shows threat logs.
- show log system: Lists system logs.
- show log config: Presents configuration logs.
- tail follow yes mp-log <logfile>: Real-time monitoring of a management-plane log file (for example ms.log or authd.log); use dp-log instead for dataplane files.
Each show log command accepts the same query syntax as the GUI filter bar, for example show log threat query equal "(severity geq high)" direction equal backward to read the newest high and critical threat entries first.
For a comprehensive list of CLI commands, refer to the CLI Cheat Sheet: HA.
5. Configuring Log Forwarding
To monitor and analyze logs effectively, configure log forwarding to external collectors (Syslog, SNMP trap, email, or HTTP server profiles). Logs that stay only on the firewall are lost when the log quota rolls over and are within reach of anyone who compromises the device, so anything needed for detection or forensics should leave the box. Here is how to set up log forwarding on a Palo Alto Networks firewall:
- Create a Server Profile:
  - Navigate to Device > Server Profiles and select the profile type (Syslog, Email, SNMP Trap, or HTTP).
  - Click Add and enter the server address, port and, for Syslog, the transport (UDP, TCP, or SSL) and format (BSD or IETF). Prefer SSL: it keeps log contents off the wire in cleartext, and UDP gives no delivery guarantee.
- Define a Log Forwarding Profile:
  - Go to Objects > Log Forwarding and click Add.
  - Name the profile and add a match list per log type (Traffic, Threat, URL, WildFire, Data Filtering, Tunnel, Authentication, Decryption), each with a filter ("All Logs", or a severity filter such as "(severity geq high)" for types that carry a severity) and the server profile(s) to forward to. A profile named "default" is attached automatically to new Security rules.
- Apply the Log Forwarding Profile:
  - For Traffic, Threat, and the other session-based logs, navigate to Policies > Security, open the rule, and on the Actions tab set Log Forwarding to the profile. Keep "Log at Session End" enabled (the default); a rule with logging disabled generates no Traffic logs to forward.
  - For System, Configuration, User-ID, HIP Match, GlobalProtect, and IP-Tag logs, go to Device > Log Settings and add match lists there, again filtered by severity where the log type has one.
- Commit the Configuration:
  - Click Commit to apply the new settings; forwarding starts only after the commit succeeds.
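The same procedure expressed as PAN-OS set commands, as an added example that is not from the original page. It assumes the PAN-OS 9.x/10.x configure-mode syntax; the collector address 10.10.10.10, the profile names SIEM and Forward-to-SIEM, and the rule name allow-web-inbound are placeholders. Verify each path with ? completion on your own version before committing.

```text
configure
set shared log-settings syslog SIEM server siem-1 server 10.10.10.10 transport SSL port 6514 format BSD facility LOG_USER
set shared log-settings profiles Forward-to-SIEM match-list traffic-all log-type traffic filter "All Logs" send-syslog SIEM
set shared log-settings profiles Forward-to-SIEM match-list threat-high log-type threat filter "(severity geq high)" send-syslog SIEM
set rulebase security rules allow-web-inbound log-setting Forward-to-SIEM log-end yes
set shared log-settings system match-list sys-high filter "(severity geq high)" send-syslog SIEM
set shared log-settings config match-list config-all filter "All Logs" send-syslog SIEM
commit
```

The first line is the Server Profile (syslog over TLS on 6514), the next two are the Log Forwarding Profile with one match list per log type, the rule line attaches it to a Security rule with logging at session end kept on, and the system and config lines are the Device > Log Settings equivalents, since those log types are not tied to a rule.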
For a detailed guide on configuring log forwarding, refer to the Use Syslog for Monitoring documentation.
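On the receiving side, the severity levels from section 2 are what a collector uses to decide which forwarded records deserve a page and which just get indexed. The following Python is an added example, not code from the page or from Palo Alto Networks: it parses BSD-format syslog lines as the firewall emits them, pulls the Type and Severity fields out of the CSV body, and routes each record. The field positions in FIELD_INDEX are my reading of the PAN-OS 9.x/10.x syslog layout for THREAT, SYSTEM, and TRAFFIC logs and must be checked against the Syslog Field Descriptions for the version you run; the sample lines are constructed, not captured.

```python
"""Parse PAN-OS syslog-forwarded records and route them by log type and severity."""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The firewall's own severity scale, highest first (Threat and System logs).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}

# 0-based positions of selected fields in the CSV body, keyed by the Type field.
# ASSUMPTION: taken from the PAN-OS 9.x/10.x syslog field layout for THREAT,
# SYSTEM and TRAFFIC logs; verify against the Syslog Field Descriptions you run.
FIELD_INDEX: Dict[str, Dict[str, int]] = {
    "THREAT": {"src": 7, "dst": 8, "rule": 11, "app": 14, "action": 30,
               "threat_name": 32, "severity": 34},
    "SYSTEM": {"event_id": 8, "module": 12, "severity": 13, "description": 14},
    "TRAFFIC": {"src": 7, "dst": 8, "rule": 11, "app": 14, "action": 30, "bytes": 31},
}

_PRI = re.compile(r"^<\d{1,3}>")  # optional syslog priority prefix, e.g. <14>


@dataclass
class PanLog:
    log_type: str
    subtype: str
    serial: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def severity(self) -> Optional[str]:
        return self.fields.get("severity")  # None for types without a severity


def parse_line(line: str) -> PanLog:
    """Split a BSD-format syslog line into the PAN-OS CSV record it carries."""
    line = _PRI.sub("", line.strip())
    first_comma = line.find(",")
    if first_comma < 0:
        raise ValueError("no CSV body found")
    # The BSD header (timestamp, hostname) never contains a comma, so the CSV
    # body begins after the last space that precedes the first comma.
    body = line[line.rfind(" ", 0, first_comma) + 1:]
    # PAN-OS wraps any field containing a comma in double quotes, so a real
    # CSV parser is needed rather than str.split(",").
    cols = next(csv.reader(io.StringIO(body)))
    if len(cols) < 5:
        raise ValueError("CSV body too short to be a PAN-OS record")
    log_type, subtype, serial = cols[3], cols[4], cols[2]
    wanted = FIELD_INDEX.get(log_type, {})
    fields = {name: cols[i] for name, i in wanted.items() if i < len(cols)}
    return PanLog(log_type, subtype, serial, fields)


def route(log: PanLog, page_at: str = "high") -> str:
    """Return 'page' (wake someone), 'siem' (index it) or 'archive' (cold storage)."""
    if log.severity is not None:
        sev = log.severity.lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unexpected severity {log.severity!r}")
        return "page" if SEVERITY_RANK[sev] >= SEVERITY_RANK[page_at] else "siem"
    if log.log_type == "TRAFFIC":
        # Traffic logs carry no severity; keep blocked sessions searchable,
        # send plain allowed sessions to cheaper storage.
        return "archive" if log.fields.get("action") == "allow" else "siem"
    return "siem"  # CONFIG and other types: keep, nothing to page on here


# Constructed sample records (not captured from a real firewall); RFC 5737 addresses.
SAMPLE_LINES: List[str] = [
    "<14>May  3 09:15:02 pa-fw-01 1,2024/05/03 09:15:02,007051000012345,SYSTEM,ha,0,"
    "2024/05/03 09:15:02,,ha-state-change,,0,0,general,critical,"
    '"HA Group 1: Moved from state Active to state Non-Functional, link monitor failed",'
    "12345,0x0,0,0,0,0,,pa-fw-01",
    "<14>May  3 09:16:10 pa-fw-01 1,2024/05/03 09:16:10,007051000012345,THREAT,vulnerability,"
    "2561,2024/05/03 09:16:10,203.0.113.7,198.51.100.2,203.0.113.7,10.1.20.15,allow-web-inbound,"
    ",,web-browsing,vsys1,untrust,dmz,ethernet1/1,ethernet1/2,Forward-to-SIEM,0,40123,1,51544,"
    '443,51544,443,0x80400000,tcp,reset-both,"/index.php?id=1,2",SQL Injection Attempt,'
    "code-execution,high,client-to-server,7001,0x0,US,10.0.0.0-10.255.255.255",
    "<14>May  3 09:17:30 pa-fw-01 1,2024/05/03 09:17:30,007051000012345,TRAFFIC,end,2561,"
    "2024/05/03 09:17:30,10.1.20.15,192.0.2.44,198.51.100.2,192.0.2.44,allow-outbound,jdoe,,ssl,"
    "vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-to-SIEM,0,40130,1,52010,443,18740,443,"
    "0x400000,tcp,allow,8450,3200,5250,24,2024/05/03 09:17:10,20,computer-and-internet-info,0,"
    "7002,0x0,10.0.0.0-10.255.255.255,US,0,14,10,tcp-fin",
    "<14>May  3 09:18:00 pa-fw-01 1,2024/05/03 09:18:00,007051000012345,CONFIG,0,0,"
    "2024/05/03 09:18:00,10.1.1.10,vsys1,edit,admin,Web,Succeeded,rulebase security rules",
]


def demo(page_at: str = "high") -> List[Tuple[str, str, Optional[str], str]]:
    """Parse the samples and return (type, subtype, severity, route) per record."""
    out = []
    for line in SAMPLE_LINES:
        log = parse_line(line)
        out.append((log.log_type, log.subtype, log.severity, route(log, page_at)))
    return out


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The page_at threshold mirrors the "(severity geq high)" filter you would put in the forwarding profile; tightening it on the collector rather than on the firewall keeps the lower-severity records available for investigation while still limiting what wakes people up.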