Configure Log Forwarding
Configure a server profile for each external service that will receive log data.
You can use separate profiles to send each log type to a different server. To increase availability, define multiple servers in a single profile.
Create an Email server profile.
Configure an SNMP Trap server profile.
To enable the SNMP manager (trap server) to interpret firewall traps, you must load the Palo Alto Networks MIBs into the SNMP manager and, if necessary, compile them. For details, refer to your SNMP management software documentation.
Configure a Syslog server profile.
If the syslog server requires client authentication, you must also create a certificate to secure syslog communication over SSL.
Create a log forwarding profile.
The profile defines the destinations for Traffic, Threat, and WildFire Submission logs. (Threat logs include URL Filtering and Data Filtering logs.)
Objects > Log Forwarding
to identify the profile. If you want the firewall to automatically assign the profile to new security rules and zones, enter
. If you don’t want a default profile, or you want to override an existing default profile, enter a
that will help you identify the profile when assigning it to security rules and zones.
If no log forwarding profile named
exists, the profile selection is set to
by default in new security rules (
field) and new security zones (
field), although you can change the selection.
Perform the following steps for each log type and each severity level or WildFire verdict:
check box if you want to aggregate firewall logs on Panorama. (You can then configure Panorama to forward the logs to external services.)
server profile you configured for this log type, and click
Assign the log forwarding profile to security rules.
To trigger log generation and forwarding, the rules require certain
according to log type:
Traffic logs—No security profile is necessary; the traffic only needs to match a specific security rule.
Threat logs—The traffic must match any security profile assigned to a security rule.
WildFire logs—The traffic must match a WildFire Analysis profile assigned to a security rule.
Perform the following steps for each rule that will trigger log forwarding:
Policies > Security
and click the rule.
tab and select the
profile you just created.
Group, and then select the security profiles or
required to trigger log generation and forwarding.
For Traffic logs, select one or both of the Log At Session Start and Log At Session End check boxes, and click
Configure the destinations for System, Config, HIP Match, and Correlation logs.
Device > Log Settings.
Perform the following steps for each log type. For System and Correlation logs, start by clicking the Severity level. For Config and HIP Match logs, start by editing the section.
check box if you want to aggregate System, Config, and HIP Match logs on Panorama. Optionally, you can then configure Panorama to forward the logs to the external services.
Panorama generates Correlation logs based on the firewall logs it receives, rather than aggregating Correlation logs from firewalls.
server profile you configured for this log type and click
(PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.
Network > Interfaces > Ethernet
Interface Type, select
Default Gateway, and (for IPv4 only)
and specify the
Link Duplex, and
These fields default to auto, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommended
for any connection is
to save your changes.
Commit and verify your changes.
to complete the log forwarding configuration.
Verify the log destinations you configured are receiving firewall logs:
Panorama—If the firewall forwards logs to an M-Series appliance, you must configure a Collector Group before Panorama will receive the logs. You can then verify log forwarding.
Email server—Verify that the specified recipients are receiving logs as email notifications.
Syslog server—Refer to the documentation for your syslog server to verify it is receiving logs as syslog messages.
SNMP manager—Use an SNMP Manager to Explore MIBs and Objects to verify it is receiving logs as SNMP traps.
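The syslog check above says only "refer to your syslog server documentation". The following added example (not part of the PAN-OS documentation or any Palo Alto Networks tool) shows what that verification looks like when the syslog server is a plain UDP listener: it parses the BSD syslog header (PRI, timestamp, hostname), splits the firewall's comma-separated record, and counts messages per sending host and log type so you can confirm that Traffic, Threat and System logs are all arriving. The hostname, serial number and timestamps are constructed; the assumption that the log type sits in the fourth comma-separated field follows the PAN-OS syslog field layout and is not stated on this page. The loopback function sends the constructed messages to a local port and receives them itself, which lets you exercise the collector without a firewall.

```python
import re
import socket
import threading
from collections import Counter

# Constructed sample messages in the shape a PAN-OS firewall emits over syslog:
# a BSD syslog header followed by a comma-separated record whose fourth field
# is the log type (TRAFFIC, THREAT, SYSTEM, ...). The field position is an
# assumption taken from the PAN-OS syslog field layout; hostname, serial
# number and timestamps are made up. The last line is deliberately not syslog.
SAMPLE_MESSAGES = [
    "<14>Oct 25 10:15:32 pa-fw-01 1,2023/10/25 10:15:31,012345678901,TRAFFIC,end,2305",
    "<12>Oct 25 10:15:33 pa-fw-01 1,2023/10/25 10:15:33,012345678901,THREAT,url,2305",
    "<14>Oct 25 10:15:34 pa-fw-01 1,2023/10/25 10:15:34,012345678901,SYSTEM,general,0",
    "this line is not syslog at all",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # BSD timestamp, e.g. "Oct 25 10:15:32"
    r"(?P<host>\S+) "                                  # sending hostname
    r"(?P<body>.*)$"                                   # firewall's CSV record
)


def parse_syslog(line):
    """Return a dict describing one syslog line, or None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facilities run 0..23 and severities 0..7, so PRI <= 191
        return None
    fields = m.group("body").split(",")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m.group("host"),
        "timestamp": m.group("ts"),
        # Log type in the 4th CSV field (assumption, see the comment above).
        "log_type": fields[3] if len(fields) > 3 else None,
    }


def summarize(lines):
    """Count parsed messages per (host, log_type) and count unparseable lines."""
    counts = Counter()
    rejected = 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            rejected += 1
            continue
        counts[(rec["host"], rec["log_type"])] += 1
    return counts, rejected


def send_udp(port, messages, host="127.0.0.1"):
    """Send each message as one UDP datagram, the way a firewall would."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(msg.encode("utf-8"), (host, port))


def loopback_check(port=5514, timeout=5.0):
    """Bind a local UDP syslog listener, send the samples to it, and summarize
    what arrived. The bind happens before the sender starts, so no datagram
    is lost to a race. Port 5514 is an arbitrary unprivileged choice."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    sock.settimeout(timeout)
    received = []

    def collect():
        try:
            while len(received) < len(SAMPLE_MESSAGES):
                data, _ = sock.recvfrom(65535)
                received.append(data.decode("utf-8", errors="replace"))
        except socket.timeout:
            pass  # report whatever arrived before the deadline

    listener = threading.Thread(target=collect)
    listener.start()
    send_udp(port, SAMPLE_MESSAGES)
    listener.join()
    sock.close()
    return summarize(received)


if __name__ == "__main__":
    counts, rejected = loopback_check()
    for (host, log_type), n in sorted(counts.items()):
        print(f"{host:12} {log_type or '?':8} {n}")
    print(f"rejected (not syslog): {rejected}")
```

Against a real deployment, point `send_udp` at nothing and instead let the firewall send to the listener's port; a log type that never appears in the summary after a few minutes of matching traffic usually means the profile for that type is missing from the security rule (Traffic and Threat) or the WildFire Analysis profile is not attached (WildFire), per the rule requirements listed earlier on this page. A non-zero rejected count points at a sender that is not formatting messages as syslog at all.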