Action-Oriented Log Forwarding using HTTP

To enable better integration between your firewall and IT infrastructure, you can now trigger an action or initiate a workflow on an external HTTP-based service when a log is generated on the firewall. Forward logs from the firewall or Panorama to an HTTP(S) destination to accomplish the following tasks more easily:
  • Send an HTTP-based API request directly to a third-party service to trigger an action based on the attributes in a firewall log. You can configure the firewall to work with any HTTP-based service that exposes an API, and modify the URL, HTTP header, parameters, and the payload in the HTTP request to meet your integration needs. When used with Selective Log Forwarding Based on Log Attributes, this capability lets you forward only the logs that match defined criteria, so that you can automate a workflow or an action without relying on an external system to convert syslog messages or SNMP traps into HTTP requests.
    PAN-OS 8.0 includes support for ServiceNow and VMware NSX. You can use the predefined formats to send log data to ServiceNow to create an incident report and to tag virtual machines through VMware NSX Manager. Content updates will revise the predefined formats added in PAN-OS 8.0 and add new predefined formats for integration with other third-party services.
  • Tag the source or destination IP address in a log entry automatically and register the IP-address-to-tag mapping with a User-ID agent on the firewall or Panorama, or with a remote User-ID agent, so that you can respond to an event and dynamically enforce security policy. This extends the use of dynamic address groups, which use tags as the filtering criteria that determine their members, so that you can apply security policy rules to an IP address based on tags that describe its state or role on the network. For example, you can configure the firewall to tag the source IP address of every threat log it generates with a specific tag name, and then create a dynamic address group that matches on that tag name to populate its members. When you use this dynamic address group as a source or destination object in a policy rule, you streamline enforcement and can block those IP addresses from accessing network resources. Additionally, you can register the mappings with a User-ID agent that is configured to redistribute tags across your network infrastructure. This flow of information gives you better visibility, context, and control for consistently enforcing security policy wherever the IP address moves on your network.
Configuration and system logs do not support tagging, because these log types do not carry source IP address and destination IP address attributes.
  1. Create an HTTP server profile to forward logs to an HTTP(S) destination.
    The HTTP server profile allows you to specify how to access the server and define the format in which to forward logs to the HTTP(S) destination. By default, the firewall uses the management port to forward these logs.
    1. Select Device > Server Profiles > HTTP, add a Name for the server profile, and select the Location. The profile can be Shared across all virtual systems or can belong to a specific virtual system.
    2. Click Add to provide the details for each server. Each profile can have a maximum of 4 servers.
    3. Enter a Name and IP Address.
    4. Select the Protocol (HTTP or HTTPS). The default Port is 80 or 443 respectively; you can modify the port number to match the port on which your HTTP server listens.
    5. Select the HTTP Method that the third-party service supports: PUT, POST (default), GET, or DELETE.
    6. Enter the Username and Password for authenticating to the server, if needed, and click OK. If you configure credentials, use HTTPS: over plain HTTP, both the credentials and the forwarded log contents cross the network in cleartext.
  2. Select Test Server Connection to verify network connectivity between the firewall and the HTTP(S) server.
  3. Configure the format for the data (payload) in the HTTP request.
    1. Select Payload Format, click the Log Type link for each log type for which you want to define the HTTP request format. For example, select the Threat log type.
    2. Select the Pre-defined Formats drop-down to view the formats available through content updates, or specify a custom format. Use the drop-down to select the attributes you want to include in the HTTP Header, in the Parameter and Value pairs, and in the request payload. You can choose any attribute that the selected log type supports.
    If you create a custom format, the URI is the resource endpoint on the HTTP service. The firewall appends the URI to the IP address you defined earlier to construct the URL for the HTTP request. Ensure that the URI and payload format matches the syntax that your third-party vendor requires.
  4. Trigger an action. For details, see Forward Logs to an HTTP(S) Destination.
    • Define the match criteria for when the firewall will forward logs to the HTTP server, and attach the HTTP server profile to use. The match criteria allows you to specify the events (based on firewall logs) for which you want to forward logs or initiate an action on the HTTP server.
    • Register or unregister a tag on a source or destination IP address in a log entry to a remote User-ID agent.
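
The steps above configure the sending side. The following is an added example of the receiving side, written for this page and not code from Palo Alto Networks: a small HTTP service that accepts the firewall's POST, authenticates it, validates the payload, and decides which tag to register. It assumes the server profile was configured with a Username and Password sent as HTTP Basic authentication, and that the custom Threat-log payload is a JSON object with `src`, `dst`, `severity` and `threat` fields; the credential values, the field names and the severity-to-tag table are all assumptions for illustration.

```python
"""Receiver for PAN-OS HTTP log forwarding (added example, not Palo Alto Networks code).

Assumptions (not from the original page): the HTTP server profile uses Basic
authentication with the credentials below, and the custom Threat-log payload is
a JSON object such as {"src": "...", "dst": "...", "severity": "...", "threat": "..."}.
"""
import base64
import hmac
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed credentials matching the server profile; terminate TLS in front of this.
EXPECTED_USER = "panos-forwarder"
EXPECTED_PASSWORD = "change-me"

# Assumed mapping from threat-log severity to the tag registered for the source IP.
TAG_BY_SEVERITY = {"critical": "quarantine", "high": "quarantine", "medium": "watch"}


def basic_auth_header(user, password):
    """Build the Authorization header value a client sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_basic_auth(auth_header):
    """Validate an Authorization: Basic header; both fields compared in constant time."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    ok_user = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    ok_pw = hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode())
    return ok_user and ok_pw


def handle_log(body):
    """Parse a forwarded log payload and decide the action.

    Returns (http_status, result). Malformed JSON, a non-object payload, a src
    that is not an IP address, or an unmapped severity is rejected or ignored,
    so a malformed or spoofed POST cannot push an unexpected tag into a
    dynamic address group.
    """
    try:
        log = json.loads(body)
    except ValueError:
        return 400, {"error": "payload is not JSON"}
    if not isinstance(log, dict):
        return 400, {"error": "payload must be a JSON object"}
    try:
        src = ipaddress.ip_address(str(log.get("src", "")))
    except ValueError:
        return 400, {"error": "src is not an IP address"}
    severity = str(log.get("severity", "")).lower()
    tag = TAG_BY_SEVERITY.get(severity)
    if tag is None:
        return 202, {"action": "none", "src": str(src), "severity": severity}
    return 200, {"action": "register-tag", "src": str(src), "tag": tag}


class ForwarderHandler(BaseHTTPRequestHandler):
    """Authenticate the firewall, then act on the forwarded log."""

    def do_POST(self):
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="log-receiver"')
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(min(length, 64 * 1024))  # cap the body we buffer
        status, result = handle_log(body)
        payload = json.dumps(result).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Constructed sample of what the firewall would POST for a high-severity threat log.
    sample = json.dumps({"src": "10.1.2.3", "dst": "203.0.113.7",
                         "severity": "high", "threat": "example-signature"})
    print(handle_log(sample))
    # Bind to the management network only; the firewall forwards from its management port by default.
    HTTPServer(("127.0.0.1", 8080), ForwarderHandler).serve_forever()
```

The service only ever maps a validated IP address to one of a fixed set of tags, so the forwarded log controls which action runs but not what the action is; the same shape applies if the receiver instead calls a ticketing or orchestration API.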
