Palo Alto Firewalls: Creating Custom Reports
The UW Palo Alto firewalls generate thousands of logs each day, providing information that gives helpful insight into what is happening within our network. The trick is to distill this data so campus IT administrators can use it to quickly identify and respond to security events.
This is where the reporting feature comes into play. By using query filters, you can narrow the log view to display only the logs for specific firewall nodes and virtual systems. For query filter syntax, see the KB on log management: Firewall Log Viewing and Filtering
- Generating custom reports:
- To start, we will need a custom report for our area and the log types that best help identify events relevant to our operations and security monitoring. (In this example we will be viewing critical-level vulnerability threats.)
- We will need to be logged into our firewall instance; follow this KB for access: Access your VSYS and brief on log viewing
- Navigate to: Monitor > Manage Custom Reports and click "Add" at the bottom of the window.
- Once we've clicked Add, a custom Report window will display and we can begin building out our report.
- Name: Title of the report. Standard format to use: department short code - Threat (or URL, or the name of the logs being reported on).
- Description (Optional): Report description if not provided in the Name.
- Database: Panorama Threat Summary (or URL Summary or name of logs being reported on)
- Time Frame: Default on initial generation is last 15 minutes. In this example we will use Last Calendar Day.
- Sort By: Count (or metric of your choosing).
- Group By: Threat/Content Name (or metric of your choosing).
- "Scheduled" check box: check this if generating an automated report (covered later in this article).
- Available and Selected Columns (adjusts based on the database chosen). These will provide the data displayed in the report. In this example:
- Threat/Content Name
- Source Address
- Destination Address
- Severity
- Virtual System Name
- Rule
- Action
- Count
- Query Builder:
- (Reference the KB listed at the top of the article for sample Query syntax, or click the hyperlink at the right of the Query Builder.)
- To filter down the report, so we're not seeing every single log in the selected database, we will use the filtering provided by Palo Alto Queries.
- For this step we will need to know the following:
- The Firewall "node" we want to review on.
- The Virtual System "vsys" number assigned to our department.
- The Security Zone name for the Untrusted/External networks.
- In this example we are filtering to view the Critical threat logs for WiscVPN off of the Datacenter firewall:
- (severity eq critical) and (zone.src neq TRANSIT-UNTRUST) and (device_name eq DataCenter-Primary) and (vsys eq vsys1)
- Once finished, we can test by clicking "Run Now"; this shows what will be displayed in our report.
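To see what the filter and the Group By / Sort By settings above actually produce, the following added example (not code from the article or from Palo Alto) evaluates the article's query over a handful of constructed threat-summary rows and groups the survivors by Threat/Content Name, sorted by count. It assumes the filter's second operator is neq and handles only eq/neq terms joined by and, as in the article's query; field names are taken from that query.

```python
import re
from collections import Counter

# Constructed sample Panorama threat-summary rows (not real UW logs); keys mirror the
# filter fields used in the article's query.
def rec(severity, zone, device, vsys, threat):
    return {"severity": severity, "zone.src": zone, "device_name": device,
            "vsys": vsys, "threat": threat}

LOGS = [
    rec("critical", "VPN-TRUST", "DataCenter-Primary", "vsys1", "Constructed Exploit A"),
    rec("critical", "VPN-TRUST", "DataCenter-Primary", "vsys1", "Constructed Exploit A"),
    rec("critical", "TRANSIT-UNTRUST", "DataCenter-Primary", "vsys1", "Constructed Exploit B"),
    rec("high", "VPN-TRUST", "DataCenter-Primary", "vsys1", "Constructed Exploit C"),
    rec("critical", "VPN-TRUST", "DataCenter-Primary", "vsys2", "Constructed Exploit C"),
    rec("critical", "VPN-TRUST", "DataCenter-Primary", "vsys1", "Constructed Exploit C"),
]

# Only the two operators the article's query uses; any other syntax is rejected (assumption).
OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b}
TERM = re.compile(r"\(\s*([\w.]+)\s+(eq|neq)\s+([^\s()]+)\s*\)")

def parse_filter(query):
    """Split an and-joined filter into (field, op, value) terms, rejecting anything else."""
    terms = TERM.findall(query)
    rest = TERM.sub(" ", query).split()          # what is left must be the "and" joins
    if not terms or rest != ["and"] * (len(terms) - 1):
        raise ValueError("unsupported filter syntax: " + query)
    return terms

def matches(row, terms):
    """A row survives only if every term of the filter holds for it."""
    return all(OPS[op](row.get(field, ""), value) for field, op, value in terms)

def run_report(rows, query, group_by="threat"):
    """Filter the rows, then Group By one column and Sort By Count, descending."""
    terms = parse_filter(query)
    counts = Counter(row[group_by] for row in rows if matches(row, terms))
    return counts.most_common()

QUERY = ("(severity eq critical) and (zone.src neq TRANSIT-UNTRUST) and "
         "(device_name eq DataCenter-Primary) and (vsys eq vsys1)")

if __name__ == "__main__":
    for name, count in run_report(LOGS, QUERY):
        print(f"{count:>5}  {name}")
```

Rows from the external zone, of lower severity, or from another vsys drop out, which is exactly the narrowing the "Run Now" preview will show.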
If there are any questions, or if you wish to have a quick consultation, please send your request to cybersecurity@cio.wisc.edu
- Automated, Emailed Reports:
- Once we are happy with the custom reports, rather than logging in and manually running them daily or weekly, we have the option to have the reports sent as a PDF via email.
- The first requirement is to have an email profile set up; this is only available to the global administrators.
- Please open a ticket to get the recipient email created by emailing cybersecurity@cio.wisc.edu with the email address, department UDDS and department short code.
- Enabling Custom Report Automation:
- When creating an automated report, the first step is to setup our custom reports to run on a schedule.
- This is made possible by navigating to Monitor > Manage Custom Reports, opening our report to be automated and checking the box for "Scheduled".
- With the box checked, our Time Frame options change to Last: Calendar Day, 7 Days, 7 Calendar Days, Calendar Week, 30 Days, 30 Calendar Days or Calendar Month.
- Creating Report Groups:
- For our reports to be emailed, they need to be grouped together into a Report Group PDF (even if we have only a single report). Navigate to Monitor > PDF Reports > Report Groups and click Add.
- The new report group properties window will pop up. Name the report group with the standard format: Department Short code - Security Report Summary. Choose an optional Title Page for the report by checking the box and entering the Title for the report.
- We then need to find our custom reports in the selection on the left portion of the window and click Add >> (the reports are added top down in order of selection and cannot be moved up or down within the report group).
- Collapse the Predefined Reports list; the list below it contains the Custom Reports.
- Click OK.
- Email Scheduler:
- The final step is to setup the report emailing.
- Navigate to Monitor > PDF Reports > Email Scheduler.
- Click Add to create the new Email Scheduler.
- Name: Daily (or Weekly) Dept. Short-code Security Summary.
- PDF Report or Report Group: Choose the PDF Report Group created in the step above.
- Email Profile: Choose the Email Profile created from the ticket opened with cybersecurity.
- Recurrence: Disabled, Daily, Specific day of the week, or Specific day of each month.
- Override Email Address(es): Specify email addresses the report will be sent to INSTEAD of the email address in the Email Profile.