How-to for searching logs in Palo Alto to quickly identify threats and traffic filtering on your firewall vsys.
On any given day, a firewall admin may be requested to investigate a connectivity issue or a reported vulnerability. The first place to look when the firewall is suspected is in the logs. This document is intended to help with negotiating the different log views and the Palo Alto Networks specific filtering expressions.
Note:The firewall displays only logs you have permission to see.
- The window shown when first logging into the administrative web UI is the Dashboard. The web UI Dashboard consists of a customizable set of widgets. A widget is a tool that displays information in a pane on the Dashboard. The PAN-OS ® software includes more than a dozen built-in widgets, and you decide which ones to display on your Dashboard.
- The ACC tab "Application Command Center" is a single-pane look that provides an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. With tabs for viewing activity for Network, Threat, Blocked and Tunnel activity.
- This can provide a quick glimpse into the events of a given time frame for a reported incident. Simply choose the desired selection from the Time drop-down.
- When you have identified an item of interest, simply hover over the object and click the arrow to add to the global filter. This forces all other widgets to view data on this specific object.
- Monitor aka "Logs"
- The Monitor tab holds all of the logs for your firewall, reports on the logs, and other monitoring features provided by Palo Alto Networks. Starting with PAN OS ® version 8.0, the "Unified" log view was provided for Firewall Admins to view & filter logs for all features, in addition to the individual log views. The threat log view displays logs for Vulnerability Protection, Anti-Virus, and Anti-spyware security profiles.
- The columns are adjustable, and by default not all columns are displayed. To better sort through our logs, hover over any column and reference the below image to add your missing column.
- Helpful tip: Once you've identified a suspicious entry, clicking it will add it to the filter. To build out your own query move to the next section "Log Filter Syntax Reference".
Additional Resource:Palo Alto Log Types
- Log Filter Syntax Reference
- Source or Destination address = (addr.src in x.x.x.x) or (addr.dst in x.x.x.x)
- Traffic for a specific security policy rule = (rule eq 'Rule name')
- Traffic log filter sample for outbound web-browsing traffic to a specific IP address.
- Work within Pan OS with the built-in query builder using the + symbol next to the filter bar at the top of the logs window.
- Palo Alto online reference: Filter Logs