Palo Alto PCNSA – Chapter 11 – Monitoring and Reporting part 2

3. 11.3 Reports

In this video we are covering Pcnsa 210 and this is our Chapter Eleven Monitoring and Reporting. Now this is the third video of Chapter 1111. 3 reports and same as from the other two videos 11. 1 and 11. 2. I’m going to dive in straight into my Firewall and we look at reports from here. So in 11. 1 we looked at Dashboard Functional category 11. 2, Application Location Command Center and for report we need to go to monitor functional category and reports are located towards the end. So we see PDF reports. We can manage PDF summary, user activity reports, SAS application report groups and email schedule. We can create our own custom reports and we can see reports here. Any reports that run during the night, like we set at 02:00 A. m. To run the reports, they can appear here.

My Firewall is a virtual, so it doesn’t have that. 02:00 A. m. Is not on at that time. And that’s why we don’t see any reports here. We can actually control the time the report actually runs. And to do that we need to go to Device and then on the setup management and towards the end we see we have login and report settings. If we click on the gear icon here and we can see the reports on the log, export and reporting, they run at 02:00 A. m. Here and then we can change it to run the different report. So they’re going to run whatever reports they create. They’re going to run at two em and we have a predefined reports, lots of predefined reports, four categories and then loads of subcategories. For each individual category we have an application reports, traffic reports, threat reports and URL filtering reports.

Different type of reports are going to be running if I go back to the monitor and we can create our own summary report. Now, the summary report is the whole every report that you have there and it’s 18 tabs. By default it’s 18. You can’t have more, you can have less if you want to, but they’re going to be summarized into one piece of paper and you can see it nice and easy. Maybe your management don’t want to detail report, they can just see the whole just summary. I can add that. So click Add and you can see these are the default tabs that we can have items for reports that we can have, we can remove them. So for example, say the top attackers by source countries I don’t want that. And by destination countries I don’t want that.

So I can add two new ones. Maybe top denied sources and Top denied destinations. If I want to add a new one, I’ll get a warning that says items 18 items they are there can’t have more than that because they won’t be able to fit on one page. And if I give it a name so I’ll call it Astrid. Summary report. And this report will run at 02:00 A. m. And it will generate it and then we can create an email schedule which we can send this report. And to do that you go to email scheduler and this report for example will be emailed to whoever you put it on the email schedule. So say add and I can’t test it because I don’t have an SMTP server but this is how you would add it. So give it a name. So email schedule and what do we want to send? We want to send the one that we just created.

Okay, the next report that we can have, it’s your own user activity report. So we can create a user activity report by a name if we have a user ID, or we can give an IP address by IP address we’re not going to say run this but decided to create it report and type by a user. And I can put an IP address here, for example, IP addresses 192168 or one of the machines in my network. And I can have additional filters. We can put a filter builder here or, for example, we can add for time period. For example, every 15 minutes or last 15 minutes, I could be lost. 24 hours include detailed browsing, but that’s going to generate longer report. And we can run the report now and click OK. And we can schedule this to be sent to us anyway. Then we have something called the SAS Application Usage and by default the report includes detailed information about the top SAS and non SaaS application subcategories.

I don’t have any SaaS application but you would create it here and then we have a report groups now, report groups if I add a new one here, I can create a set of reports that the firewall can compile and then send them as a single aggregated PDF report. So for example, let’s say Top Application or Threat Trends top Applications, maybe Top Attackers, destination attacker sources and give it a name. So let’s just say asterisk Report group and then the title what is going to appear on the top of the page because it’s going to be one page yet. So top report, whatever and click OK. And this is going to be generated at 02:00 a. m. , it’s going to run this report and we can even email this report. For example, if I create an email schedule, sorry, I can send that report as an email.

For example, report group here and I don’t have an email SMTP service. I can’t really send an email, I can’t send an email but if you did you would create email profile and then that report will be emailed to whoever you want to. Okay, we can manage a custom report, we can create our own reports. So if I add a new custom report, let’s just call it asterisk custom report and the database, for example, we can say Application statistics and these are your top application statistics, traffic threats and this report. We can schedule to run last Calendar Day, maybe every day, seven days, whatever you want to. And we can sort them or we can group them. And what do we want to run? For example, something with thread. These are alphabetically order, so threat category, I will add that. Threat content name, I’ll add that and click OK.

4. 11.4 Log forwarding

In this video we are covering Pcnsa 210 and this is our chapter eleven, Monitoring and Reporting. Now this is the fourth video of chapter eleven, which is 11. 4 log forwarding. Now, like with the other lessons in chapter eleven, I’m going to go straight into my firewall and we’re going to look at log forwarding there we looked at Dashboard Application Command Center or ACC. We looked at the reporting and now we’re going to look at the log forwarding. So now if I go to monitor and traffic log so we can see the traffic logs that’s happening in our network and say that I do want to export this because obviously our firewall doesn’t have enough memory to keep all the logs as we need to. So if I want to export all this and I can do it manually, or I can do it dynamically, but manually, I’m going to show you.

Now I have to click here and this will export them in the CSV format CSV and I have to use any application that can read that format. And what this is going to export for me is going to export 65,535 of these lines. Whatever I got here is going to export all these lines into CSV format and then I can open like for example Excel application and read all this information. And that’s what we’re going to do, right? So if I click let me get rid of these and if I just hover above that you can see this says it will say Export to CSV and let’s do that. Okay, it’s already done. So we can click Download File and this will download the log file and you can see Log CSV. It doesn’t have a date or anything like that. So let me just open that and we will see the 65,535 lines and that’s a maximum of entries that we can add.

For example, we can fix that as well if we want to. We can see the receive time type traffic, the serial numbers are there as well and we can see the threat, we can see the configuration version, generated time source address, all the information that we see under the traffic log. We can see it here, but we’re going to see 65,535 lines and that’s the maximum. And say that we want, for example, maybe to reduce the amount of entries. So maybe they just want to see the first page or anything like that. To do that, to reduce the entries, we need to go to the same where we went in the yellow video. Go to device. Same place. So go to Device, set up management management and then towards the end we have a login and report settings.

We were here on the 11. 3 video. So if I click on the gear icon here and last time we looked at the time when we can change it under Log Export and Reporting, we looked at the time, the runtime this time we look at the maximum rows in CSV export 65, five, three, five. So here we can change, for example, how many rows. Maybe I just want ten rows. Yeah, so change that to ten. And if I go to policies, sorry, if I go to monitor and say the traffic thread monitor and same, same as the traffic, I want to go look at the thread and export them in a CSV format. And again, the file name you see just says log. So obviously you need to change those. So we can see now the threats. So the type is the threat and threat content is vulnerability when received and so on.

You can see the information here. Okay, excellent. I’m going to get rid of both of them off there. Okay, so if I go back to my slides and we have to look at where we can send these logs. Now you need to forward the logs because obviously, like I said, the firewall doesn’t have enough memory to keep the logs into memory because it doesn’t have enough storage yet. So the best place to export the logs and that’s the default for major enterprises is a Panorama, which is a dedicated management appliance or a virtual machine. But if we run a dedicated M 100 that has eight terabytes for loaves, now for medium sized company that’s enough. But bigger companies, even M 500, which has 24 terabytes, maybe is not enough.

And for that there is a solution for that as well. Anyway, M 100 has the eight terabytes, m 500 has 24 terabytes maximum storage. We can export them to SNMP or we can export it to the Security Information and Event Management Server. We can export them to Http or Is email. Now imagine that even 24 terabytes M 500, it doesn’t do it for you. We are a bigger company than that. Then we have a cortex. Data lake. Now, Cortex Data Lake was known as a login services and it’s a cloud based centralized login storage and aggregation. Now, this has two geographical regions for Cortex Data Lake, which is one in North America and Europe. And here you can store as much as you want.

There’s no limit. Anyway, if we need to, for example, say that we want to do log forwarding and we have a Syslog server inside our company, and Syslog server could be for example, even the PCA has a KV syslog server and I can run the ICIS lock server there. It doesn’t have to be like a single machine. Obviously you can have if you’re a bigger company, you can have an own server for everything. But if it’s small, you can even run it as I run it on Windows Seven, right? And to do that, you first need to actually identify that server. And we’re going to need to do that under several profiles which is located on the device. And we go scroll down here and we have a server profiles and we have a syslog.

So syslog server. Say I’ll add a syslog server and I’m just going to give a name astrid syslog server and I will add a new syslog, which I’ll give it a name. This is my windows. Seven. And the IP address of that syslog of that machine is 192-1681 200. Now, syslog messages, I can send them as UDP that’s port. So it’s a best effort. Delivery five, one, four or TCP, which is a reliable delivery, same port or Encrypted, which is 6514, which is SSL format. You can choose a BSD format or IETF and the facility, what severity kind of these logs you want to use and click okay, log user will send everything. So I create my syslog server and then after I create my syslog server, then I have to create a login log forwarding which is not located under objects.

And if I scroll further down here, I have a log forward and I’ll click add now in the log forwarding, just give it a name. So astrid log forward, give it a description and I’m going to add a new log forward. And here I can choose what do you want to send? What type do you want to send a traffic log, thread log, the data authentication tunnel, URL or Wildfire? Let’s say traffic log and just say give it a name there. So traffic log and I can add the filter. So I can either send them all logs or I can use a custom filter builder to build different filter. Maybe just use an IP address, certain IP addresses or maybe Nat interfaces, whatever. You can choose a filter. Here I’m just going to put all logs and I’m going to forward in methods. We can have panorama which we don’t have in our network.

What we could have, we could have SNMP server, email syslog or Http. Well, I have a syslog, so I’m going to add that and I’m going to add the one I just created and click OK, now I click here. Okay, here as well. So we have a profile, a syslog server profile that we have a log forwarding method which I’m using that syslog. And then I’m going to add this to security policy. For example, if I go to policies and I’ll choose inside to outside security policy and under the action, I can have log forward in and use the one that I just created. So this will send that log into that kiwi server and after I commit that, but I’m going to show you this syslog on the next video because that’s made for the syslog anyway.