Palo Alto PCNSA – Chapter 11 – Monitoring and Reporting part 4

7. 11.7 Lab Monitoring and Reporting

In this video, we are covering Pcnsa 210, and this is our chapter eleven, monitoring and reporting. Now this is the 7th video of chapter eleven, which is our lab. So 11. 7 lab on monitoring and reporting. So on this lab, what we’re going to do, the first thing is we’re going to explore the session browser, which is actually the sessions that run in, currently running in your firewall. So first we’re going to create some sessions and then look at browse those sessions. We’re going to investigate traffic via the ACC and logs as well as we’re going to export traffic log to CSV file, and then we’re going to use the Excel to open that file. We’re going to create a custom report as well as at the end we’re going to configure and verify our syslog.

So this is the lab topology that I will be using to demonstrate monitoring and reporting for you. And I have a PC on the inside zone, which is going to create or generate traffic towards the outside. And we’re going to monitor that traffic on our Firewall so that’s through the session browser as well as we’re going to generate some traffic from the Kali Linux outside towards the bundle server and we’re going to monitor that traffic as well. And then we’re going to look at the ACC and we’re going to create at the end we’re going to create a syslog server with that IP address where we’re going to send our syslog messages and well view them from our syslog application. So there’s quite a few things to be done on this lab as well.

So if I go to my firewall and start demonstrating, monitoring and reporting, the first thing we see when we log on to Firewall, we see the dashboard tab, which is very important, and we see quite useful information here. So one of the things that I do add is this interfaces, which I like to see the status of my interfaces right away, other information like software version, it’s important, the application, threat version, application version, antivirus version and so on, there’s important stuff on the dashboard. Very quick glance what’s happening with your firewall. We can update, we can add other widgets, just so you remember, for example, the high availability for the next lesson, we’re going to add it and see it what’s happening, and we can update this either manually or we can set it to 1 minute, two minutes or five minutes.

Okay, so like I said, the first thing we’re going to look at is the session browser, which is located under monitor, and towards the end we have a session browser. But this will display the current sessions on your firewall. So, current sessions, because it’s not a production firewall, there’s only one session happening here. But the first thing is I’m going to actually create some sessions from my inside machine, which is here towards the outside, from that address, 192-1681, 200, and we’re going to look at those sessions. So if I refresh, there’s only one session here, okay? So if I access my PC in the inside and I’m just going to access some files from chapter six or five that we’re not allowed to access. For example, all of these will be blocks. So at the same time I’m creating threads so we can monitor stuff.

Let me access. So I created some sessions here. If I go back to my Firewall and in the session browser, if I refresh that, I see some extra sessions. Well, that’s good. This is the one that I want to see. And the IP address is 192-1681 200. And as you see, that’s the inside zone machine. And we can see those address is going from inside to outside to outside, from this address to that’s a DNS, or that address maybe. And we can see the inside, the source port, destination port and the protocol ID and the rule as well. So it’s quite a lot of information here, but if you want to see more detailed information, I have to click on this plus, and that will give me detailed information about that single session. Like for example, session ID 3579 and flows for example, client to server flow, which is from that IP address to that IP address and port numbers and then returning traffic server to client.

As you can see, the server doesn’t know the private IP address, it knows only the public address. So I can see that that address has been translated. Okay, so those were the sessions from the inside machine and as you refresh, those are going to start disappearing because they’re not going to be there forever. So now I’m going to create some more sessions. As I’m clicking them, you can see that each one is disappearing. I’m going to create a new one from my Kali Linux towards my Demilitarized Zone server. So from here to here, some sessions and then we can see them here. I’m running a script vulnerability testing from to my Demilitarized Zone server. So if I just run that, that’s going to start creating loads of sessions, right? So if I refresh now, you will see they should come.

Okay, let’s go back and try again and see what’s happening. Yeah, it’s happening, it’s going. And there we go. Now we can see the sessions from the Dimitrizones Kali Linux to DMZ. So from 21, that’s my Kali Linux machine and that’s my democratizer server. So again we can look at those sessions coming from sources from outside. So you can see sources from outside going to the Demilitarized zone, that’s the IP address and so on, same stuff. And we can see the state as well, which now says in it initializing state while the other one was active. Okay, great. The next thing we’re going to look at is the app scope and this will display the gainers and losers or five gainers and loser or bandwidth consuming apps, for example. And then we have to stay on the same tab. We go to monitor, we have apps scope and we have a summary.

And in the summary we can see like with the gainers and losers on the last five, top gainers of application consuming bandwidth. Here, for example, we can see top five bandwidth consuming sources, top five bandwidth consuming apps. So important stuff here. And we can see the change monitor and this displays the changes over a specific time period. So for example, let’s say in last 24 hours, these are the changes of apps coming in. So browsing is going up, unknown, UDP is going down and so on. And then threat monitor, what’s the threats around the world or what’s the threats in our firewall? And then we can see the threat map where they come in, those threats. And the firewall is pointing downwards under the screen here. And if you need to put it in the correct place like it’s in London, we need to change the coordinates and we can see the threat, for example, last 30 days. And the same thing, we go for the network monitor and the traffic map.

So there’s quite a lot of information here, what’s happening, what sort of traffic is coming in and out of your network. Change monitor will be one of the important things. We see gainers losers of different apps, what’s coming in and going out. And you can either top 10, 25, 50 or you can see top 100. Okay, again, not a lot to see and not very exciting here because this is just a training firewall, it’s not a production firewall. Anyway, the next thing we’re going to see is the application command center, which is right next to the monitor. It’s got its own tab, application command center. And this is very important to see what’s happening with your firewall. And this is interactive graphical summary of the application users, URL and threads traversing our network or our firewall.

And there is displayed in four tabs. We can have a network tab, threat activity tab, blocked activity and tunnel activity. So you have four activity tabs as well as you can add your own ones. I can’t go to details, otherwise this video will go very long. But anyway, this will be built from the firewall logs to provide visibility of all traffic that’s going through your network and information about threats on your network. And you can see this from last hour. So we can drill down to for example, last 24 hours, we can see what sort of applications and again we can look at, for example, application usage. So web browsing, we have quite a few web browsing, source IP activity, destination IP activity, important stuff here.

So if I can go down to, for example, let’s see this, you can go and put it on the global filter and then all the widgets on this ACC tab will be built from that global filter. For example, if I put 191681 200 and I click this arrow here, that’s going to build all the widgets from that IP address. So everything to do now is from that IP address. Now if I can go here and say, okay, well, web browsing, I want to look at the web browser and I go to the jump to logs so I can pivot from here to the logs and kind of like it will do traffic log and it will filter. Just ask what I searched. You see, I searched the IP address that I have plus the web browsing. So anytime they went to the web browser from this IP address and you can see there’s a lot of threads here that I created is displaying.

Okay, the next thing is what we’re going to do is we’re going to look at the custom report. So we’re going to look at creating some sort of reports. For example, by default the firewall will create 40 reports over the night at 02:00 a. m. . Actually we’ll do these reports, but they are very detailed and you know, maybe you don’t want them in so much detail. Maybe you need to report to someone about something that’s happening in your firewall rather than send them detailed report. You can create your own custom report and that will be under monitor. And if you scroll down we have PDF reports, okay? And then we can have a managed custom report and reports. Well, this report here will be all the reports that will be created by default.

Or we can create our own one. So manage custom report. So I’m going to create a report and this is, well, I’m just going to call it Astrid rule hit or rule hits. So I’m going to look at what my firewalls rules, security rules I have, how many hits they have in are they having lots of hits or they don’t have any hits and so on. That’s important description. Obviously in production you’ll put a description here, application statistics, for example. Here we have a different statistics. So whatever we press here then the available columns will be available, added or populated. So what are we looking for is traffic, detailed logs on traffic and available columns are added to that. And this is alphabetically ordered. So wherever you want to look, you can find alphabetically here.

What we want to look for is action. So is it allowed deny or so on? We want to look at, for example, hey, we can add whatever we want, really. We can add bites, right? Say and we want to add, for example, count. And for example, we want to add a rule. So if I go further down, I’ll find a rule and add it. I can have a rule unique ID if I want. Universal unique ID if I want. Let’s do that, that’s fine. And if I do schedule here, this is going to run on the normal, like scheduling on the firewall at 02:00 A. m. Or if I can do it, I can run at any time not scheduled. Scheduled means it’s going to run every night. You can run time frame and you can sort these by, for example, bytes bites, send receive packets, let’s say packets and we put top, say 25 and we can group them.

So for example, we can group them by day, let’s say that. And this one we can run query builder. So query builder, we can add extra filters. For example, in this rule for some specific IP address. For example, if I’m concerned with I’ll put a specific IP address or just go in more detail about querying this report now I can run the report now and just see what how it looks like and if I’m happy I can save it. So run the report and this report there we go. This is what we have day. This rule was allowed and this rule was out to demilitarize zone and usually hits 19,000 because I’m creating so many attacks from the Kali Linux, we have 19,000 hits and 27. 2 megabytes. And we can have another rule, the in, same day into out and five, 5. 7 say you can see the information and I can export this in PDF, CSV or XML.

So if I export a PDF and then you can print it and display it to someone, give it to someone. Okay, here is what I’ve created, the rule, the custom rule that we just created, okay? So if we’re happy with it, so we can just save it, that’s it. And then because it’s scheduled, it’s going to run with the firewall, with the schedule of firewalls. And if you want to check when the firewall is going to run, you need to go to device. Well, when the reports are going to be generated, set up management. And then we have a down here we have a login and reporting. And if you click on the gear icon, you see that it’s a 02:00 A. m. . So log export and reporting, it’s a 02:00 A. m. . That’s how we can change this as well, if we want to.

For example, the next thing we’re going to do is we’re going to actually we’re going to export our traffic, our traffic log to CSV file. Now by default that exports 65,535 lines and that’s a maximum or rows, that’s a maximum. So for example, let’s just, let’s just export 50 rows, right, instead of all that and you can change it. So I wouldn’t change it, it doesn’t matter really. Okay, so I’m going to go to my monitor and look at the traffic log. So logs, traffic, take off this filter, so clear the filter and I will see all my traffic that’s happening at the moment. And now if I want to export this to say a CSV file, this is manually without doing reports, then I have to press here, this icon here and export to CSV and this will show you. Now change it to 50, but that’s not going to take effect till I press commit.

So download the file and we can see the log. Okay, that’s our log here, that’s our log here. 665,535 lines or rows. It’s important stuff if you want to export it manually. The log, he can see it. Okay, excellent. The next thing we’re going to do is we’re going to configure and verify syslog. Now, syslog you should be familiar with what is syslog about? When we grab the logs from instead of just you in syslog messages individual machine, we can send them to the server and we can gather them from all over place, all over our network devices, Ie printers, routers switches, our firewalls. They will send the syslog messages to a centralized location and then we can look at it from there. For example, I have a systog application.

It doesn’t have to be a server, it could be a machine, just a normal regular client machine in production, obviously you make a fully fledged server. But I have a Syslog application here, installed this Kiwi syslog server in my in this client machine. And already we have some from what we configured yesterday. So let me clear that, clear that display and this is what I’m going to use as my syslog servers. And we can collect, we can collect from all the devices into here and then we can view our Syslog messages here. The thing is that obviously in production you would not use this. You would have a proper fully fledged server with Syslog feature installed. And then because there will be more space, you need a lot of storage for syslog.

Anyway, to configure our syslog we need to go to device tab and then we have to create a Syslog server profile which is located on server profile and syslog. And then I have to create it here. So that’s going to be on my profile for syslog. And then I’m going to configure a forwarding so we can forward a log forwarding and then we’re going to attach it to a policy. Okay, let’s create it. So ads and in the name, I’m just going to call it Astrid and Systog. And obviously in production you will use more meaningful names and all that. But here we go. Add and the name. Well, that machine is in windows seven. So I’m just going to say windows Seven or Wind Seven? And that Windows Seven machine IP address is 192-1681 206 istalk.

We can send it as a three ways. You can either send it as a best effort delivery reliable, which is TCP or encrypted SSL. Now, if you’re not sure if you’re concerned with messages being a clear text or sending a clear text, then we have to configure with SSL which is 6514 is a port number. Now for that we need to create certificates as well. But I’m not going to do in this demonstration, we did it on the lesson, but here I’m just going to do it. UDP right, so five, one, four, and then the format, we have two formats. BSD is a default, and we have IETF. We can just use BSD. And then we can change the facility as well. Whatever facility you want. What is the severity, what kind of syslog messages you want to send.

And as well as we can change the format over syslog. For example, if you don’t want to see the date, which will be crazy, but if you don’t want to see the date, or maybe the sequence number, or you just want to see what format, what information you want to see on your systog messages, okay, done. That’s it. So I created a systogether there, and I’m going to create for example, I’m going to create a log forward in. So if I have to go to objects and scroll little bit down here as a log forward in, which I’m going to call for that systock server. So add that, and I’m just going to call it Astrid log forward. And in there I’m going to add and you have to give another name lots of times to give a name. So this is one forwarding method. So Astrid forward one, for example.

Then we can choose what do we after you put the description in production, you can choose the log type. Do you want to send traffic threads or tunneling information? Data authentication, URL wildfire. So I want to send traffic here. I want to send my log. And then again, with the filter builder, it’s hard to say you can actually build different type of filters. So you can just say, well, I don’t want to send those type of logs. I want to send those type of logs, and so on. I’m going to just leave it as all logs. And all this stuff I’m going to ignore because we have went through the lesson. But I’m just going to use a systog here. So add that. And I have my syslog server that I created and click okay, again.

And this log forward in, I’m going to add it to my policy. So go to policies. Security policy. So I click on one of them and go to the action and then log forward in. I can add here and that’s it. And after, please commit. We can go on the machine on the Windows Seven and check it. Okay, now the commit has completed successfully. If I go to my Windows Seven machine, there should be some logs coming up very soon here. Now, let’s see. Okay, we just had to wait a few minutes to start seeing some logs and they start coming. That’s my IP address of my route, of my firewall, and there’s some log messages coming there. That’s it. Excellent.