Palo Alto Security Reports v.1.0
1. Manage Reporting
The reporting capabilities on the firewall allow you to keep a pulse on your network, validate
your policies, and focus your efforts on maintaining network security for keeping your users safe
and productive.
After configuring the firewall, enabling security policies and profiles, you can sit back and focus
on other tasks, knowing that your network is secure. A good way to keep that peace of mind
without constantly checking logs and searching for anomalies is to use scheduled reports to keep
you posted on everything happening in your network.
1.1.1. Predefined Reports
The firewall provides an assortment of over 40 predefined reports that it generates every day.
You can view these reports directly on the firewall. You can also view custom reports.
About 200 MB of storage is allocated for saving reports on the firewall. You can’t configure this
limit but you can Configure the Report Expiration Period: the firewall will automatically delete
reports that exceed the period. Keep in mind that when the firewall reaches its storage limit, it
automatically deletes older reports to create space even if you don’t set an expiration period.
Another way to conserve system resources on the firewall is to Disable Predefined Reports. For
long-term retention of reports, you can export the reports or Schedule Reports for Email Delivery.
The reports are grouped into sections (types) on the right-hand side of the page: Custom
Reports, Application Reports, Traffic Reports, Threat Reports, URL Filtering Reports, and PDF
Summary Reports.
To view Reports:
Select Monitor > Reports
To view the reports, click the report names on the right (Custom Reports, Application Reports, Traffic
Reports, Threat Reports, URL Filtering Reports, and PDF Summary Reports). Note that Custom Reports
won't be listed if you haven't created any.
By default, all reports are displayed for the previous calendar day. To view reports for an earlier day, select a
report generation date from the drop-down list at the bottom-right of the page.
The reports are listed in sections. You can view the information in each report for the selected time period.
To export a report in CSV format, click Export to CSV. To open the report in PDF format, click
Export to PDF.
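For the long-term retention the Predefined Reports section recommends, the same report content can be pulled off-box with the PAN-OS XML API instead of clicking through Monitor > Reports. The following is an added example, not from the original document or from Palo Alto Networks: it assumes the XML API report request (type=report with reporttype=predefined and reportname), the X-PAN-KEY header for the API key, a hostname and key supplied through environment variables, and a constructed sample response whose column tags are illustrative (real column names vary by report).

```python
"""Archive a PAN-OS predefined report off-box by pulling it over the XML API.

Added example, not part of the original document. Assumptions: the XML API
report request (type=report, reporttype=predefined, reportname=...), the
X-PAN-KEY header for the API key, the hostname, and the sample XML response
below (tag names constructed for illustration; real column names vary by report).
"""
import csv
import io
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_report_url(host, report_name, report_type="predefined"):
    """URL for the report request; the API key goes in a header, never in the URL."""
    query = urllib.parse.urlencode(
        {"type": "report", "reporttype": report_type, "reportname": report_name}
    )
    return f"https://{host}/api/?{query}"


def fetch_report(host, api_key, report_name, cafile=None):
    """GET the report XML. TLS verification stays on; pass the firewall CA via cafile if it is private."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(build_report_url(host, report_name))
    req.add_header("X-PAN-KEY", api_key)  # keeps the key out of URLs, proxy logs and shell history
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_report(xml_text):
    """Turn <entry> elements into dicts; raise on a non-success API status instead of saving junk."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "no message"
        raise RuntimeError(f"API status={root.get('status')}: {msg}")
    rows = []
    for entry in root.iter("entry"):
        rows.append({child.tag: (child.text or "").strip() for child in entry})
    return rows


def rows_to_csv(rows):
    """Same shape as the GUI's Export to CSV: one header row plus one line per entry."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed response, shaped like the API's report XML but with made-up values.
SAMPLE_RESPONSE = """<response status="success">
<report reportname="top-denied-applications" name="Top denied applications">
  <entry><app>bittorrent</app><category>file-sharing</category><sessions>184</sessions></entry>
  <entry><app>tor</app><category>proxy</category><sessions>61</sessions></entry>
  <entry><app>ssh</app><category>networking</category><sessions>9</sessions></entry>
</report>
</response>"""

# Constructed error response; the firewall answers like this when the key is rejected.
SAMPLE_ERROR = '<response status="error"><result><msg>Invalid credentials.</msg></result></response>'


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; the live path runs only when both variables are set.
    print(rows_to_csv(parse_report(SAMPLE_RESPONSE)), end="")
    if os.environ.get("PANOS_HOST") and os.environ.get("PANOS_API_KEY"):
        live = fetch_report(os.environ["PANOS_HOST"], os.environ["PANOS_API_KEY"], "top-denied-applications")
        with open("top-denied-applications.csv", "w", encoding="utf-8") as fh:
            fh.write(rows_to_csv(parse_report(live)))
```

Run it from a scheduled job on a log host and you get the CSV that the GUI's Export to CSV produces, without depending on the firewall's 200 MB report store or on its expiration period. Use an API key tied to a dedicated read-only admin role so the archiving job cannot change configuration if the key leaks.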
1.1.1.1. Application Reports:
The Application reports give you information about the top applications with the most sessions, the top denied
applications, and the top application categories with the most sessions. To view an application report, select
Monitor > Reports and, under the Application Reports section, choose one of the reports. Reports are available
for Applications, Application Categories, Technology Categories, HTTP Applications, SaaS Application Usage,
and Denied Applications.
1.1.1.2. SaaS Application Usage Report:
Use this report to gain visibility into the SaaS application traffic running on your network. The report
identifies the application name and subcategory of each SaaS application and details the number of
sessions and bytes for each application on the selected date. In addition, the report identifies the number
of threats detected in each application.
To investigate any suspicious traffic, click the application name or category to view more details in
the Application Command Center (ACC).
1.1.1.3. Traffic Reports:
The Traffic reports give information about the top security rules, sources, destinations, and countries with the
most sessions.
1.1.2. User or Group Activity Reports
User/Group Activity reports summarize the web activity of individual users or user groups. Both reports
include the same information except for the Browsing Summary by URL Category and Browse time
calculations, which only the User Activity report includes.
You must configure User-ID on the firewall before the list of users and user groups is available.
To generate a User or Group Activity report, follow the procedure below:
1. Select Monitor > PDF Reports > User Activity Report.
2. Click Add and then enter a Name for the report.
3. Create the report:
User Activity Report—Select User and enter the Username or IP address (IPv4 or IPv6) of
the user.
Group Activity Report—Select Group and select the Group Name of the user group.
4. Select the Time Period for the report.
5. Optionally, select the Include Detailed Browsing check box (default is cleared) to include detailed
URL logs in the report. The detailed browsing information can include a large volume of logs
(thousands of logs) for the selected user or user group and can make the report very large.
6. To run the report on demand, click Run Now.
7. To save the report configuration, click OK. You can’t save the output of User/Group Activity
reports on the firewall.
1.1.3. Custom reports
b. A difference between the Summary and Detailed URL databases, for example, is that the
Summary database can report which categories and domains were accessed a given number of
times, while the Detailed log can report the exact URLs accessed from a given source. For
most reports, we recommend using the Summary databases.
4. After selecting the database to create your report, enable the schedule and set a timeframe. An
unscheduled report can be run only manually, but allows smaller timeframes, while a scheduled
report, which generates and stores reports historically, can be configured to automatically email
a daily, weekly or monthly report.
5. If you'd like to look at some sample reports, you can Load a Report Template from the
predefined reports, which you can then customize. Start by loading the Top Applications
template:
6. The Selected Columns and Database are automatically loaded from the template, you
need only to change the Name and Time Frame.
7. If you click the Run Now button, a sample report is generated.
8. If you head back to the Report Settings, you can add more detail to the report by adding
the 'Threats' column, changing 'Sort By' to Threats, and grouping the data by Day.
9. You can also use the Query Builder to tune the report further. If you want to filter DNS
and port mapper out of the report, create a condition with the attribute app, the operator
not equal and the value dns, then add a second not-equal condition for port mapper joined with and.
The report will now no longer contain these applications.
10. If you go ahead and click OK and Commit, the report will be added to the scheduled
report jobs that run every night and become available in the custom reports viewer:
11. After you've created a few of these reports, you can go ahead and add them into a report
group.
12. The report group can then be added to an Email Scheduler so it is automatically mailed to
you and your coworkers.
13. If you haven't created an Email Server Profile before, it should look somewhat like this:
14. You can send a test email to make sure your configuration works as expected before
committing and waiting for the first report to appear.
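What steps 6 to 9 produce can be reproduced offline over constructed traffic-summary rows: filter with a Query Builder expression, group by Day, add the Threats column and sort by it. The block below is an added example, not from the original document or from PAN-OS; it handles only the subset of Query Builder syntax those steps use, (field eq value), (field neq value), and/or and parentheses, and the rows, dates and the application name portmapper are constructed.

```python
"""Build the custom report of steps 6-9 (Threats column, sort by Threats, group by Day,
Query Builder filter) over constructed traffic-summary rows.
Added example, not from the original document or PAN-OS. Grammar handled: (field eq value),
(field neq value), and/or, parentheses. Rows, dates and the app name 'portmapper' are constructed.
"""
import re
from collections import defaultdict

# Tokens: parentheses, the connectors and/or, quoted values, bare words.
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|'[^']*'|[^\s()]+")


def tokenize(query):
    return _TOKEN.findall(query)


class QueryParser:
    """expr := term (('and'|'or') term)* ; term := '(' expr ')' | field op value.
    Connectors bind left to right with equal precedence; use parentheses to group."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        left = self.term()
        while self.peek() in ("and", "or"):
            connector = self.take()
            left = (connector, left, self.term())
        return left

    def term(self):
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        field, op, value = self.take(), self.take(), self.take()
        if op not in ("eq", "neq"):
            raise ValueError(f"unsupported operator {op!r}")
        return (op, field, value.strip("'"))


def evaluate(node, row):
    """Apply a parsed filter to one row (comparisons are on string values)."""
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], row) and evaluate(node[2], row)
    if kind == "or":
        return evaluate(node[1], row) or evaluate(node[2], row)
    actual = str(row.get(node[1], ""))
    return actual == node[2] if kind == "eq" else actual != node[2]


def build_report(rows, query, group_by="day", sort_by="threats", top_n=5):
    """Filter, aggregate per (group, app), then rank each group by the sort column."""
    predicate = QueryParser(tokenize(query)).parse()
    totals = defaultdict(lambda: {"sessions": 0, "threats": 0})
    for row in rows:
        if evaluate(predicate, row):
            bucket = totals[(row[group_by], row["app"])]
            bucket["sessions"] += row["sessions"]
            bucket["threats"] += row["threats"]
    report = defaultdict(list)
    for (group, app), agg in totals.items():
        report[group].append({"app": app, **agg})
    for group in report:
        report[group].sort(key=lambda e: (-e[sort_by], -e["sessions"], e["app"]))
        report[group] = report[group][:top_n]
    return dict(sorted(report.items()))


# Constructed traffic-summary rows; an app may appear more than once per day.
SAMPLE_ROWS = [
    {"day": "2024-03-01", "app": "web-browsing", "sessions": 1200, "threats": 3},
    {"day": "2024-03-01", "app": "dns", "sessions": 9800, "threats": 0},
    {"day": "2024-03-01", "app": "ssl", "sessions": 2400, "threats": 1},
    {"day": "2024-03-01", "app": "smtp", "sessions": 150, "threats": 7},
    {"day": "2024-03-01", "app": "web-browsing", "sessions": 300, "threats": 2},
    {"day": "2024-03-02", "app": "portmapper", "sessions": 40, "threats": 0},
    {"day": "2024-03-02", "app": "ssl", "sessions": 2600, "threats": 0},
    {"day": "2024-03-02", "app": "web-browsing", "sessions": 1100, "threats": 4},
]

if __name__ == "__main__":
    for day, entries in build_report(SAMPLE_ROWS, "(app neq dns) and (app neq portmapper)").items():
        print(day)
        for e in entries:
            print(f"  {e['app']:<14} sessions={e['sessions']:<6} threats={e['threats']}")
```

The point of sorting by Threats rather than Sessions is visible in the output: smtp, with a fraction of the session count of ssl, rises to the top of the day because it carried the most threat hits, which is the ordering you want when the report is meant to direct investigation rather than capacity planning.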
1.1.4. Botnet Reports
The botnet report enables you to use heuristic and behavior-based mechanisms to identify
potential malware- or botnet-infected hosts in your network. To evaluate botnet activity and
infected hosts, the firewall correlates user and network activity data in Threat, URL, and Data
Filtering logs with the list of malware URLs in PAN-DB, known dynamic DNS domain providers,
and domains registered within the last 30 days. You can configure the report to identify hosts
that visited those sites, as well as hosts that communicated with Internet Relay Chat (IRC) servers
or that used unknown applications. Malware often uses dynamic DNS to avoid IP blacklisting, while
IRC servers often use bots for automated functions.
Configure a Botnet Report
You can schedule a botnet report or run it on demand. The firewall generates scheduled botnet
reports every 24 hours because behavior-based detection requires correlating traffic across
multiple logs over that timeframe.
1. Define the types of traffic that indicate possible botnet activity.
Select Monitor > Botnet and click Configuration on the right side of the page.
Enable and define the Count for each type of HTTP Traffic that the report will
include.
The Count values represent the minimum number of events of each traffic type
that must occur for the report to list the associated host with a higher confidence
score (higher likelihood of botnet infection). If the number of events is less than
the Count, the report will display a lower confidence score or (for certain traffic
types) won't display an entry for the host. For example, if you set the Count to
three for Malware URL visit, then hosts that visit three or more known malware
URLs will have higher scores than hosts that visit fewer than three.
Define the thresholds that determine whether the report will include hosts
associated with traffic involving Unknown TCP or Unknown UDP applications.
Select the IRC check box to include traffic involving IRC servers.
Click OK to save the report configuration.
2. Schedule the report or run it on demand.
Click Report Setting on the right side of the page.
Select a time interval for the report in the Test Run Time Frame drop-down.
Select the No. of Rows to include in the report.
(Optional) Add queries to the Query Builder to filter the report output by
attributes such as source/destination IP addresses, users, or zones.
Select Scheduled to run the report daily or click Run Now to run the report
immediately.
Click OK and Commit.
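The threshold semantics of step 1 (a Count per HTTP traffic type, the Unknown TCP/UDP thresholds and the IRC check box) can be illustrated by scoring constructed per-host events. The block below is an added example, not PAN-OS's scoring algorithm and not from the original document: the traffic-type names and the higher/lower-confidence rule follow the text above, while the point values, the 1 to 5 confidence scale, the host addresses and the events are constructed, and the unknown-application thresholds are reduced to sessions per hour.

```python
"""Model of how the botnet report's Count thresholds turn per-host event tallies into a
confidence ranking. Added example: the traffic types and threshold semantics follow the
text, but the point values, the confidence scale, the events and the host addresses are
constructed and this is not PAN-OS's actual scoring algorithm.
"""
from collections import Counter, defaultdict

# Monitor > Botnet > Configuration, HTTP Traffic: enabled flag and Count per traffic type.
HTTP_TRAFFIC = {
    "malware-url-visit": {"enabled": True, "count": 3},
    "use-of-dynamic-dns": {"enabled": True, "count": 5},
    "browsing-to-ip-domains": {"enabled": True, "count": 10},
    "browsing-to-recently-registered-domains": {"enabled": True, "count": 5},
    "executable-files-from-unknown-sites": {"enabled": False, "count": 5},
}
# Unknown applications: only a sessions-per-hour threshold is modelled here (the GUI also
# has destinations per hour and byte limits, which are omitted).
UNKNOWN_APPS = {"unknown-tcp": 20, "unknown-udp": 20}
INCLUDE_IRC = True

# Constructed correlated events: (source host, traffic type). A real run derives these from
# the Threat, URL Filtering and Data Filtering logs over the 24-hour window.
EVENTS = (
    [("10.1.1.5", "malware-url-visit")] * 4
    + [("10.1.1.5", "use-of-dynamic-dns")] * 2
    + [("10.1.1.5", "irc")]
    + [("10.1.1.9", "malware-url-visit")] * 2
    + [("10.1.1.20", "unknown-tcp")] * 30
    + [("10.1.1.30", "web-browsing")] * 50                          # benign; no entry
    + [("10.1.1.40", "executable-files-from-unknown-sites")] * 9    # type disabled; no entry
)


def tally(events):
    """Per-host Counter of event types."""
    per_host = defaultdict(Counter)
    for host, kind in events:
        per_host[host][kind] += 1
    return per_host


def score_host(counts, http_cfg=HTTP_TRAFFIC, unknown_cfg=UNKNOWN_APPS, include_irc=INCLUDE_IRC):
    """Return (points, reasons): at or above Count earns full points, below Count reduced points."""
    points, reasons = 0, []
    for kind, cfg in http_cfg.items():
        seen = counts.get(kind, 0)
        if not cfg["enabled"] or seen == 0:
            continue
        if seen >= cfg["count"]:
            points += 2
            reasons.append(f"{kind}: {seen} >= Count {cfg['count']}")
        else:
            points += 1
            reasons.append(f"{kind}: {seen} < Count {cfg['count']} (lower confidence)")
    for proto, threshold in unknown_cfg.items():
        seen = counts.get(proto, 0)
        if seen >= threshold:
            points += 2
            reasons.append(f"{proto}: {seen} sessions >= {threshold}")
    if include_irc and counts.get("irc", 0):
        points += 1
        reasons.append("irc: traffic to an IRC server")
    return points, reasons


def botnet_report(events, top_n=10):
    """Hosts with any points, confidence 1..5 (constructed scale), highest confidence first."""
    rows = []
    for host, counts in tally(events).items():
        points, reasons = score_host(counts)
        if points:
            rows.append({"host": host, "confidence": min(5, points), "reasons": reasons})
    rows.sort(key=lambda r: (-r["confidence"], r["host"]))
    return rows[:top_n]


if __name__ == "__main__":
    for row in botnet_report(EVENTS):
        print(f"{row['host']:<12} confidence={row['confidence']}  " + "; ".join(row["reasons"]))
```

Two things the model makes concrete: a host that trips one threshold comfortably (10.1.1.5, four malware URL visits against a Count of three, plus IRC) outranks a host with more total events of a disabled type (10.1.1.40), and lowering a Count moves hosts from the lower to the higher tier rather than creating new entries, so tune Counts against the false positives you actually see in the output rather than setting them all to one.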
When reviewing the report output, you might find that the sources the firewall uses to evaluate
botnet activity (for example, the list of malware URLs in PAN-DB) have gaps. You might also find
that these sources identify traffic that you consider safe.
1.2. Disable Predefined Reports
In some scenarios it may be desirable to disable the predefined reports on Palo Alto
Networks devices. For example, the device may be busy, and generating the predefined reports
adds management plane (MP) CPU load. Another reason to disable the predefined reports is that
you have configured custom reports that already cover what you need.
In PAN-OS, a firewall administrator can disable the predefined reports all at once, individually,
or as a group of reports.
Steps to disable predefined reports