Palo Alto Logging Best Practices

Symptom:

Palo Alto Networks recommends *only* enabling logging at the end of the session.  Logging at ‘start’ doubles the size of the traffic logs; it should only be used for specific rules (e.g. when debugging a service that has long-lived sessions) and only for as long as necessary (minutes or hours, not days or weeks).  Additionally, Palo Alto recommends creating ‘allow’ and ‘deny’ rules with NO logging for traffic that doesn’t require being logged (DNS, ICMP, spoofed RFC-1918, etc.).  This reduces the number of log entries generated by low-value traffic.

When using a Tap interface (e.g. fed from a SPAN port or a NetOptics tap), creating “Deny” rules causes a high level of management plane CPU utilization: Deny rules do not create session state, so every subsequent packet of the same session triggers another policy lookup (the traffic is not actually being denied, since the firewall is only observing a SPAN port; unlike some other products, PAN-OS does not spoof reset packets to enforce a Deny on a Tap interface).   It is strongly recommended that all Tap interface rules are always Permit rules.

Currently PAN-OS supports cleartext syslog over UDP, standard FTP (scheduled log export) and Panorama; it does not support signed logs.  If encryption is required, one option is to set up a service route for syslog that points to a tunnel interface. This forces syslog packets to be encrypted when sent through the tunnel.

Regardless of whether logs are forwarded to a remote logger (Syslog), logs are always written locally.  Once a day, the firewall checks how much space the log database is using. When the space used reaches 80%, the firewall purges logs (oldest first).  You can adjust the quota for each type of log and receive an alarm when logs approach the quota.  If the logs reach 100%, Firewall performance is not affected, but the management interface becomes sluggish.

To view the log quotas, use the GUI (Device > Setup > Management) or, from the command line, run “show system logdb-quota”.

Problem:

Log volume is high, management plane CPU utilization is high, or the management interface has become sluggish.

Need to encrypt logs.

Need to manage local log storage.

Solution:

  • Only enable logging at the end of the session.
  • Create ‘allow’ and ‘deny’ rules with NO logging for traffic that doesn’t require being logged.
  • Do not create “Deny” rules on Tap interface zones, only ‘Permit’ rules.
  • If encryption is required, set up a service route for syslog and point it to a tunnel interface.
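As an added example (not from this article or from Palo Alto Networks), the following Python script applies the first two recommendations to a sample of forwarded traffic logs: it flags rules that still log at session start, and rules whose logged traffic is almost entirely low-value applications (DNS, ICMP, ping) that could be moved to a no-log rule. The field positions (subtype at index 4, rule name at index 11, application at index 14) follow the comma-separated PAN-OS traffic log layout as I understand it and should be checked against the field reference for your PAN-OS version; the hostname, serial number, rule names and log lines are constructed.

```python
"""Triage PAN-OS traffic logs for rules that inflate log volume.

Added example, not Palo Alto's code. Field indexes are an assumption based
on the PAN-OS traffic log field order; verify against your PAN-OS version.
"""
import csv
import re
from collections import Counter, defaultdict

# BSD syslog header ("<PRI>Mon  d HH:MM:SS host ") that precedes the CSV body.
SYSLOG_HEADER = re.compile(r"^<\d+>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+")

# Assumed 0-based field positions in the PAN-OS traffic log CSV body.
F_TYPE, F_SUBTYPE, F_RULE, F_APP = 3, 4, 11, 14

# Applications the article treats as low-value for logging purposes.
LOW_VALUE_APPS = {"dns", "icmp", "ping"}


def parse_traffic_line(line):
    """Return (subtype, rule, app) for a TRAFFIC log line, else None."""
    body = SYSLOG_HEADER.sub("", line.strip(), count=1)
    fields = next(csv.reader([body]))  # csv handles quoted fields (e.g. users)
    if len(fields) <= F_APP or fields[F_TYPE] != "TRAFFIC":
        return None
    return fields[F_SUBTYPE], fields[F_RULE], fields[F_APP]


def summarize(lines):
    """Per rule: a Counter of log subtypes and a Counter of applications."""
    subtypes = defaultdict(Counter)
    apps = defaultdict(Counter)
    for line in lines:
        parsed = parse_traffic_line(line)
        if parsed is None:
            continue
        subtype, rule, app = parsed
        subtypes[rule][subtype] += 1
        apps[rule][app] += 1
    return subtypes, apps


def find_noisy_rules(lines, low_value_share=0.9):
    """Map rule name -> reasons it inflates log volume.

    'log-at-start': the rule emits 'start' entries (log at session start).
    'low-value-traffic': at least low_value_share of its entries are for
    applications the article suggests not logging at all.
    """
    subtypes, apps = summarize(lines)
    findings = {}
    for rule in subtypes:
        reasons = []
        if subtypes[rule]["start"] > 0:
            reasons.append("log-at-start")
        total = sum(apps[rule].values())
        low = sum(n for a, n in apps[rule].items() if a in LOW_VALUE_APPS)
        if total and low / total >= low_value_share:
            reasons.append("low-value-traffic")
        if reasons:
            findings[rule] = reasons
    return findings


def _row(subtype, rule, app, src, dst):
    """Build one constructed traffic log line in the assumed field order."""
    fields = ["1", "2024/01/01 12:00:00", "001234567890", "TRAFFIC", subtype,
              "2049", "2024/01/01 12:00:00", src, dst, "0.0.0.0", "0.0.0.0",
              rule, "", "", app, "vsys1", "trust", "untrust"]
    return "<14>Jan  1 12:00:00 fw01 " + ",".join(fields)


# Constructed sample: one rule logging at start, one logging only DNS/ping,
# one deny rule, and a non-traffic (SYSTEM) line that must be ignored.
SAMPLE_LOGS = [
    _row("start", "allow-web", "web-browsing", "10.1.1.5", "203.0.113.10"),
    _row("end", "allow-web", "web-browsing", "10.1.1.5", "203.0.113.10"),
    _row("end", "allow-dns", "dns", "10.1.1.5", "10.1.1.2"),
    _row("end", "allow-dns", "dns", "10.1.1.6", "10.1.1.2"),
    _row("end", "allow-dns", "ping", "10.1.1.6", "10.1.1.2"),
    _row("deny", "deny-all", "not-applicable", "192.168.9.9", "10.1.1.2"),
    "<14>Jan  1 12:00:00 fw01 1,2024/01/01 12:00:00,001234567890,SYSTEM,"
    "general,0,2024/01/01 12:00:00,,,general,,,,,,,",
]

if __name__ == "__main__":
    for rule, reasons in sorted(find_noisy_rules(SAMPLE_LOGS).items()):
        print(f"{rule}: {', '.join(reasons)}")
```

Run it against a file of forwarded syslog lines (one per line) instead of SAMPLE_LOGS to see which rules are worth revisiting; a rule flagged as log-at-start outside a short debugging window, or one whose entries are nearly all DNS or ICMP, is a candidate for the no-log treatment the article recommends.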
