From Palo Alto Networks NDM Security Technical Implementation Guide
Part of SRG-APP-000125-NDM-000241
Associated with: CCI-001348
Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly forwarding logs to a syslog server helps to assure, in the event of a catastrophic system failure, the audit records will be retained.
Check if there is a Syslog Server profile. Go to Device >> Server Profiles >> Syslog If there are no profiles listed in the "Servers" window, this is a finding. Check if log forwarding is enabled for the Traffic Log and Threat Log. Go to Objects >> Log forwarding If the "Syslog" field does not list the Syslog Server profile for the Traffic Log, this is a finding. If the "Syslog" field does not list the Syslog Server profile for all of the Severity levels of the Threat Log, this is a finding. Check if log forwarding is enabled for the Configuration Log. Go to Device >> Log Settings >> Config In the "Log Settings - Config" pane. If the "Syslog" field does not display the Syslog Server profile, this is a finding. Check if log forwarding is enabled for the System Log. Go to Device >> Log Settings >> System The list of severity levels is displayed. If the "Syslog Profile" field does not display the Syslog Server profile for each Severity level (except "informational"), this is a finding.
Configuring the Palo Alto Networks security platform to forward logs to a syslog server depends on which log it is. Create a Syslog Server profile: Go to Device >> Server Profiles >> Syslog Select "Add". In the "Syslog Server Profile", enter the name of the profile; select "Add". In the "Servers" tab, enter the required information: Name: Name of the syslog server Server: Server IP address where the logs will be forwarded to Port: Default port 514 Facility: Select from the drop down list Select "OK". Enable log forwarding for the Traffic Log and Threat Log. Configure the log-forwarding profile to select the logs to be forwarded to syslog server. Go to Objects >> Log forwarding Select "Add". The "Log Forwarding Profile" window appears. Note that it has five columns. Traffic Settings - in the "Syslog" column, select the "Syslog Server Profile". Threat Settings - select the severity levels that will be sent to the syslog server; for each selected level, select the Syslog Server Profile. Enable log forwarding for the Configuration Log. Go to Device >> Log Settings >> Config Select the "Edit" icon (the gear symbol in the upper-right corner of the pane) In the "Log Settings - Config" window, in the "Syslog" drop-down box, select the configured server profile Select "OK". Enable log forwarding of System Log: Go to Device >> Log Settings >> System The list of severity levels is displayed. Select a Server Profile for each severity level to forward. The "informational" severity level is optional; all others are mandatory. Select each severity level in turn; with each selection, the "Log Systems - Setting" window will appear. In the "Log Systems - Setting" window, in the "Syslog" drop-down box, select the configured server profile. Select "OK". For Traffic Logs and Threat Logs, use the log forwarding profile in the security rules: Go to Policies >> Security Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule. Go to "Actions" tab; in the "Log forwarding" field, select the log forwarding profile. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer