From Palo Alto Networks ALG Security Technical Implementation Guide
Part of SRG-NET-000077-ALG-000046
Associated with: CCI-000133
Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to know the source of the event. In addition to logging where sources of events such as IP addresses, processes, and node or device names, it is important to log the name or identifier of each specific policy or rule that is violated.
Go to Policies >> Security View the configured security policies. For any Security Policy where the "Action" column shows "deny", view the "Options" column; if there are no icons in the column, this is a finding. Note: The "Action" column and the "Option" column are usually near the right edge; it may be necessary to use the slide to view them.
Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. In the "Actions" tab, select "Log At Session End". This generates a traffic log entry for the end of a session and logs drop and deny entries. Note: Traffic and Security Logs are required to be forwarded to syslog servers. In the "Log Forwarding" field, select a configured log forwarding profile. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer