PANW-AG-000024 - The Palo Alto Networks security platform must log violations of security policies.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to know the source of the event. In addition to logging where sources of events such as IP addresses, processes, and node or device names, it is important to log the name or identifier of each specific policy or rule that is violated.

In the Palo Alto Networks security platform, traffic logs record information about each traffic flow, and threat logs record the threats or problems with the network traffic, such as virus or spyware detection. Note that the antivirus, anti-spyware, and vulnerability protection profiles associated with each rule determine which threats are logged (locally or remotely).

Solution

Go to Policies >> Security
Select 'Add' to create a new security policy or select the name of the security policy to edit it.
Configure the specific parameters of the policy by completing the required information in the fields of each tab.
In the 'Actions' tab, select 'Log At Session End'. This generates a traffic log entry for the end of a session and logs drop and deny entries.

Note: Traffic and Security Logs are required to be forwarded to syslog servers.

In the 'Log Forwarding' field, select a configured log forwarding profile.
Commit changes by selecting 'Commit' in the upper-right corner of the screen.
Select 'OK' when the confirmation dialog appears.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y22M04_STIG.zip

Item Details

References: CAT|III, CCI|CCI-000133, Rule-ID|SV-228836r557387_rule, STIG-ID|PANW-AG-000024, STIG-Legacy|SV-77045, STIG-Legacy|V-62555, Vuln-ID|V-228836

Plugin: Palo_Alto

Control ID: d01f80a7a5b5caacbde9f2b6765daf48dbe1f1ff4158c6398acd0709e49cf188