PANW-IP-000010 - In the event of a logging failure caused by the lack of audit record storage capacity, the Palo Alto Networks security platform must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner.

Information

It is critical that when the Palo Alto Networks security platform is at risk of failing to process audit logs as required, it takes action to mitigate the failure.

The Palo Alto Networks security platform performs a critical security function, so its continued operation is imperative. Since availability of the Palo Alto Networks security platform is an overriding concern, shutting down the system in the event of an audit failure should be avoided, except as a last resort.

Solution

Note: Overwriting the oldest audit records in a first-in-first-out manner is the default setting of the Palo Alto Networks security platform.

Go to Device >> Setup
In the 'Logging and Reporting Settings' pane, select the 'Edit' icon in the upper-right corner.
In the 'Logging and Reporting Settings' window, in the 'Log Export and Reporting' tab, deselect (uncheck) the 'Stop Traffic when LogDb Full' checkbox. If it is already not selected, do not change it.
Switch back to the 'Log Storage' tab.
Select 'OK'.

If no changes were made, it is not necessary or possible to commit a change. If a change was made, commit changes by selecting 'Commit' in the upper-right corner of the screen. Select 'OK' when the confirmation dialog appears.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y24M10_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5b., CAT|II, CCI|CCI-000140, Rule-ID|SV-207691r557390_rule, STIG-ID|PANW-IP-000010, STIG-Legacy|SV-77143, STIG-Legacy|V-62653, Vuln-ID|V-207691

Plugin: Palo_Alto

Control ID: de74407ea053708ac4a4443e71196777c26004a2950a2c4b90a9188fe58ec4f0