PANW-NM-000042 - The Palo Alto Networks security platform must back up audit records at least every seven days onto a different system or system component than the system or component being audited - 'Log Forwarding'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly forwarding logs to a syslog server helps to assure, in the event of a catastrophic system failure, the audit records will be retained.

This requirement is met by configuring the Palo Alto Networks security platform to forward logs to a syslog server or a Panorama network security management server. Note that the syslog server(s) must be backed up regularly, but that is not the focus of this requirement.

Solution

The steps to configure the Palo Alto Networks security platform to forward logs to a syslog server depend on which log is being forwarded.
Create a Syslog Server profile:
Go to Device >> Server Profiles >> Syslog
Select 'Add'.
In the 'Syslog Server Profile' window, enter the name of the profile; select 'Add'.

In the 'Servers' tab, enter the required information:
Name: Name of the syslog server
Server: Server IP address where the logs will be forwarded to
Port: Default port 514
Facility: Select from the drop-down list
Select 'OK'.

Enable log forwarding for the Traffic Log and Threat Log. Configure the log forwarding profile to select the logs to be forwarded to the syslog server.
Go to Objects >> Log forwarding
Select 'Add'.
The 'Log Forwarding Profile' window appears. Note that it has five columns.
Traffic Settings - in the 'Syslog' column, select the 'Syslog Server Profile'.
Threat Settings - select the severity levels that will be sent to the syslog server; for each selected level, select the Syslog Server Profile.
Enable log forwarding for the Configuration Log.
Go to Device >> Log Settings >> Config
Select the 'Edit' icon (the gear symbol in the upper-right corner of the pane).
In the 'Log Settings - Config' window, in the 'Syslog' drop-down box, select the configured server profile.
Select 'OK'.

Enable log forwarding of System Log:
Go to Device >> Log Settings >> System
The list of severity levels is displayed. Select a Server Profile for each severity level to forward. The 'informational' severity level is optional; all others are mandatory.
Select each severity level in turn; with each selection, the 'Log Systems - Setting' window will appear.
In the 'Log Systems - Setting' window, in the 'Syslog' drop-down box, select the configured server profile.
Select 'OK'.

For Traffic Logs and Threat Logs, use the log forwarding profile in the security rules:
Go to Policies >> Security
Select the rule to which log forwarding needs to be applied. Apply the security profiles to the rule.
Go to the 'Actions' tab; in the 'Log forwarding' field, select the log forwarding profile.
Commit changes by selecting 'Commit' in the upper-right corner of the screen.
Select 'OK' when the confirmation dialog appears.
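As an added example that is not part of the STIG or of Tenable's Palo_Alto plugin, the following Python script checks an exported PAN-OS configuration for the pieces the steps above create: a Syslog Server profile, a log forwarding profile that sends Traffic and Threat logs to it, security rules that attach that profile, and System and Config log settings that forward to it. The XML element paths and the sample configuration are assumptions modelled on the PAN-OS 8.x export format, not values taken from this page.

```python
import xml.etree.ElementTree as ET
# Constructed PAN-OS-style configuration export (not from a real device); the element layout is an assumption modelled on the PAN-OS 8.x XML schema, not taken from the STIG.
SAMPLE_CONFIG = """<config>
<shared><log-settings>
 <syslog><entry name="stig-syslog"><server><entry name="collector"><server>192.0.2.10</server>
  <port>514</port><facility>LOG_USER</facility></entry></server></entry></syslog>
 <system><match-list><entry name="all"><send-syslog><member>stig-syslog</member></send-syslog></entry></match-list></system>
 <config/>
</log-settings></shared>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
 <log-settings><profiles><entry name="fwd-all"><match-list>
  <entry name="t"><log-type>traffic</log-type><send-syslog><member>stig-syslog</member></send-syslog></entry>
  <entry name="th"><log-type>threat</log-type><send-syslog><member>stig-syslog</member></send-syslog></entry>
 </match-list></entry></profiles></log-settings>
 <rulebase><security><rules>
  <entry name="allow-web"><log-setting>fwd-all</log-setting></entry>
  <entry name="allow-dns"/>
 </rules></security></rulebase>
</entry></vsys></entry></devices>
</config>"""


def audit_log_forwarding(xml_text):
    """Return a list of findings; empty means every forwarding piece the requirement asks for is present."""
    root = ET.fromstring(xml_text)
    findings = []
    syslog_profiles = {e.get("name") for e in root.findall("./shared/log-settings/syslog/entry")}
    if not syslog_profiles:
        findings.append("no Syslog Server profile is defined")
    compliant_profiles = set()
    for vsys in root.findall("./devices/entry/vsys/entry"):
        # A log forwarding profile counts only if traffic AND threat logs go to an existing syslog profile.
        for prof in vsys.findall("./log-settings/profiles/entry"):
            covered = {m.findtext("log-type") for m in prof.findall("./match-list/entry")
                       if {x.text for x in m.findall("./send-syslog/member")} & syslog_profiles}
            missing = {"traffic", "threat"} - covered
            if missing:
                findings.append(f"log forwarding profile '{prof.get('name')}' does not send {sorted(missing)} logs to syslog")
            else:
                compliant_profiles.add(prof.get("name"))
        # Every security rule must attach a compliant profile, or its traffic/threat logs never leave the firewall.
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            if rule.findtext("log-setting") not in compliant_profiles:
                findings.append(f"security rule '{rule.get('name')}' has no compliant log forwarding profile")
    # System and Config logs are forwarded from Device > Log Settings, not per security rule.
    for section in ("system", "config"):
        members = {x.text for x in root.findall(f"./shared/log-settings/{section}/match-list/entry/send-syslog/member")}
        if not members & syslog_profiles:
            findings.append(f"{section} log is not forwarded to a syslog profile")
    return findings
```

Run against the constructed sample, the script reports the rule without a log forwarding profile and the Config log that is not forwarded; the same two gaps are what a manual walk through the steps above would find.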

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y21M07_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), CAT|III, CCI|CCI-001348, Group-ID|V-62715, Rule-ID|SV-77205r1_rule, STIG-ID|PANW-NM-000042, Vuln-ID|V-62715

Plugin: Palo_Alto

Control ID: f7ad5bcc592d1103b13fcbf696e2889ceed765dabd40036193679dc7386f3465