Timing is everything – when applied to cybersecurity incidents, that’s an understatement. The longer an attack is active within an organization’s environment, the more damage it can do. Today, experts place the average dwell time of an attack (from the moment an attack is introduced until it is stopped and rendered ineffective) at hundreds of days. That’s way too long to give an attacker virtually unfettered access to critical information and resources.

Unfortunately, cutting down that time is easier said than done. Throwing more resources at the problem is often not possible or practical (particularly given the skills gap facing most organizations). A more reasonable approach is to improve the focus and effectiveness of the resources at hand. One way to do this is through automation. This is likely why we are seeing more and more vendors adding intuitive, automated capabilities.

For example, the latest release, PAN-OS® 8.0, for the Palo Alto Networks Security Platform, contains a Filtered Log Forwarding feature that can optionally trigger an automated response to a detected attack, improving the organization’s ability to contain and shut it down. The feature allows notifications to be sent when an attack is detected, so better, more timely decisions can be made (or automated) to reduce its impact.

Defining Log Forwarding Profiles before PAN-OS 8.0

Palo Alto Networks has supported the forwarding of log events to external monitoring technologies for some time; however, the forwarding decision used to be “all or nothing.” An organization would configure a Log Forwarding Profile, which matched the type and severity of an event to a specific forwarding destination. Any time that event was detected in traffic allowed by a particular Security Rule, the firewall forwarded a duplicate of the log to the desired destination. The forwarding was done in real time while the firewall was processing traffic.

Organizations can now define the characteristics an event must have, such as log type and severity, before it is forwarded.

8.0 – Refining Matching Capabilities for Log Forwarding Profiles

They can also take advantage of a new Filter Builder, which makes it easier to support precise customization of the matching criteria required for forwarding.

8.0 – Filter Builder for Precise Customization

In addition, organizations have more choices as to where they send this information. Palo Alto Networks added HTTP as a destination type alongside the monitoring destination types that were already supported. These HTTP destinations are web services that can receive specifically formatted web calls and respond accordingly. For example, a Help Desk ticketing system could automatically generate a ticket with associated tracking and priority handling for a particular event, or a Network Management system could quarantine network devices, via VLAN assignments, in response to a detected compromise.

As a result, organizations can now split out events, such as those with a high or critical severity that occur in a specific employee network (e.g. the Chicago or Denver office), and forward them to specific monitoring technologies to invoke a specific action, or to ensure that the analysts in the best position to address an event (e.g. those responsible for the Chicago or Denver office) see the information as soon as possible.

Ultimately, this enables one of the most interesting and valuable enhancements in the release – an automatic response by the firewall to event data. These responses are defined through the Built-in Actions tab within the associated Log Forwarding Profile. The Log Forwarding Profile contains the matching criteria that can be coupled with a Built-in Action to enable an automatic response.

Built-in Actions for an Automatic Firewall Response

Through the Actions tab, organizations can choose either the Source or Destination address associated with the event and add a firewall-managed Tag to it. This same tag can then become membership criteria for a Dynamic Address Group, so it can be included in a firewall Security Rule to block particular traffic related to it. This combination allows the firewall to respond automatically to detected events, with no administrator intervention.

The New Capabilities in Action – Example

Let’s assume we want to protect our network from users that get infected by malware. We need to set up the firewall to notify the helpdesk, via Log Forwarding, when threats are detected and block the infected endpoint from communicating with potential external Command and Control servers, which can prevent critical, sensitive information from getting out of the organization.

We begin by defining the monitoring service destinations for the helpdesk and for the security responders, who monitor SIEM solutions. We’ll also back it up with email alerts. We create entries for each of these destinations under Device->Server Profiles.

Next, we create the Tag we plan to assign to the detected Source Address in threat events.

Then we create a Dynamic Address Group using this tag as its membership criteria.

Next, we create the Security Rule that blocks external communications for this group.

Now, we create the Log Forwarding Profile that sets these actions in motion.

We use the Filter Builder to customize the event requirements to be of Medium or High Severity and generated only from an internal address.

We also add a Built-in Action to tag the source address.

Now that we have all these elements in place, we can assign this new Log Forwarding Profile to the various Security Rules that might detect these threats. From the moment we commit these changes, the firewall automatically reacts to detected threats by blocking outbound traffic from the internal addresses that have been tagged because of them.
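To make the chain of events concrete, the following Python model walks a few threat log entries through the flow described in the steps above and in the HTTP-destination paragraph earlier: a filter (Medium or higher severity, internal source), a notification payload of the kind an HTTP destination would receive, a Built-in Action that tags the source address, a Dynamic Address Group whose membership is "has this tag", and a Security Rule that denies outbound traffic for that group. This is an added illustration, not Palo Alto Networks code or the PAN-OS configuration itself; the log lines, field names, tag name, rule name and the 10.0.0.0/8 internal range are all constructed for the example.

```python
"""Added illustration (not Palo Alto Networks code) of the PAN-OS 8.0
Filtered Log Forwarding flow: filter -> forward -> tag -> Dynamic Address
Group -> block rule. All names, addresses and log entries are constructed."""
import ipaddress
from dataclasses import dataclass, field

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
TAG = "malware-infected"                           # example tag name
BLOCK_RULE = "Block-Infected-Outbound"             # example Security Rule name


@dataclass
class ThreatLog:
    src: str
    dst: str
    severity: str
    threat: str
    rule: str          # Security Rule that allowed the session


def matches_filter(log: ThreatLog) -> bool:
    """Filter Builder equivalent: severity Medium or higher AND an internal source."""
    return (SEVERITY_RANK[log.severity] >= SEVERITY_RANK["medium"]
            and ipaddress.ip_address(log.src) in INTERNAL_NET)


def notification_payload(log: ThreatLog) -> dict:
    """Body an HTTP destination (e.g. a ticketing webhook) would receive; shape is assumed."""
    return {"event": "threat", "severity": log.severity, "threat": log.threat,
            "src": log.src, "dst": log.dst, "rule": log.rule}


@dataclass
class Firewall:
    address_tags: dict = field(default_factory=dict)   # address -> set of tags
    forwarded: list = field(default_factory=list)       # payloads sent to destinations

    def process_threat_log(self, log: ThreatLog) -> bool:
        """Log Forwarding Profile: on a filter match, forward and run the Built-in Action."""
        if not matches_filter(log):
            return False
        self.forwarded.append(notification_payload(log))
        # Built-in Action: add the tag to the Source Address of the event
        self.address_tags.setdefault(log.src, set()).add(TAG)
        return True

    def dynamic_group_members(self, tag: str = TAG) -> set:
        """Dynamic Address Group: membership is evaluated from tags, not a static list."""
        return {addr for addr, tags in self.address_tags.items() if tag in tags}

    def allows_outbound(self, src: str, dst: str) -> bool:
        """Security policy: the block rule (group -> external) is evaluated first."""
        external = ipaddress.ip_address(dst) not in INTERNAL_NET
        if src in self.dynamic_group_members() and external:
            return False    # matched BLOCK_RULE
        return True         # fell through to the ordinary allow rule


def run_example() -> Firewall:
    """Feed constructed threat logs through the flow and return the resulting state."""
    fw = Firewall()
    logs = [  # constructed threat logs, not real captures
        ThreatLog("10.1.2.3", "203.0.113.5", "high", "Example.Trojan.C2", "allow-outbound"),
        ThreatLog("10.1.2.4", "203.0.113.5", "low", "Example.Adware", "allow-outbound"),
        ThreatLog("198.51.100.7", "10.1.2.9", "critical", "Example.Scan", "allow-inbound"),
    ]
    for log in logs:
        fw.process_threat_log(log)
    return fw


if __name__ == "__main__":
    fw = run_example()
    print("forwarded:", fw.forwarded)
    print("tagged (group members):", fw.dynamic_group_members())
    print("10.1.2.3 -> internet allowed?", fw.allows_outbound("10.1.2.3", "203.0.113.9"))
    print("10.1.2.4 -> internet allowed?", fw.allows_outbound("10.1.2.4", "203.0.113.9"))
```

Only the first log passes the filter: the second is Low severity and the third has an external source, so neither is forwarded or tagged, which is exactly what the filter is for. Because the group is evaluated from tags at policy-lookup time, the block rule takes effect for 10.1.2.3 as soon as the tag is applied, without anyone editing the rule; the model keeps the same ordering (block rule before the general allow) that the real policy needs for the quarantine to work.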

This drastically cuts down the time and resources typically associated with responding to these types of threats. More capabilities of this kind will go a long way in helping organizations better address the threat landscape they are facing and reduce the impact of incidents in their environment.

For more information on the 8.0 capabilities, you may want to consider attending the Palo Alto Networks Delta 8.0 What’s New With PAN OS 8.0 class.

Our guest blogger Wiley Richardson is a Senior Security Engineer and senior instructor at CloudHarmonics, specialized in Palo Alto Networks products, various Software Defined Networking technologies and Cloud Access Broker solutions. He currently holds PCNSE and CISSP certifications with 27 years of professional experience in various technical, customer-facing and leadership positions.