5 Ways to Monitor Activity at Palo Alto Firewalls

Palo Alto firewalls provide intelligence about user patterns and traffic to speed up incident response. They offer informative and customizable reports. Monitoring activity on the network can be done using reports, logs and the dashboard.
You can monitor logs and filter the information to create reports with custom or predefined views. A user can use predefined templates to generate reports and logs that interpret unusual behavior in networks.
The dashboard and ACC are visual displays of network activities that include widgets, charts, and tables that can be interacted with while searching for important information.
This post will discuss five key methods to monitor traffic and activities on Palo Alto firewalls.
1. Use the Dashboard to Display Firewall Information
The tab widgets in the dashboard display general firewall information such as operational status in each interface, software versions and the utilization of resources. They also show the 10 most recent entries to the system logs, configuration, threats, and the 10 oldest entries in the system logs. All available widgets are displayed by default. However, administrators can add or remove widgets as needed. You can update a widget or the entire dashboard by clicking the refresh icon. You can also schedule automatic refresh intervals for between 1 and 5 minutes.
The dashboard charts include top apps, top high-risk apps, general information, threat logs and configuration logs. They also include URL filtering logs and URL filtering logs. System logs include system resources, logged in admins, ACC risk factors, high availability, locks, and URL filtering logs.
Top applications have the most session records and a security risk index that ranges between lowest (green) and highest (red). High-risk applications are those with the most sessions.
A dashboard allows users to see the model, firewall name and application. They can also see the current date and times, URL filtering definitions versions and the time since the restart. Interface status is a way to tell if an interface is green, red, or unknown.
Threat logs show applications, threat ID, date/time, and the last 10 entries to threat logs. System logs include configuration logs, URL filtering and data filtering logs. They also record the last 10 entries and/or 60 minutes.
System resources display data plane storage, management CPU use, and the session count established through firewall. Logged in admins display session type (CLI/Web), source IP address and session start times for each administrator currently logged into.

2. Application Command Center: Traffic Patterns
Application Command Center (ACC), is an interactive graphical summary that shows users, applications, threats and URLs as well as the content traversing the network. The command center uses firewall logs to provide visibility into traffic patterns and offer actionable information about threats.
This graphical representation allows users to interact with data and visualise the relationships between events on a network. It can be used to identify anomalies or to devise ways to improve network security rules. To personalize the view of a network, users can add tabs to customize the view and include widgets that contain the most important information.
ACC can include many different widgets such as network activity, application usage and user activity. It also includes source IP activity and destination IP activity. This is just the beginning!
ACC allows you to view firewall logs and see patterns in network traffic. It has three tabs that allow you to view network traffic, threat activities, and blocked activity. You can also drill down to see each graph.