The Palo Alto Networks security platform must back up audit records at least every seven days onto a different system or system component than the system or component being audited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62715	PANW-NM-000042	SV-77205r1_rule		Low

Description
Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly forwarding logs to a syslog server helps to assure, in the event of a catastrophic system failure, the audit records will be retained. This requirement is met by configuring the Palo Alto Networks security platform to forward logs to a syslog server or a Panorama network security management server. Note that the syslog server(s) must be backed up regularly, but that is not the focus of this requirement.

Description

Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly forwarding logs to a syslog server helps to assure, in the event of a catastrophic system failure, the audit records will be retained. This requirement is met by configuring the Palo Alto Networks security platform to forward logs to a syslog server or a Panorama network security management server. Note that the syslog server(s) must be backed up regularly, but that is not the focus of this requirement.

STIG	Date
Palo Alto Networks NDM Security Technical Implementation Guide	2019-12-20

Details

Check Text ( C-63521r1_chk )
Check if there is a Syslog Server profile. Go to Device >> Server Profiles >> Syslog If there are no profiles listed in the "Servers" window, this is a finding. Check if log forwarding is enabled for the Traffic Log and Threat Log. Go to Objects >> Log forwarding If the "Syslog" field does not list the Syslog Server profile for the Traffic Log, this is a finding. If the "Syslog" field does not list the Syslog Server profile for all of the Severity levels of the Threat Log, this is a finding. Check if log forwarding is enabled for the Configuration Log. Go to Device >> Log Settings >> Config In the "Log Settings - Config" pane. If the "Syslog" field does not display the Syslog Server profile, this is a finding. Check if log forwarding is enabled for the System Log. Go to Device >> Log Settings >> System The list of severity levels is displayed. If the "Syslog Profile" field does not display the Syslog Server profile for each Severity level (except "informational"), this is a finding.

Check Text ( C-63521r1_chk )

Check if there is a Syslog Server profile.
Go to Device >> Server Profiles >> Syslog
If there are no profiles listed in the "Servers" window, this is a finding.

Check if log forwarding is enabled for the Traffic Log and Threat Log.
Go to Objects >> Log forwarding
If the "Syslog" field does not list the Syslog Server profile for the Traffic Log, this is a finding.

If the "Syslog" field does not list the Syslog Server profile for all of the Severity levels of the Threat Log, this is a finding.

Check if log forwarding is enabled for the Configuration Log.
Go to Device >> Log Settings >> Config
In the "Log Settings - Config" pane.
If the "Syslog" field does not display the Syslog Server profile, this is a finding.

Check if log forwarding is enabled for the System Log.
Go to Device >> Log Settings >> System
The list of severity levels is displayed.
If the "Syslog Profile" field does not display the Syslog Server profile for each Severity level (except "informational"), this is a finding.

Fix Text (F-68635r1_fix)
Configuring the Palo Alto Networks security platform to forward logs to a syslog server depends on which log it is. Create a Syslog Server profile: Go to Device >> Server Profiles >> Syslog Select "Add". In the "Syslog Server Profile", enter the name of the profile; select "Add". In the "Servers" tab, enter the required information: Name: Name of the syslog server Server: Server IP address where the logs will be forwarded to Port: Default port 514 Facility: Select from the drop down list Select "OK". Enable log forwarding for the Traffic Log and Threat Log. Configure the log-forwarding profile to select the logs to be forwarded to syslog server. Go to Objects >> Log forwarding Select "Add". The "Log Forwarding Profile" window appears. Note that it has five columns. Traffic Settings - in the "Syslog" column, select the "Syslog Server Profile". Threat Settings - select the severity levels that will be sent to the syslog server; for each selected level, select the Syslog Server Profile. Enable log forwarding for the Configuration Log. Go to Device >> Log Settings >> Config Select the "Edit" icon (the gear symbol in the upper-right corner of the pane) In the "Log Settings - Config" window, in the "Syslog" drop-down box, select the configured server profile Select "OK". Enable log forwarding of System Log: Go to Device >> Log Settings >> System The list of severity levels is displayed. Select a Server Profile for each severity level to forward. The "informational" severity level is optional; all others are mandatory. Select each severity level in turn; with each selection, the "Log Systems - Setting" window will appear. In the "Log Systems - Setting" window, in the "Syslog" drop-down box, select the configured server profile. Select "OK". For Traffic Logs and Threat Logs, use the log forwarding profile in the security rules: Go to Policies >> Security Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule. Go to "Actions" tab; in the "Log forwarding" field, select the log forwarding profile. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

Fix Text (F-68635r1_fix)

Configuring the Palo Alto Networks security platform to forward logs to a syslog server depends on which log it is.
Create a Syslog Server profile:
Go to Device >> Server Profiles >> Syslog
Select "Add".
In the "Syslog Server Profile", enter the name of the profile; select "Add".

In the "Servers" tab, enter the required information:
Name: Name of the syslog server
Server: Server IP address where the logs will be forwarded to
Port: Default port 514
Facility: Select from the drop down list
Select "OK".

Enable log forwarding for the Traffic Log and Threat Log. Configure the log-forwarding profile to select the logs to be forwarded to syslog server.
Go to Objects >> Log forwarding
Select "Add".
The "Log Forwarding Profile" window appears. Note that it has five columns.
Traffic Settings - in the "Syslog" column, select the "Syslog Server Profile".
Threat Settings - select the severity levels that will be sent to the syslog server; for each selected level, select the Syslog Server Profile.
Enable log forwarding for the Configuration Log.
Go to Device >> Log Settings >> Config
Select the "Edit" icon (the gear symbol in the upper-right corner of the pane)
In the "Log Settings - Config" window, in the "Syslog" drop-down box, select the configured server profile
Select "OK".

Enable log forwarding of System Log:
Go to Device >> Log Settings >> System
The list of severity levels is displayed. Select a Server Profile for each severity level to forward. The "informational" severity level is optional; all others are mandatory.
Select each severity level in turn; with each selection, the "Log Systems - Setting" window will appear.
In the "Log Systems - Setting" window, in the "Syslog" drop-down box, select the configured server profile.
Select "OK".

For Traffic Logs and Threat Logs, use the log forwarding profile in the security rules:
Go to Policies >> Security
Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule.
Go to "Actions" tab; in the "Log forwarding" field, select the log forwarding profile.
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.