Use this section of the interface to modify the following options:
• Log storage quotas for a firewall (Device > Setup > Management).
• Log storage quotas for a Panorama virtual appliance or an M-100 appliance in Panorama mode (Panorama > Setup > Management).
Note: To configure the quotas for each log type on an M-100 appliance in log collector mode, select Panorama > Collector Groups > General and select the Log Storage link. See “Installing a Software Update on a Collector”.
• Attributes for calculating and exporting user activity reports.
• Predefined reports created on the firewall/Panorama.
Table 1. Management Settings (Continued)
Item Description
Log Storage subtab (The PA-7050 firewall has Log Card Storage and Management Card Storage tabs)
Specify the percentage of space allocated to each log type on the hard disk.
When you change a percent value, the associated disk allocation changes automatically. If the total of all the values exceeds 100%, a message appears on the page in red, and an error message appears when you attempt to save the settings. If this occurs, readjust the percentages so the total is within the 100% limit.
Click OK to save settings and Restore Defaults to restore all of the default settings.
The PA-7050 firewall stores logs in the Log Processing Card (LPC) and Switch Management Card (SMC), and so divides log quotas into these two areas. The Log Storage tab has quota settings for data type traffic stored on the LPC (for example, traffic and threat logs). The Management Card Storage has quota settings for management type traffic stored on the SMC (for example, the config logs, system logs, and alarms logs).
Note: When a log reaches the maximum size, the firewall starts overwriting the oldest log entries with the new log entries. If you reduce a log size, the firewall removes the oldest logs when you commit the changes.
Log Export and Reporting subtab
Number of Versions for Config Audit—Enter the number of configuration versions to save before discarding the oldest ones (default 100). You can use these saved versions to audit and compare changes in configuration.
Max Rows in CSV Export—Enter the maximum number of rows that will appear in the CSV reports generated from the Export to CSV icon in the traffic logs view (range 1-1048576, default 65535).
Max Rows in User Activity Report—Enter the maximum number of rows that is supported for the detailed user activity reports (1-1048576, default 5000).
Number of Versions for Config Backups—(Panorama only) Enter the number of configuration backups to save before discarding the oldest ones (default 100).
Average Browse Time (sec)—Configure this variable to adjust how browse time is calculated in the “User Activity Report”.
The calculation will ignore sites categorized as web advertisements and content delivery networks. The browse time calculation is based on container pages logged in the URL filtering logs. Container pages are used as the basis for this calculation because many sites load content from external sites that should not be considered. For more information on the container page, see “Container Pages”.
The average browse time setting is the average time that the admin thinks it should take a user to browse a web page. Any request made after the average browse time has elapsed will be considered a new browsing activity. The calculation will ignore any new web pages that are loaded between the time of the first request (start time) and the average browse time. This behavior was designed to exclude any external sites that are loaded within the web page of interest.
Example: If the average browse time setting is 2 minutes and a user opens a web page and views that page for 5 minutes, the browse time for that page will still be 2 minutes. This is done because there is no way to determine how long a user views a given page.
(Range 0-300 seconds, default 60 seconds)
Page Load Threshold (sec)—This option allows you to adjust the assumed time it takes for page elements to load on the page. Any request that occurs between the first page load and the page load threshold is assumed to be an element of the page. Any request that occurs outside of the page load threshold is assumed to be the user clicking a link within the page. The page load threshold is also used in the calculations for the “User Activity Report”.
(Range 0-60 seconds, default 20 seconds)
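Added example (not from the original guide, and not PAN-OS code): a simplified Python model of the rules described above for Average Browse Time and Page Load Threshold. The record fields, category labels, and sample requests are constructed, and the way the two settings are combined here is an assumption.

```python
from dataclasses import dataclass

# Labels for the two categories the text says are ignored (label strings are assumptions).
IGNORED_CATEGORIES = {"web-advertisements", "content-delivery-networks"}

@dataclass
class Request:
    t: int         # seconds since the start of the capture
    url: str       # container page taken from a URL filtering log entry
    category: str

def browse_time(requests, avg_browse_time=60, page_load_threshold=20):
    """Return (total_seconds, labelled) for one user's container-page requests."""
    labelled = []
    start = None      # start time of the current browsing activity
    activities = 0
    for r in sorted(requests, key=lambda r: r.t):
        if r.category in IGNORED_CATEGORIES:
            labelled.append((r.url, "ignored-category"))
        elif start is None or r.t - start >= avg_browse_time:
            # Average browse time has elapsed: this is a new browsing activity.
            start = r.t
            activities += 1
            labelled.append((r.url, "new-activity"))
        elif r.t - start <= page_load_threshold:
            # Inside the page load threshold: treated as an element of the page.
            labelled.append((r.url, "page-element"))
        else:
            # Outside the threshold but inside the browse window: a link click
            # that the browse-time calculation still ignores.
            labelled.append((r.url, "link-click-not-counted"))
    # Each activity is credited exactly avg_browse_time seconds, however long
    # the user actually stayed on the page.
    return activities * avg_browse_time, labelled

# Constructed sample requests for a single user.
SAMPLE = [
    Request(0, "news.example/home", "news"),
    Request(3, "ads.example/banner", "web-advertisements"),
    Request(8, "widgets.example/embed", "news"),
    Request(45, "news.example/story", "news"),
    Request(300, "mail.example/inbox", "web-based-email"),
]
```

With the default settings the sample yields two browsing activities, so the report would credit 120 seconds even though the requests span five minutes.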
Syslog HOSTNAME Format—Select whether to use the FQDN, hostname, or IP address (IPv4 or IPv6) in the syslog message header; this header identifies the firewall/Panorama from which the message originated.
Stop Traffic when LogDb full—Select the check box if you want traffic through the firewall to stop when the log database is full (default off).
Enable Log on High DP Load—Select this check box if you would like a system log entry generated when the packet processing load on the firewall is at 100% CPU utilization.
A high CPU load can cause operational degradation because the CPU does not have enough cycles to process all packets. The system log alerts you to this issue (a log entry is generated each minute) and allows you to investigate the probable cause.
Disabled by default.
(Only on Panorama) Buffered Log Forwarding from Device—Allows the firewall to buffer log entries on its hard disk (local storage) when it loses connectivity to Panorama. When the connection to Panorama is restored, the log entries are forwarded to Panorama; the disk space available for buffering depends on the log storage quota for the platform and the volume of logs that are pending roll over. If the available space is consumed, the oldest entries are deleted to allow logging of new events.
Enabled by default.
Get Only New Logs on Convert to Primary—This option is only applicable when Panorama writes logs to a Network File Share (NFS).
With NFS logging, only the primary Panorama is mounted to the NFS.
Therefore, the firewalls send logs to the active primary Panorama only.
This option allows an administrator to configure the managed firewalls to only send newly generated logs to Panorama when an HA failover occurs and the secondary Panorama resumes logging to the NFS (after it is promoted as primary).
This behavior is typically enabled to prevent the firewalls from sending a large volume of buffered logs when connectivity to Panorama is restored after a significant period of time.
Only Active Primary Logs to Local Disk—Allows you to configure only the active primary Panorama to save logs to the local disk.
This option is valid for a Panorama virtual machine with a virtual disk and for the M-100 appliance in Panorama mode.
Pre-Defined Reports—Pre-defined reports for application, traffic, threat, and URL Filtering are available on the firewall and on Panorama. By default, these pre-defined reports are enabled.
Because the firewalls consume memory resources in generating the results hourly (and forwarding them to Panorama, where they are aggregated and compiled for viewing), you can reduce memory usage by disabling the reports that are not relevant to you; to disable a report, clear the check box for the report.
Use the Select All or Deselect All options to entirely enable or disable the generation of pre-defined reports.
Note: Before disabling a report make sure that the report is not included in a Group Report or a PDF Report. If a pre-defined report is part of a set of reports and it is disabled, the entire set of reports will have no data.