Fastvue Reporter for Palo Alto Networks: Installation and Setup

New Installations
Upgrading Existing Installations
Fastvue Reporter for Palo Alto Networks Installation

1. Download and Install

Download Fastvue Reporter for Palo Alto Networks and install on a machine (or virtual machine) that meets our recommended requirements for your network size.

Note: Fastvue Reporter is a resource-intensive application by design in order to import data and run reports as fast as possible. We do not recommend installing Fastvue Reporter on a server that provides a critical network service such as a Domain Controller, DNS server, or DFS server. We recommend installing on a dedicated VM (virtual machine) so you can scale the resources appropriately.

Fastvue Reporter is designed for 64 bit Windows Server Operating Systems running Windows Server 2012 R2, or above.

The Fastvue Reporter installer will automatically install and configure the required pre-requisites which include .Net 4.6 and IIS (Web Server and Application Server roles). It will also install Open JDK and Elasticsearch in its own self-managed directory.

When installing, you will be asked to select a website to install too. If you are installing on a server with existing websites, we recommend creating a new website in IIS and installing to that. You can also choose to install to a sub-folder of an existing website (such as Default Web Site\Fastvue).

Network Size Recommended Server Specification
Less than 500 Users 4 CPUs/Cores, 6 GB RAM
500 – 1000 Users 4 CPUs/Cores, 8 GB RAM
1000 – 3000 Users 8 CPUs/Cores, 12 GB RAM
3000 – 5000 Users 8 CPUs/Cores, 16 GB RAM
5000+ Users 16 CPUs/Cores, 24 GB RAM

* Virtual environments are recommended so you can scale the resources as required.

During installation, you are asked where you want the Data Location to be. The amount of data stored per day will vary depending on the amount of traffic flowing through your Palo Alto Networks firewall.

The default data retention policy in Fastvue Reporter is 90 days or 90% of drive space, whichever comes first. If 90% of the drive leaves less than 20 GB free, the retention policy will adjust to allow at least 20 GB for Operating System files if the data path is on the same drive as the OS.

These data retention settings can be adjusted in Settings | Data Storage.

We do not advise installing to a network drive due to latency issues affecting the stability of our very frequent read-write operations. For best performance, use a local SSD drive.

Do not install to a mapped network drive, or use a mapped network drive as Fastvue Reporter’s data path, as the assigned drive letters will not exist in the system context – only the user context. If you must use a network drive, specify a UNC path such as \\servername-or-ip\fastvue, but keep in mind the performance issues mentioned above, and you will have to configure ‘full’ permissions for the Fastvue Server’s local system account.

After one or two days of collecting data, check the size estimates in Settings | Data Storage | Settings to see if you need to make adjustments to the data retention policy or your server’s disk space. These estimates become more accurate as data is imported.

To install Fastvue Reporter:

  1. Double-click the downloaded setup exe on a machine that meets the above recommendations
  2. Proceed through the installation wizard to install the software.  The installation wizard will ask you for:
    • Installation folder (defaults to C:\Program Files\Fastvue\Reporter for Palo Alto). Only application files are installed to this folder. It does not require much disk space.
    • Website and Virtual Directory (defaults to ‘Default Web Site’). If you have other websites installed on your server, it is a good idea to install Fastvue Reporter to a virtual directory such as ‘fastvue’ or ‘paloaltoreports’. Then you can access the site at http://yourserver/fastvue for example and it does not interfere with any other site on your server.
    • Data Location (defaults to C:\ProgramData\Fastvue\Reporter for Palo Alto). This is the location where all imported data, configuration and report files are stored. Specify a location with plenty of disk space.
Palo Alto Networks Syslog Server ProfilePalo Alto Networks Log Forwarding ProfilePalo Alto Networks Security Rule Log Settings

2. Configure Palo Alto Networks Firewall’s Syslog Settings

Now that Fastvue Reporter for Palo Alto Networks has been installed, you need to configure your Palo Alto Networks firewalls to send syslog data to the Fastvue server.

  1. On your Palo Alto Networks firewall, select Device | Server Profiles | Syslog.
  2. Click Add and enter a Name for the syslog profile such as Fastvue
  3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
  4. Click Add and enter the Fastvue server’s details:
    • Name—Enter a unique name for the server profile such as ‘Fastvue Server’
    • Syslog Server—IP address or fully qualified domain name (FQDN) of the Fastvue server.
    • Transport—Select TCP (UDP also works if required. SSL is not supported at this stage).
    • Port—The port number on which to send syslog messages (default is port 514). You must use the same port number on the Fastvue server when adding your source  (see below). If 514 is already used by another application on the Fastvue server, choose a different port such as 50514.
    • Format—Select BSD (the default).
    • Facility—Select LOG_USER (the default)
  5. Click OK to save the server profile.
  1. Select Objects | Log Forwarding, click Add, and enter a Name to identify the profile.

    If you want the firewall to automatically assign the profile to new security rules and zones, enter default. If you don’t want a default profile, or you want to override an existing default profile, enter a Name that will help you identify the profile when assigning it to security rules and zones, such as ‘Fastvue Forwarding Profile’.

  2. Click Add to add a Log Forwarding Profile Match List
  3. Enter URL Logs as the Name, select url as the Log Type and ensure All Logs is selected as the Filter.
  4. Check the Syslog checkbox and click Add in the Syslog section. Add the Fastvue syslog server you defined earlier. Click OK.
  5. Repeat steps 2 -> 4 for each log type. The main log types Fastvue requires are Traffic, Threat, URL and WildFire.
  6. Click OK to save the settings.

To trigger log generation and forwarding, your Log Forwarding Profile needs to be assigned to all the security policies you want to log/monitor.

    1. Select Policies | Security and select a policy rule such as the rule that allows outbound internet traffic.
    2. Select the Actions tab and select the Log Forwarding profile you created above.
    3. For Traffic logs, select the Log At Session End checkbox, and click OK.

For more information on each of these steps, see the Palo Alto Networks documentation on Configuring Palo Alto Syslog Monitoring.

Set Palo Alto Networks Firewall's URL Categories to Block or Alert

3. Set Palo Alto Networks Firewall’s URL Filtering Categories to Block or Alert

To ensure traffic to all URL Categories is logged:

  1. Go to Objects | URL Filtering and either edit your existing URL Filtering Profile or configure a new one.
  2. Ensure all categories are set to either Block or Alert (or any action other than none).
Palo Alto Networks Enable HTTP Header Logging

4. Enable HTTP Header Logging and Disable “Log Container Page Only”

HTTP Header logging enables the logging of the Referer field which is valuable information for Fastvue’s Site Clean engine.

To enable HTTP Header logging, go to Objects | Security Profiles | Settings and enable User-AgentReferer, and X-Forwaded-For checkboxes under HTTP Header.

While you are in Objects | Security Profiles | Settings, uncheck the Log Container Page Only checkbox. Fastvue Reporter will automatically group all background web resources into the container page, enabling you to access the full log details if needed.

Don’t forget to commit your settings changes!

Monitor Palo Alto Networks Syslog Traffic

5. Add a Source in Fastvue Reporter for Palo Alto Networks

Now that your Palo Alto Networks Firewall is sending Syslog data to the Fastvue Server, you can add the Palo Alto Networks Firewall as a ‘Source’.

This can be done on the start page that is presented after installation, or in Settings | Sources | Add Source.

If your Palo Alto Networks is sending syslog data on port 514, click into the edit box to add a Source and wait a few seconds. The dropdown will auto-populate with your Palo Alto Networks Firewall. Select your Palo Alto Networks firewall from the dropdown and click Add Source.

If your Palo Alto Networks is not sending syslog data on port 514, manually type the IP address of your Palo Alto Networks Firewall (make sure you use IP of the interface the Fastvue Server is connected to), and enter your port. Then click Add Source.

Fastvue Reporter for Palo Alto Networks Live Dashboard

5. Enjoy!

It may take 10-20 seconds before the first records are imported. You can watch the records and dates imported in Settings | Sources. Once records start importing, you can go to the Dashboard tab to see your live network traffic.

Now you can explore all the features of Fastvue Reporter for Palo Alto Networks.

Contact Support
Contact Sales

Upgrading Existing Installations

Backing up Fastvue Reporter for Palo Alto Networks

1. Backup Fastvue Reporter’s Data and Settings

If you want to upgrade your existing installation, we recommend backing up your existing settings and data first. This is as simple as making a full copy of the contents of Fastvue Reporter’s data location, shown in Settings | Data Storage | Settings (default is C:\ProgramData\Fastvue\Reporter for Palo Alto Networks).

Tip: Compress the backup, especially the Data.elastic folder as this can be quite large.

Backup Fastvue Reporter's IIS Settings

2. Backup Custom IIS Settings (if applicable)

If you have secured the Fastvue Reporter website with IIS or applied any other custom settings in IIS directly, you should also backup the web.config file in the website’s directory (usually under c:\inetpub\wwwroot\<fastvuereporter’s site name>). The installer will attempt to also backup and restore this file for you, but this is a good idea just incase there is an issue with the installation.

Fastvue Reporter for Palo Alto Networks Installation

3. Upgrade / Installation

Once your current environment is backed up, download the new installer and run it over the top of your existing installation to upgrade. The installer will pick up your existing settings, so just click next throughout the wizard without making any changes. Once installed, browse to the site and clear the browser cache by hitting ctrl + F5 (cmd + R on Mac).

Note that it can take a few minutes for data to start importing again after upgrades and restarts of the Fastvue Reporter service. You can check the database initialisation progress in Settings | Diagnostic | Database.

Fastvue Reporter for Palo Alto Networks Dashboard

4. Enjoy!

It may take 10-20 seconds before the first records are imported. You can watch the records count in Settings | Sources. Once records start importing, you can go to the Dashboard tab to see your live network traffic.

Now you can test out the many features of Fastvue Reporter for Palo Alto Networks.

Contact Support
Contact Sales