Overview:

Need to forward traffic logs from the Palo Alto Networks firewall to a syslog server? For reporting, legal, or practical storage reasons, you may need to get these logs off the firewall and onto a syslog server. Follow our step-by-step instructions. Forwarding logs to a syslog server involves four major steps:

  • Create a syslog server profile.
  • Create a log forwarding profile.
  • Use the log forwarding profile in your security policy.
  • Commit the changes.

Steps of Configuration:

Step 1. Create a syslog server profile

1. Go to Device > Server Profiles > Syslog

[Image: syslog_server_profile.png]

  • Name: Enter a name for the syslog profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  • Location: Enter the location.
  • Name (server entry): Click Add and enter a name for the syslog server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  • Syslog Server: Enter the IP address of the syslog server. In our case, this is the CCE IP address.
  • Transport: Select whether to transport the syslog messages over UDP, TCP, or SSL. In our case, it will be UDP.
  • Port: Enter the port number of the syslog server: 514.
  • Format: Specify the syslog format to use: BSD.
  • Facility: Select one of the syslog standard values. Select the value that maps to how your syslog server uses the facility field to manage messages. For details on the facility field, see RFC 3164 (BSD format) or RFC 5424 (IETF format).

[Image: syslog_server_profile_2.png]

Your syslog server profile will now be created, as shown in the example below:

[Image: syslog_server_profile_3.png]

To facilitate integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom formats can be configured under

Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format:

[Image: custom_log_format.png]

Step 2. Create a log forwarding profile

Go to Objects > Log Forwarding. Click Add.

[Image: log_forwarding_profile.png]

  • Name: Enter a profile name (up to 31 characters). This name appears in the list of log forwarding profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  • Syslog: Select the syslog server profile to specify additional destinations where the traffic log entries are sent.
  • Click 'OK' to confirm your configuration.

[Image: log_forwarding_profile_2.png]

Your Log Forwarding Profile is now created, as shown in the following example:

[Image: log_forwarding_profile_3.png]

Step 3. Use the log forwarding profile in your security policy

Go to Policies > Security

[Image: security_policy.png]

Select the rule to which log forwarding needs to be applied (Any Allow in the following example):

[Image: security_policy_2.png]

Next, go to the Actions tab, select Log Forwarding Profile from the dropdown, and click OK when you are happy with your configuration:

[Image: security_policy_rule.png]

After clicking OK, you will notice the forwarding icon in the 'Options' column of your security rule:

[Image: security_rule_options.png]

Step 4. Don't forget to commit your changes when you're finished.

Repeat the same steps for threat logs as we did for traffic logs here.


Threat Logs: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFfCAK

Verification of configuration

Verification of configuration can be done in two ways:

  • From the Collector-Syslog Server (CCE): This can involve logging into the CCE and checking the configuration settings, testing connectivity and functionality of the various components, and comparing the actual results against the expected or desired outcomes.

  • From the UI: This can involve logging into the user interface and checking the configuration settings, monitoring the logs and flows, and comparing the actual results against the expected or desired outcomes.

Both methods can be used to ensure that the system is properly configured and working as intended.

Using CCE

Run the command: sudo tcpdump -i any port 514 and host <IP address>

Replace <IP address> with the address the firewall sends its syslog messages from. Packets arriving on port 514 from that address confirm the forwarding profile is active.
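The CCE-side check above only shows that datagrams arrive. The following is an added example, not part of the original page and not code from Palo Alto Networks or the CCE: it binds a UDP socket the way the collector does, waits for one datagram, confirms it was sent from the expected firewall IP (the same comparison the UI "source device IP" check makes), and decodes the RFC 3164 PRI header into facility and severity, plus any custom key=value attributes added under Custom Log Format. The sample message, the hostname PA-FW-01, the attribute names (src, dst, rule, action), and the lab port 5514 are constructed assumptions.

```python
"""Added example (not from the original page or from Palo Alto Networks):
receive one BSD-format syslog datagram, verify its source IP, and decode
the RFC 3164 header plus custom key=value attributes.
Sample message, hostname and attribute names are constructed."""
import re
import socket

# RFC 3164: PRI = facility * 8 + severity, so facility = PRI // 8, severity = PRI % 8
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD header: <PRI>TIMESTAMP HOSTNAME MSG, e.g. "<134>Oct 10 12:34:56 PA-FW-01 ..."
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)
# Custom Log Format attributes written as key=value or key="quoted value"
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: PRI 134 = local0 (16) * 8 + info (6), from a hypothetical
# firewall PA-FW-01, with hypothetical custom attributes appended to the body.
SAMPLE_LINE = ('<134>Oct 10 12:34:56 PA-FW-01 1,2024/10/10 12:34:56,TRAFFIC,end,'
               'src=10.1.1.5 dst=192.0.2.10 rule="Any Allow" action=allow')


def parse_bsd_syslog(line: str) -> dict:
    """Decode a BSD-format line into facility, severity, timestamp, host and attributes."""
    m = BSD_HEADER.match(line.strip())
    if not m:
        raise ValueError("not an RFC 3164 (BSD) syslog line")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    attributes = {k: v.strip('"') for k, v in KEY_VALUE.findall(m["msg"])}
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m["timestamp"],
        "host": m["host"],
        "message": m["msg"],
        "attributes": attributes,
    }


def make_listener(port: int = 514, bind_addr: str = "0.0.0.0") -> socket.socket:
    """Bind a UDP socket like the collector does; port 514 needs root and must be free."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock


def receive_and_check(sock: socket.socket, expected_src: str, timeout: float = 5.0) -> dict:
    """Wait for one datagram, parse it, and record whether it came from expected_src."""
    sock.settimeout(timeout)
    data, (src_ip, _src_port) = sock.recvfrom(65535)
    result = parse_bsd_syslog(data.decode("utf-8", errors="replace"))
    result["source_ip"] = src_ip
    result["source_ok"] = src_ip == expected_src
    return result


def send_test_message(host: str, port: int, line: str = SAMPLE_LINE) -> None:
    """Emit one datagram so the listener can be exercised without a firewall."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    # Lab use on a spare port (the CCE owns 514): point a sender at UDP/5514.
    listener = make_listener(port=5514)
    print(receive_and_check(listener, expected_src="10.0.0.1"))
```

Run it on a spare port in a lab rather than on 514 of the CCE itself, which is already bound by the collector. Because the profile here uses UDP, the source IP is the only sender identity the collector sees and it is not authenticated; the SSL transport the profile offers is the option to choose when the log path needs integrity and confidentiality.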

Using UI

STEP 1: Log in to the UI >> SYSTEM

STEP 2: >> Logs and flows collection status

STEP 3: To verify the source device IP from the UI:

  • Log in to the user interface

  • Navigate to the "SYSTEM" section

  • Look for the "SOURCE DEVICE IP"

  • Check the IP address that is displayed

  • Compare the IP address displayed against the expected source device IP

This will allow you to ensure that the system is properly identifying the source device IP and that it matches the expected IP address.