Versions Compared

Old Version 2

changes.mady.by.user Customer Success & Engineering

Saved on

compared with

New Version Current

changes.mady.by.user Customer Success & Engineering

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
To Use Syslog for Monitoring a Palo Alto Networks firewall, create a Syslog server profile and assign it to the log settings for each log type. Optionally, you can configure the header format used in syslog messages and enable client authentication for syslog over TLSv1.2.

...

You can use separate profiles to send syslogs for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.
  1. Select DeviceServer ProfilesSyslog.
  2. Click Add and enter a Name for the profile.
  3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
  4. For each syslog server, click Add and enter the information that the firewall requires to connect to it:
    • Name—Unique name for the server profile.
    • Syslog Server—IP address or fully qualified domain name (FQDN) of the syslog server.
    • Transport—Select TCP, UDP, or SSL (TLS) as the protocol for communicating with the syslog server. For SSL, the firewall supports only TLSv1.2.
    • Port—The port number on which to send syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the syslog server.
    • Format—Select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is over UDP and IETF format is over TCP or SSL/TLS.
    • Facility—Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
  5. (Optional) To customize the format of the syslog messages that the firewall sends, select the Custom Log Format tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide .
  6. Click OK to save the server profile.

...

  1. See Step Create a Log Forwarding profile.
    1. Select ObjectsLog Forwarding, click Add, and enter a Name to identify the profile.
    2. For each log type and each severity level or WildFire verdict, select the Syslog server profile and click OK.
  2. See Step Assign the Log Forwarding profile to policy rules and network zones.

...

  1. Select DeviceLog Settings.
  2. For System and Correlation logs, click each Severity level, select the Syslog server profile, and click OK.
  3. For Config, HIP Match, and Correlation logs, edit the section, select the Syslog server profile, and click OK.

...

The log data includes the unique identifier of the firewall that generated the log. Choosing the header format provides more flexibility in filtering and reporting on the log data for some Security Information and Event Management (SIEM) servers.
This is a global setting and applies to all Syslog server profiles configured on the firewall.
  1. Select DeviceSetupManagement and edit the Logging and Reporting Settings.
  2. Select the Log Export and Reporting tab and select the Syslog HOSTNAME Format:
    • FQDN (default)—Concatenates the hostname and domain name defined on the sending firewall.
    • hostname—Uses the hostname defined on the sending firewall.
    • ipv4-address—Uses the IPv4 address of the firewall interface used to send logs. By default, this is the MGT interface.
    • ipv6-address—Uses the IPv6 address of the firewall interface used to send logs. By default, this is the MGT interface.
    • none—Leaves the hostname field unconfigured on the firewall. There is no identifier for the firewall that sent the logs.
  3. Click OK to save your changes.

...

Required only if the syslog server uses client authentication. The syslog server uses the certificate to verify that the firewall is authorized to communicate with the syslog server.
Ensure the following conditions are met:
  • The private key must be available on the sending firewall; the keys can’t reside on a Hardware Security Module (HSM).
  • The subject and the issuer for the certificate must not be identical.
  • The syslog server and the sending firewall must have certificates that the same trusted certificate authority (CA) signed. Alternatively, you can generate a self-signed certificate on the firewall, export the certificate from the firewall, and import it in to the syslog server.
  1. Select DeviceCertificate ManagementCertificatesDevice Certificates and click Generate.
  2. Enter a Name for the certificate.
  3. In the Common Name field, enter the IP address of the firewall sending logs to the syslog server.
  4. In Signed by, select the trusted CA or the self-signed CA that the syslog server and the sending firewall both trust.
    The certificate can’t be a Certificate Authority nor an External Authority (certificate signing request [CSR]).
  5. Click Generate. The firewall generates the certificate and key pair.
  6. Click the certificate Name to edit it, select the Certificate for Secure Syslog check box, and click OK.

...

Table of Contents

Overview

We are providing you with the steps to integrate your Palo Alto Firewall- Syslog with Seceon SIEM so One can have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to APE(Analytics and Policy Engine) via CCE (Collection and Control Engine ). In this document, we are guiding you through the steps for Log forwarding.


Need to forward traffic logs from the Palo Alto Networks firewall to a syslog server? For reporting, legal, or practical storage reasons, you may need to get these logs off the firewall onto a syslog server. Follow our step-by-step instructions for success. Forwarding logs to a syslog server involves four major steps:

  • Create a syslog server profile.
  • Create a log forwarding profile.
  • Use the log forwarding profile in your security policy.
  • Commit the changes.

Steps of Configuration:

Step 1. Create a syslog server profile

1. Go to Device > Server Profiles > Syslog

syslog_server_profile.pngImage Added

  • Name: Enter a name for the syslog profile (up to31characters). The name is case-sensitive and must be unique.Use only letters, numbers, spaces, hyphens, and underscores.
  • Location: Enter location.
  • Name: Click Add and enter a name for the syslog server (up to 31characters). The name is case-sensitive andmust be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  • Syslog Server: Enter the IP address of the syslog server. In our case, it will be the CCE ip address.
  • Transport: Select whether to transport the syslog messages over UDP, TCP, or SSL. In our case, it will be UDP
  • Port: Enter the port number 514 of the syslog server. 
  • Format: Specify the syslog format to use: BSD.
  • Facility: Select one of the Syslog standard values. Select the value that maps to how your Syslog server uses the facility field to manage messages. For details on the facility field, seeRFC 3164(BSD format) orRFC 5424(IETF format).

syslog_server_profile_2.pngImage Added

Your syslog server profile will now be created, as shown in the example below:

syslog_server_profile_3.pngImage Added

To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs.  Custom formats can be configured under

Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format:

custom_log_format.pngImage Added

Step 2. Create a log forwarding profile
Go to Objects > Log forwarding. Click Add.

log_forwarding_profile.pngImage Added

  • Name: Enter a profile name (up to 31 characters). This name appears in the list of log forwarding profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  • Syslog: Select the syslog server profile to specify additional destinations where the traffic log entries are sent.
  • Click 'OK' to confirm your configuration.

log_forwarding_profile_2.pngImage Added

Your Log Forwarding Profile is now created, as shown in the following example:

log_forwarding_profile_3.pngImage Added

Step 3. Use the log forwarding profile in your security policy

Go to Policies > Security

security_policy.pngImage Added

Select the rule for which the log forwarding needs to be applied (Any Allow) in the following example:

security_policy_2.pngImage Added

Next, go to the Actions tab, select Log Forwarding Profile from the dropdown, and click OK when you are happy with your configuration:

security_policy_rule.pngImage Added

After clicking OK, you will notice the forwarding icon in the 'Options' column of your security rule:

security_rule_options.pngImage Added

Step 4. Don't forget to commit your changes when you're finished.

Repeat the same steps for threat logs like we did for traffic here.

Reference Link: 

Traffic Logs: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRxCAK

Threat Logs: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFfCAK

Verification of configuration

Verification of configuration can be done in two ways:

  • From the Collector-Syslog Server (CCE): This can involve logging into the CCE and checking the configuration settings, testing connectivity and functionality of the various components, and comparing the actual results against the expected or desired outcomes.

  • From the UI: This can involve logging into the user interface and checking the configuration settings, monitoring the logs and flows, and comparing the actual results against the expected or desired outcomes.

Both methods can be used to ensure that the system is properly configured and working as intended.

Using UI

STEP 1:Log in to UI >> SYSTEM

Image Added

STEP 2: >> Logs and flows collection status

Image Added

STEP 3: >>To verify the source device IP from the UI:

  • Log in to the user interface

  • Navigate to the "SYSTEM" section

  • Look for the "SOURCE DEVICE IP"

  • Check the IP address that is displayed

  • Compare the IP address displayed against the expected source device IP

This will allow you to ensure that the system is properly identifying the source device IP and that it matches the expected IP address..

Image Added