Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Overview

We are providing you with the steps to integrate your Watchguard Firewall with Seceon SIEM so One can have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to APE(Analytics and Policy Engine) via CCE (Collection and Control Engine ). In this document, we are guiding you through the steps for Log and Netflows forwarding.

Steps Of Configuration

The following steps describe how to configure the Netflow Server Profile:

  1. Go to Device > Server Profiles > Netflow

  2. Click Add to bring up the Netflow Server Profile

  3. Add a Name for the Netflow settings

  4. Click Add and fill the Name (name to identify the server) and Server (host name or IP address of the server) field

  5. The port is automatically populated as 2055. Please make sure to change it to 9995 by editing it, as shown below

The profile can be assigned to an existing Palo Alto Networks firewall interface, so that all traffic flowing over that interface is exported to the specified server above.

To assign the profile created above to the interface, follow the steps below:

  1. Click on Network > Interfaces, go to either Ethernet, VLAN, Loopback or Tunnel tabs

  2. Select any interface and assign the above created Netflow Server Profile ( Netflow_Profile1) in the Netflow Profile field

Commit changes

Note :

PAN-OS 6.0 and after:

NetFlow works with logical sub-interface and can be exported directly.

Prior to PAN-OS 6.0:

NetFlow data cannot be exported on a per-subinterface basis. Data can only be exported using physical ingress and egress interface numbers.

Reference Link: 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJzCAK

VERIFICATION OF CONFIGURATION

Verification can be done either from CCE Server or from UI.

Using UI

STEP 1: Log in to UI >> SYSTEM

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS.

STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.

Using CCE SERVER

sudo tcpdump -i any host 514 (for logs) and 9995 (for flows) and host <IP address> -AAA” command should be running on the CCE server to check whether or not we are getting logs.

  • No labels

Seceon Inc. All rights reserved. https://www.seceon.com