TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: Firewall Syslog
ENVIRONMENT: Palo Alto
SUMMARY: Configuration Guide for Palo Alto firewalls
Device Configuration Checklist
This page only covers the device-specific configuration. You'll still need to follow the Huntress Managed SIEM Firewall guide to complete the Huntress Managed SIEM setup, as well as open a port in Microsoft Defender Firewall.
Vendor Information
| Field | Value |
|---|---|
| Vendor | Palo Alto Networks |
| Supported Model Name/Number | Next-Generation Firewall |
| Supported Software Version(s) | PAN-OS 10.1, PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1 |
| Collection Method | Syslog |
| Provider Name | Syslog-PaloAlto |
| Additional Information | |
Device Configuration Checklist
- Configure a Syslog server profile
  - From the Palo Alto Console, select Device > Server Profiles > Syslog
  - Click Add and enter a Name for the profile. For example, Huntress-SIEM.
- Add a Syslog Server (Huntress Agent) to the Server Profile
  - In the Syslog Server Profile, click Add and provide the following information:
    - Name - Name or IP of the Huntress Agent host
    - Syslog Server - IP or FQDN of the Huntress Agent
    - Transport - UDP
    - Port - 514
    - Format - IETF
    - Facility - LOG_USER (default)
  - Click OK to save the server profile
- Configure syslog forwarding for Traffic, Threat, Wildfire Submission, URL Filtering, Data Filtering, Tunnel and Authentication logs.
  - Create the Syslog Forwarding Profile
    - From the Palo Alto Console, select Objects > Log Forwarding
    - Click Add and enter a Name for the Log Forwarding Profile.
    - If you want this profile assigned to all new security rules and zones, enter “default”. If you do not, or you don’t want to override the existing default profile, enter a unique name.
    - For each Severity and Wildfire Verdict, select the Syslog Server Profile created above in the Syslog column
    - Click OK
  - Assign the Syslog Forwarding Profile to the Security Policy
    - From the Palo Alto Console, select Policies > Security
    - For each rule in the Security Policy, do the following:
      - Click on the rule name
      - Go to the Actions tab
      - Check the box for “Log at Session End”
      - Under Log Setting and Log Forwarding, choose the Syslog Forwarding Profile created above
- Configure syslog forwarding for System, Configuration, Correlation, GlobalProtect, HIP Match, and User-ID logs.
  - From the Palo Alto Console, select Device > Log Settings
  - For System and Correlation logs, click each Severity level, select the Syslog Server Profile created above, and click OK.
  - For Config, HIP Match, and Correlation logs, edit the section, select the Syslog Server Profile created above, and click OK.
- Commit changes.
  - Click Commit to push the configuration changes.
Example Log Messages
Traffic Log Message
```
<14>1 2021-11-30T15:54:05-05:00 logsourcehost appname - - - 1,2021/10/13 05:47:22,123456789,TRAFFIC,deny,2561,2021/10/13 05:47:22,10.0.0.2,10.0.0.3,10.0.0.4,10.0.0.5,OS Blocked Apps,,,slack-base,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Syslog forwarding,2021/10/13 05:47:22,12251,1,62883,443,25341,443,0x404400,tcp,reset-both,763,697,66,4,2021/10/13 05:47:20,1,internet-communications-and-telephony,,7017083028182608905,0x0,10.0.0.0-10.255.255.255,United Kingdom,,3,1,policy-deny,0,0,0,0,,FW1,from-application,,,0,,0,,N/A,0,0,0,0,36ba66bd-fef3-44fe-82b6-a817547e4c1d,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2021-10-13T05:47:22.926+01:00,,,instant-messaging,saas,browser-based,2,"able-to-transfer-file,has-known-vulnerability,is-saas,is-hipaa,is-soc2,is-ip-based-restrictions",slack,slack-base,yes,no,0
```
Threat URL Log Message
```
<14>1 2021-11-30T15:54:05-05:00 logsourcehost appname - - - 1,2021/10/13 05:51:20,123456789,THREAT,url,2561,2021/10/13 05:51:20,10.0.0.2,10.0.0.3,10.0.0.4,10.0.0.5,Server to Internet - Approved apps,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Syslog forwarding,2021/10/13 05:51:20,70928,1,52551,80,18355,80,0x40f000,tcp,alert,"www.roke.co.uk/pki/Commercial%20CA(8).crt/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSzwE/DuL2Vw2iz2XiE0TpwhE0P2QQUQgcVZG9M1QoENJLj7xfC8euUQ8sCExkAAem7YxFZv0YZM0wACAAB6bs=",(9999),business-and-economy,informational,client-to-server,7017083032376914159,0x0,10.0.0.0-10.255.255.255,United Kingdom,,text/html,0,,,1,,,,,,,,0,0,0,0,0,,FW1,,,,get,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"business-and-economy,low-risk",d0f0b050-1baf-43db-881e-082cb377b223,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2021-10-13T05:51:20.491+01:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no
```
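Once these messages reach a collector, the RFC 5424 (IETF) framing and the quoted CSV body have to be split apart before any field can be searched or alerted on. The parser below is an added example, not Huntress or Palo Alto Networks code; it takes the two sample messages above as input, and the field names it assigns to the CSV positions are labels chosen for this example.

```python
import csv
import re

# RFC 5424 framing (the "IETF" format in the server profile): <PRI>VER TS HOST APP PROCID MSGID SD MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$"
)

# 0-based CSV positions shared by TRAFFIC and THREAT logs (field 3 is the log type).
# The names are labels chosen for this example, matching the positions in the sample logs.
COMMON = {
    "receive_time": 1, "serial": 2, "type": 3, "subtype": 4, "src": 7, "dst": 8,
    "nat_src": 9, "nat_dst": 10, "rule": 11, "src_user": 12, "dst_user": 13, "app": 14,
    "vsys": 15, "from_zone": 16, "to_zone": 17, "session_id": 22, "sport": 24,
    "dport": 25, "proto": 29, "action": 30,
}
BY_TYPE = {  # after the action field the two log types diverge
    "TRAFFIC": {"bytes": 31, "bytes_sent": 32, "bytes_received": 33, "packets": 34,
                "category": 37, "session_end_reason": 46, "device_name": 52},
    "THREAT": {"url": 31, "threat_id": 32, "category": 33, "severity": 34,
               "direction": 35, "content_type": 41},
}


def parse_panos_syslog(line: str) -> dict:
    """Parse one IETF-framed PAN-OS TRAFFIC or THREAT syslog line into named fields."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    # csv, not str.split: PAN-OS quotes fields that contain commas (URLs, app characteristics).
    cols = next(csv.reader([m.group("msg")]))
    log_type = cols[3] if len(cols) > 3 else None
    if log_type not in BY_TYPE:
        raise ValueError(f"unsupported or truncated PAN-OS log: {log_type!r}")
    # A position beyond the end of a truncated message yields None, not an IndexError.
    event = {n: cols[i] if i < len(cols) else None for n, i in {**COMMON, **BY_TYPE[log_type]}.items()}
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity; facility 1 is LOG_USER
    event.update(syslog_facility=pri >> 3, syslog_severity=pri & 7,
                 syslog_host=m.group("host"), syslog_time=m.group("ts"), columns=cols)
    return event


# The two sample messages shown on this page, used here as input.
TRAFFIC_SAMPLE = '<14>1 2021-11-30T15:54:05-05:00 logsourcehost appname - - - 1,2021/10/13 05:47:22,123456789,TRAFFIC,deny,2561,2021/10/13 05:47:22,10.0.0.2,10.0.0.3,10.0.0.4,10.0.0.5,OS Blocked Apps,,,slack-base,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Syslog forwarding,2021/10/13 05:47:22,12251,1,62883,443,25341,443,0x404400,tcp,reset-both,763,697,66,4,2021/10/13 05:47:20,1,internet-communications-and-telephony,,7017083028182608905,0x0,10.0.0.0-10.255.255.255,United Kingdom,,3,1,policy-deny,0,0,0,0,,FW1,from-application,,,0,,0,,N/A,0,0,0,0,36ba66bd-fef3-44fe-82b6-a817547e4c1d,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2021-10-13T05:47:22.926+01:00,,,instant-messaging,saas,browser-based,2,"able-to-transfer-file,has-known-vulnerability,is-saas,is-hipaa,is-soc2,is-ip-based-restrictions",slack,slack-base,yes,no,0'
THREAT_SAMPLE = '<14>1 2021-11-30T15:54:05-05:00 logsourcehost appname - - - 1,2021/10/13 05:51:20,123456789,THREAT,url,2561,2021/10/13 05:51:20,10.0.0.2,10.0.0.3,10.0.0.4,10.0.0.5,Server to Internet - Approved apps,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Syslog forwarding,2021/10/13 05:51:20,70928,1,52551,80,18355,80,0x40f000,tcp,alert,"www.roke.co.uk/pki/Commercial%20CA(8).crt/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSzwE/DuL2Vw2iz2XiE0TpwhE0P2QQUQgcVZG9M1QoENJLj7xfC8euUQ8sCExkAAem7YxFZv0YZM0wACAAB6bs=",(9999),business-and-economy,informational,client-to-server,7017083032376914159,0x0,10.0.0.0-10.255.255.255,United Kingdom,,text/html,0,,,1,,,,,,,,0,0,0,0,0,,FW1,,,,get,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"business-and-economy,low-risk",d0f0b050-1baf-43db-881e-082cb377b223,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2021-10-13T05:51:20.491+01:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no'

if __name__ == "__main__":
    for sample in (TRAFFIC_SAMPLE, THREAT_SAMPLE):
        ev = parse_panos_syslog(sample)
        print(ev["type"], ev["subtype"], ev["src"], "->", ev["dst"], ev["app"], ev["action"])
```

The decoded facility of 1 on both samples is the LOG_USER default set in the server profile, which is a quick way to confirm a collector is seeing the profile you configured rather than some other syslog source on the same port.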