Palo Alto firewalls

The following sections show you how to configure Palo Alto Networks Next-Generation Firewall devices to send their log data to Axoflow.

CAUTION:

Configure data forwarding exactly as described in this guide. Other settings, such as a different message format or port, might work, but can result in data loss or incorrect parsing.

Prerequisites

  • You have administrative access to the firewall.
  • The date, time, and time zone are correctly set on the firewall.
  • You have an AxoRouter deployed and configured. This device is going to receive the logs from the firewall.
  • You know the IP address of the AxoRouter. To find it:

    1. Open the Axoflow Console.
    2. Select the Hosts or the Topology page.
    3. Click the AxoRouter instance that is going to receive the logs.
    4. Check the Networks > Address field.

Steps

Note: The steps involving the Palo Alto Networks Next-Generation Firewall user interface are provided for your convenience only; for details, see the official PAN-OS® documentation.

  1. Log in to your firewall device. You need administrator privileges to perform the configuration.

  2. Configure a Syslog server profile.

    1. Select Device > Server Profiles > Syslog.

    2. Click Add and enter a Name for the profile, for example, axorouter.

    3. Configure the following settings:

      • Syslog Server: Enter the IP address of your AxoRouter: %axorouter-ip%
      • Transport: Select TCP or TLS.
      • Format: Select IETF.
      • Syslog logging: Enable this option.
    4. Click OK.

  3. Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs. For details, see Configure Log Forwarding in the official PAN-OS® documentation.

    1. Select Objects > Log Forwarding.
    2. Click Add.
    3. Enter a Name for the profile, for example, axoflow.
    4. For each log type, severity level, or WildFire verdict, select the Syslog server profile.
    5. Click OK.
    6. Assign the log forwarding profile to a security policy to trigger log generation and forwarding.
    7. Select Policies > Security and select a policy rule.
    8. Select Actions, then select the Log Forwarding profile you created (for example, axoflow).
    9. For Traffic logs, select one or both of the Log at Session Start and Log At Session End options.
    10. Click OK.
  4. Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.

    1. Select Device > Log Settings.
    2. For System and Correlation logs, select each Severity level, select the Syslog server profile, and click OK.
    3. For Config, HIP Match, and Correlation logs, edit the section, select the Syslog server profile, and click OK.
  5. Click Commit.

  6. Add the appliance to the Axoflow Console. For details, see Appliances.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label      value
vendor     pan
product    paloalto

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype           index
pan:audit            netops
pan:globalprotect    netfw
pan:hipmatch         epintel
pan:traffic          netfw
pan:threat           netproxy
pan:system           netops

Tested with: Palo Alto Networks Add-on for Splunk technical add-on
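The following receiver-side check is an added example, not part of this guide or of Axoflow's code. It verifies that messages arriving from the firewall use the IETF (RFC 5424) format the profile above requires, flags BSD-format messages (the misconfiguration the caution warns about), reads the PAN-OS log type from the CSV body, and maps it to the Splunk sourcetypes listed above. It assumes the standard PAN-OS CSV layout in which the fourth field is the log type; the sample messages are constructed.

```python
"""Sanity-check PAN-OS syslog messages as received by a collector (added example)."""
import csv
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$",
    re.DOTALL,
)
# RFC 3164 (BSD) header, what you get when Format is left at BSD instead of IETF
RFC3164_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")

PAN_TYPE_FIELD = 3  # assumption: FUTURE_USE, Receive Time, Serial Number, Type, ...

# PAN-OS log types mapped to the Splunk sourcetypes listed in this guide
SOURCETYPE = {
    "TRAFFIC": "pan:traffic",
    "THREAT": "pan:threat",
    "SYSTEM": "pan:system",
    "HIP-MATCH": "pan:hipmatch",
    "GLOBALPROTECT": "pan:globalprotect",
}

def check_message(raw):
    """Return a dict describing whether `raw` is a usable IETF-format PAN-OS record."""
    m = RFC5424_RE.match(raw)
    if not m:
        if RFC3164_RE.match(raw):
            return {"ok": False, "reason": "BSD format received; set Format to IETF"}
        return {"ok": False, "reason": "not a syslog message"}
    fields = next(csv.reader([m.group("msg")]))  # csv handles quoted commas
    if len(fields) <= PAN_TYPE_FIELD:
        return {"ok": False, "reason": "body is not a PAN-OS CSV record"}
    log_type = fields[PAN_TYPE_FIELD]
    return {"ok": True, "host": m.group("host"), "type": log_type,
            "sourcetype": SOURCETYPE.get(log_type)}  # None for unmapped types

# Constructed sample messages: two IETF-format records and one BSD-format record
SAMPLES = [
    "<14>1 2024-05-01T10:00:00.000Z fw01 - - - - 1,2024/05/01 10:00:00,0123456789,TRAFFIC,end,2560",
    "<14>1 2024-05-01T10:00:01.000Z fw01 - - - - 1,2024/05/01 10:00:01,0123456789,THREAT,vulnerability,2560",
    "<14>May  1 10:00:02 fw01 1,2024/05/01 10:00:02,0123456789,SYSTEM,general,2560",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_message(line))
```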