# Palo Alto firewalls

Palo Alto firewalls: Firewall operating system delivering network security features including traffic control and threat prevention. 

The following sections show you how to configure [Palo Alto Networks Next-Generation Firewall](<https://www.paloaltonetworks.com/network-security/next-generation-firewall>) devices to send their log data to Axoflow.

**CAUTION:**

Make sure to set data forwarding on your appliances/servers as described in this guide. Different settings like alternate message formats or ports might be valid, but can result in data loss or incorrect parsing. 

## Prerequisites

  * You have administrative access to the firewall.
  * The date, time, and time zone are correctly set on the firewall.
  * You have an [AxoRouter deployed and configured](../../../../docs/axoflow/provisioning/axorouter/index.md) with a [Syslog connector](../../../../docs/axoflow/data-sources/syslog/index.md) that has parsing and classification enabled (by default, every AxoRouter has such connectors). This device is going to receive the data from the firewall. 
  * You know the IP address the AxoRouter. To find it:

    1. Open the AxoConsole.
    2. Select the **Routers** or the **Topology** page.
    3. Select on AxoRouter instance that is going to receive the logs.
    4. Check the **Networks > Address** field.



## Steps

Note: The steps involving the Palo Alto Networks Next-Generation Firewall user interface are just for your convenience, for details, see the [official PAN-OS® documentation](<https://docs.paloaltonetworks.com/pan-os>).

  1. Log in to your firewall device. You need administrator privileges to perform the configuration.

  2. Configure a Syslog server profile.

     1. Select **Device > Server Profiles > Syslog**.

     2. Click **Add** and enter a **Name** for the profile, for example, `axorouter`.

     3. Configure the following settings:

        * **Syslog Server** : Enter the IP address of your AxoRouter: `%axorouter-ip%`
        * **Transport** : Select **TCP** or **TLS**. 
        * **Port** : Set the port to `601`. (This is needed for the recommended IETF log format. If for some reason you need to use the BSD format, set the port to `514`.)
        * **Format** : Select **IETF**.
        * **Syslog logging** : Enable this option.
     4. Click **OK**.

  3. Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs. For details, see Configure Log Forwarding the [official PAN-OS® documentation](<https://docs.paloaltonetworks.com/pan-os>).

     1. Select **Objects > Log Forwarding**.
     2. Click **Add**.
     3. Enter a **Name** for the profile, for example, `axoflow`.
     4. For each log type, severity level, or WildFire verdict, select the **Syslog** server profile.
     5. Click **OK**.
     6. Assign the log forwarding profile to a security policy to trigger log generation and forwarding.
     7. Select **Policies > Security** and select a policy rule.
     8. Select **Actions** , then select the **Log Forwarding** profile you created (for example, `axoflow`).
     9. For Traffic logs, select one or both of the **Log at Session Start** and **Log At Session End** options.
     10. Click **OK**.
  4. Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.

     1. Select **Device > Log Settings**.
     2. For System and Correlation logs, select each Severity level, select the **Syslog** server profile, and click **OK**.
     3. For Config, HIP Match, and Correlation logs, edit the section, select the **Syslog** server profile, and click **OK**.
  5. Click **Commit**.

  6. Add the source to AxoConsole.

     1. Open the AxoConsole and select **Topology**.

     2. Select **Add Item > Source**.

![Add Source](/docs/axoflow/img/add-source.png)

        * If the source is actively sending data to an AxoRouter instance, select **Detected** , then select your source.

        * Otherwise, select the vendor and product corresponding to your source from the **Predefined** sources, then enter the parameters of the source, like **IP address** and **FQDN**.

![Add Source parameters](/docs/axoflow/img/add-source-config.png)

Note During [log tapping](../../../../docs/axoflow/onboard-hosts/log-tapping/index.md), you can add hosts that are actively sending data to an AxoRouter instance by clicking **Register source**. 

     3. (Optional) Add [custom labels](../../../../docs/axoflow/onboard-hosts/hosts/add-host-metadata/index.md) as needed.

     4. Select **Add**.

     5. (Optional) **Add Path** manually. That’s needed only when AxoConsole can’t detect the path based on the IP address and the FQDN, and you haven’t yet configured the source to send data to the router.




## Labels

Axoflow automatically adds the following labels to data collected from this source:

Analytics label | Message field | value  
---|---|---  
`vendor` | [`meta.vendor`](../../../../docs/axoflow/reference/message-schema/reference/index.md#meta.vendor) | `palo-alto-networks`  
`product` | [`meta.product`](../../../../docs/axoflow/reference/message-schema/reference/index.md#meta.product) | `panos`  
  
You can use the labels as:

  * **Filter labels** on the [Analytics page](../../../../docs/axoflow/metrics/analytics/index.md),
  * in the **Filter By Label** field during [log tapping](../../../../docs/axoflow/onboard-hosts/log-tapping/index.md).



You can use the message fields

  * in [Flow Processing steps](../../../../docs/axoflow/data-management/processing/index.md), for example, in the **Query** field of **Select Messages** steps,
  * in AQL expressions in the search bars.



## Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype | index  
---|---  
`pan:audit` | `netops`  
`pan:globalprotect` | `netfw`  
`pan:hipmatch` | `epintel`  
`pan:traffic` | `netfw`  
`pan:threat` | `netproxy`  
`pan:system` | `netops`  
  
Tested with: [Palo Alto Networks Add-on for Splunk technical add-on](<https://splunkbase.splunk.com/app/2757/>)

If the Axoflow classification doesn’t set the source field for the message automatically, and you haven’t set it in a [flow processing step](../../../../docs/axoflow/data-management/processing/index.md#set-fields) manually (by setting the `meta.destination.splunk.source` field), AxoRouter automatically sets the source to the [name of the AxoRouter connector](../../../../docs/axoflow/reference/message-schema/reference/index.md#meta.connector.name) that received the message (for example, `axorouter-syslog-tcp-514`).

## Sending data to Google SecOps

When sending the data collected from this source to a [_dynamic_ Google SecOps destination](../../../../docs/axoflow/destinations/google/secops/index.md), Axoflow sets the following log type: `PAN_FIREWALL`.

## Sending data to Microsoft Sentinel

When sending the data collected from this source to a [Microsoft Sentinel destination](../../../../docs/axoflow/destinations/microsoft/sentinel/index.md), Axoflow normalizes the data and sends it to the following table: `CommonSecurityLog`.