Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Traffic log | ✅ | ✅ | pan_firewall_traffic | CSV | S3 | ||
Hip Match log | ✅ | pan_firewall_hip | CSV | S3 | |||
Threat log | ✅ | ✅ | pan_firewall_threat | CSV | S3 | ||
System log | ✅ | pan_firewall_system | CSV | S3 | |||
GlobalProtect log | ✅ | ✅ | pan_firewall_globalprotect | CSV | S3 | ||
Config log | pan_firewall_config | CSV | S3 |
Overview
Palo Alto Networks is a leading cybersecurity company that provides a wide range of security solutions designed to protect networks, endpoints, and cloud environments. Known for its next-generation firewalls, Palo Alto Networks offers advanced threat prevention, traffic inspection, and secure access. Their product portfolio includes solutions for cloud security, threat intelligence, and endpoint protection, as well as security operations through their Cortex platform. With a focus on automation, machine learning, and AI, Palo Alto Networks helps organizations detect, prevent, and respond to sophisticated cyberattacks while ensuring compliance and minimizing risks across their infrastructure.
Supported data types
Traffic log
Table name: pan_firewall_traffic
Traffic logs on Palo Alto Networks Firewalls record detailed information about the sessions processed by the firewall. These logs are invaluable for security analysis, troubleshooting network issues, and ensuring compliance with organizational policies.
Hip Match log
Table name: pan_firewall_hip
Palo Alto Networks Firewall HIP (Host Information Profile) Match logs are a specific category of logs generated by Palo Alto Networks' firewalls that provide detailed insights into the compliance status of devices connecting to the network against predefined host information profiles. HIP profiles are used to collect information about the security status of a device, such as the presence of antivirus software, disk encryption status, patch levels, and more. When a device attempts to connect to the network, the firewall evaluates the device against these profiles to determine if it meets the organization's security requirements.
Threat log
Table name: pan_firewall_threat
These logs are specifically designed to provide detailed information about potential security threats detected by the firewall, helping organizations to quickly identify, analyze, and respond to various types of malicious activities and vulnerabilities in their network traffic.
System log
Table name: pan_firewall_system
These logs are essential for monitoring system activities, identifying issues, and ensuring the firewall is functioning optimally to protect the network against threats. The system logs capture events related to the firewall's internal processes, including configuration changes, system errors, administrative access, and other system-related activities.
GlobalProtect log
Table name: pan_firewall_globalprotect
GlobalProtect logs are specifically related to the GlobalProtect VPN service, which provides secure remote access to an organization's network. These logs are crucial for monitoring, troubleshooting, and ensuring the security and integrity of remote access connections.
Config log
Table name: pan_firewall_config
Config logs record all changes made to the firewall's configuration settings. Whenever an administrator makes a change via the web interface, CLI, or API, the action is logged. This includes changes to security policies, network configurations, device settings, and more.
Send data to Hunters
📘Note
Onboarding this data source requires the help of Hunters Support. Once you've completed the setup stages, contact Hunters Support using this form.
Prerequisites
⚠️ Known timezone issues
Palo Alto Networks firewalls do not include the timezone in log timestamps by design. For example, if your firewall is set to 8:00:00 EST, the time in the syslog message will be 8:00:00, with no EST designator. By default, Hunters treats timezone-free timestamps as if they were in UTC.
To overcome this and let Hunters infer the correct timestamp, you are required to change the time settings of the device itself. As answered in the PAN LiveCommunity, this change will not affect active sessions; the time zone is used when displaying information and in the log events generated.
Note: If you are forwarding logs from several devices, you are required to make this change on each of them.
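To make the skew concrete, here is an added Python example (not code from Hunters or Palo Alto Networks) that parses a zone-less PAN timestamp twice: once under the default assumption that it is UTC, and once with the device's configured zone attached and normalised to UTC. The timestamp value is constructed, and EST is modelled as a fixed UTC-5 offset (an assumption; no DST handling).

```python
from datetime import datetime, timedelta, timezone

# PAN-OS log timestamps carry no zone designator; this is the layout used by
# fields such as receive_time and generated_time.
PAN_TS_FORMAT = "%Y/%m/%d %H:%M:%S"

# Assumption for the example: the firewall is configured for EST, modelled as a
# fixed UTC-5 offset (no daylight-saving handling).
EST = timezone(timedelta(hours=-5), "EST")


def parse_pan_timestamp(raw: str, device_tz: timezone) -> datetime:
    """Parse a zone-less PAN timestamp, attach the zone the device was
    configured with, and return an aware datetime normalised to UTC."""
    naive = datetime.strptime(raw, PAN_TS_FORMAT)
    return naive.replace(tzinfo=device_tz).astimezone(timezone.utc)


def default_utc_interpretation(raw: str) -> datetime:
    """What an ingest pipeline does by default with a zone-less timestamp:
    it simply assumes the value is already UTC."""
    return datetime.strptime(raw, PAN_TS_FORMAT).replace(tzinfo=timezone.utc)


def skew_hours(raw: str, device_tz: timezone) -> float:
    """How many hours the event lands away from its true time when the pipeline
    assumes UTC but the device actually logged in device_tz."""
    delta = parse_pan_timestamp(raw, device_tz) - default_utc_interpretation(raw)
    return delta.total_seconds() / 3600


if __name__ == "__main__":
    sample = "2020/01/25 08:00:00"  # constructed: "8:00:00 EST" as written by the firewall
    print(default_utc_interpretation(sample).isoformat())  # 2020-01-25T08:00:00+00:00
    print(parse_pan_timestamp(sample, EST).isoformat())     # 2020-01-25T13:00:00+00:00
    print(skew_hours(sample, EST))                          # 5.0
```

With the device left on EST, every event is placed five hours early; once the device's own time settings are changed to UTC, the value it writes is already UTC and the default interpretation is correct, so the skew is zero.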
Set up a syslog server that will capture logs coming from PAN devices.
Set a unique TCP port for each data type you're interested in. For example, if traffic, threat and system logs are to be shipped, configure your syslog server to receive them on three separate ports (5140, 5141 and 5142, for instance) and to write each type to a different folder on S3.
1. Exporting Logs from Appliances to S3
These instructions assume that your firewall has a basic configuration applied and you can connect to it.
Step 1 - Configure management logging
Log into your firewall's management interface.
Click the Devices tab, then in the left-hand menu click Server Properties > Syslog.
A Syslog Server Profile dialog box will appear.
You can either add a new configuration or modify an existing one to add the new syslog destination, as follows:
Type a configuration name in the name field.
Click Add.
Enter the syslog server name in the name field.
Enter the syslog server IP address or FQDN into the Syslog Server field.
Enter the transport type in the Transport field (UDP, TCP, TLS).
Enter the proper port for your syslog receiver.
In the Format field, select IETF if you are using the fluentd configuration snippet below.
Enter the proper facility; the default is LOG_USER.
Click on the OK button to complete the configuration.
To use the new syslog profile (or an existing one), click Log Settings and add the profile that should be used; click the Add button to add the profile.
This is an example of how to configure the firewall to send system-related events to your new syslog destination. Once the configuration is complete, click OK.
Create another profile like the one above for HIP Match.
Click on Objects > Log Forwarding, and then click Add.
Create a Log Forwarding Profile for threat-based logs. Once complete, click OK.
Create a Log Forwarding Profile for traffic-based logs. Once complete, click OK.
Once this is complete, commit the configuration to your firewall.
Step 2 - Fluentd Source Configuration
Please make sure to set the port value in the configuration below.
<source>
  @type syslog
  port {{Set to a valid port value}}
  bind 0.0.0.0
  @log_level trace
  frame_type octet_count
  <parse>
    @type syslog
    message_format rfc5424
    rfc5424_time_format %FT%T%:z
    with_priority true
  </parse>
  <format>
    @type single_value
  </format>
  <transport tcp>
  </transport>
  tag default_syslog
</source>
The parse section must be set exactly as shown above: fluentd is configured to expect RFC 5424 formatted messages with the required time format and with the priority field present.
2. Bringing logs from S3 to Hunters
Onboarding this data source requires the help of Hunters Support. Once you've completed the setup stages, contact Hunters Support using this form.
Expected format
Hunters expects PAN log files to be CSV-formatted. The following is an example of a typical traffic log (a single record, shown as one line):
1,2020/01/25 15:28:37,1234C543298CA52,TRAFFIC,start,2305,2020/01/25 15:28:37,10.120.94.200,172.217.3.121,10.104.12.123,172.217.3.121,in-to-out_internet,xxx\yyy,,quic,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,org-syslog-log-fw,2020/01/25 15:28:37,2061061,1,54388,443,19179,443,0x400000,udp,allow,1392,1392,0,1,2020/01/25 15:28:40,0,any,0,8652125730,0x0,10.0.0.0-10.255.255.255,United States,0,1,0,n/a,0,0,0,0,,aws-pa300-fw2,from-policy,,,0,,0,,N/A,0,0,0,0,2ecd13fd-4b56-40af-93e1-2658e29ac007,0,0,,,,,,,
The following is the list of the headers aligned with this sample:
future_use_1,receive_time,firewall_serial_number,type,threat_content_type,future_use_2,generated_time,virtual_system,event_id,stage,authentication_method,tunnel_type,source_user,source_region,machine_name,public_ip,public_ip_v6,private_ip,private_ip_v6,host_id,machine_serial_number,client_version,client_os,client_os_version,repeat_count,reason,error,description,status,location,login_duration,connect_method,error_code,portal,sequence_number,action_flags
To achieve this result, be sure to set the PAN log format to non-customized and configure the syslog forwarder so that it saves the logs exactly as received.
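The following added Python example (not code from Hunters, Palo Alto Networks or fluentd) shows what the fluentd source configuration in Step 2 and the expected format above amount to on the wire: a TCP stream carrying RFC 6587 octet-count frames, each holding an RFC 5424 message whose priority is present (facility LOG_USER, severity informational, so PRI 14) and whose MSG part is the untouched PAN CSV record that `single_value` forwards to S3. The RFC 5424 envelope (hostname, the `-` placeholders for APP-NAME, PROCID and MSGID) and the second, SYSTEM-type record are constructed for the example; the traffic record is the sample from this page. The CSV column positions used for type, source IP, application, action and device name are assumptions taken from the PAN-OS traffic log field order and should be checked against the field reference for your PAN-OS release.

```python
import csv
import io
import re

# Traffic record from the sample on this page, as the single CSV line the firewall emits.
# Assumed 0-based field positions (PAN-OS traffic log order; verify for your release):
# 3 = type, 4 = subtype, 7 = source IP, 8 = destination IP, 14 = application,
# 30 = action, 52 = device name.
SAMPLE_TRAFFIC_CSV = (
    "1,2020/01/25 15:28:37,1234C543298CA52,TRAFFIC,start,2305,2020/01/25 15:28:37,"
    "10.120.94.200,172.217.3.121,10.104.12.123,172.217.3.121,in-to-out_internet,"
    "xxx\\yyy,,quic,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,org-syslog-log-fw,"
    "2020/01/25 15:28:37,2061061,1,54388,443,19179,443,0x400000,udp,allow,1392,1392,"
    "0,1,2020/01/25 15:28:40,0,any,0,8652125730,0x0,10.0.0.0-10.255.255.255,United States,"
    "0,1,0,n/a,0,0,0,0,,aws-pa300-fw2,from-policy,,,0,,0,,N/A,0,0,0,0,"
    "2ecd13fd-4b56-40af-93e1-2658e29ac007,0,0,,,,,,,"
)
# Constructed second record so the stream carries more than one frame.
SAMPLE_SYSTEM_CSV = "1,2020/01/25 15:30:00,1234C543298CA52,SYSTEM,general,0,2020/01/25 15:30:00"

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$",
    re.DOTALL,
)


def rfc5424_frame(csv_body: str, hostname: str = "aws-pa300-fw2", pri: int = 14) -> bytes:
    """Wrap a CSV body in a constructed RFC 5424 envelope ('-' placeholders, since the
    firewall's own APP-NAME/PROCID/MSGID are not shown on the page) and apply RFC 6587
    octet-count framing: "<length> <message>". PRI 14 = LOG_USER (1) * 8 + informational (6)."""
    msg = f"<{pri}>1 2020-01-25T15:28:37Z {hostname} - - - - {csv_body}".encode("utf-8")
    return f"{len(msg)} ".encode("ascii") + msg


def split_octet_count_frames(stream: bytes) -> list[bytes]:
    """Split a TCP byte stream into messages using octet-count framing, which is what
    `frame_type octet_count` tells the fluentd syslog source to expect."""
    frames = []
    pos = 0
    while pos < len(stream):
        space = stream.find(b" ", pos)
        if space == -1 or not stream[pos:space].isdigit():
            raise ValueError(f"missing or malformed octet count at offset {pos}")
        length = int(stream[pos:space])
        start = space + 1
        if start + length > len(stream):
            raise ValueError(f"truncated frame at offset {start}")
        frames.append(stream[start:start + length])
        pos = start + length
    return frames


def parse_rfc5424(frame: bytes) -> dict:
    """Parse the RFC 5424 header (with_priority true) and keep the MSG part untouched,
    which is what `@type single_value` forwards to S3."""
    m = RFC5424_HEADER.match(frame.decode("utf-8"))
    if m is None:
        raise ValueError("not an RFC 5424 message")
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = divmod(pri, 8)
    return rec


def decode_stream(stream: bytes) -> list[dict]:
    """Frames -> RFC 5424 records -> CSV fields, mirroring the pipeline on this page."""
    records = []
    for frame in split_octet_count_frames(stream):
        rec = parse_rfc5424(frame)
        rec["fields"] = next(csv.reader(io.StringIO(rec["msg"])))
        rec["log_type"] = rec["fields"][3] if len(rec["fields"]) > 3 else ""
        records.append(rec)
    return records


SAMPLE_STREAM = rfc5424_frame(SAMPLE_TRAFFIC_CSV) + rfc5424_frame(SAMPLE_SYSTEM_CSV)

if __name__ == "__main__":
    for rec in decode_stream(SAMPLE_STREAM):
        print(rec["hostname"], rec["log_type"], rec["facility"], rec["severity"], len(rec["fields"]))
```

Two properties worth checking on your own receiver are visible here: the MSG returned for the traffic frame is byte-for-byte the CSV record that went in (so what lands in S3 is "exactly as received"), and a frame whose octet count exceeds the data available is rejected rather than silently merged with the next record.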