Palo Alto Networks
This article explains how to connect your Palo Alto Networks appliance to Hunters.
Supported data types
- Traffic log
- HIP Match log
- Threat log
- System log
Supported log formats
Hunters expects PAN log files to be CSV-formatted.
The following is an example of a typical traffic log record:
1,2020/01/25 15:28:37,1234C543298CA52,TRAFFIC,start,2305,2020/01/25 15:28:37,10.120.94.200,18.104.22.168,10.104.12.123,22.214.171.124,in-to-out_internet,xxx\yyy,,quic,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,org-syslog-log-fw,2020/01/25 15:28:37,2061061,1,54388,443,19179,443,0x400000,udp,allow,1392,1392,0,1,2020/01/25 15:28:40,0,any,0,8652125730,0x0,10.0.0.0-10.255.255.255,United States,0,1,0,n/a,0,0,0,0,,aws-pa300-fw2,from-policy,,,0,,0,,N/A,0,0,0,0,2ecd13fd-4b56-40af-93e1-2658e29ac007,0,0,,,,,,,
To obtain records in this form, keep the PAN log format non-customized (as explained below) and configure the syslog forwarder so that it saves the logs exactly as received, without adding syslog headers or otherwise rewriting the lines.
If Fluentd is used as your syslog server, set support_colonless_ident to false.
Prerequisites
Set up a syslog server that will capture logs coming from PAN devices.
Set a unique TCP port for each data type you are interested in. For example, if traffic, threat and system logs are to be shipped, configure your syslog server to listen for them on three ports, such as 5140, 5141 and 5142 (one per log type), and to write each port's logs to a different folder on S3.
Exporting logs from appliances to S3
Step 1 - Forward logs to the syslog server
Follow Palo Alto's instructions to start forwarding syslogs from appliances to your syslog server. Be sure to adhere to the following rules:
- Keep the default syslog format - BSD.
- Set TCP as the transport layer.
- For each log type (e.g., traffic, threat, system) enter the corresponding port defined in the prerequisites step.
- Keep the default log formats without customizing them.
Don't forget to commit your changes when you're finished.
Step 2 - Verify files written to S3
- Browse to the S3 bucket to which the syslog forwarder is set to send data.
- Download the latest file and open it.
- Make sure it is CSV-formatted exactly as generated by the appliance, with no syslog header prepended (compare it with the example record above).
Step 3 - Grant Hunters access to the S3 bucket
Create an IAM role attached to a policy that lets Hunters get objects from the S3 bucket, as described in the Access to Cloud Storage chapter.
Step 4 - Contact Hunters' representative
Contact your account manager to start ingesting this data into the platform.
PAN Timezone known issue
Firewall/Panorama and Traps always output logs without a timezone: the device's timezone setting is honored when the timestamp is written, but the zone itself is not included in the log. For example, if your Firewall is set to 8:00:00 EST, then the time in the syslog will be 8:00:00 (without the EST timezone). By default, Hunters treats timezone-free timestamps as if they were in UTC.
To overcome this issue and let Hunters infer the correct timestamp, you will have to change the time settings of the device so that the timestamps it emits match Hunters' default interpretation (UTC). As answered in PAN LiveCommunity, this change will not affect active sessions; the time zone is only used when displaying information and in the log events generated.
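As an added example (not code from the Hunters article or from Palo Alto Networks), the following Python script performs the Step 2 check on a downloaded line (a raw CSV record with no syslog header and a default-format Type field) and quantifies the timezone skew described in this section. The sample records are constructed from the traffic line shown earlier; the device zone offset passed to the helpers is an assumed input.

```python
import csv
import re
from datetime import datetime, timedelta, timezone
from io import StringIO

# Constructed samples: the article's traffic record, and the same record as a
# forwarder that keeps the BSD syslog header would write it (not "as received").
GOOD_LINE = (
    "1,2020/01/25 15:28:37,1234C543298CA52,TRAFFIC,start,2305,2020/01/25 15:28:37,"
    "10.120.94.200,18.104.22.168,10.104.12.123,22.214.171.124,in-to-out_internet,"
    "xxx\\yyy,,quic,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,org-syslog-log-fw,"
    "2020/01/25 15:28:37,2061061,1,54388,443,19179,443,0x400000,udp,allow,1392,1392,"
    "0,1,2020/01/25 15:28:40,0,any,0,8652125730,0x0,10.0.0.0-10.255.255.255,United States,"
    "0,1,0,n/a,0,0,0,0,,aws-pa300-fw2,from-policy,,,0,,0,,N/A,0,0,0,0,"
    "2ecd13fd-4b56-40af-93e1-2658e29ac007,0,0,,,,,,,"
)
BAD_LINE = "<14>Jan 25 15:28:37 aws-pa300-fw2 " + GOOD_LINE

SYSLOG_PRI = re.compile(r"^<\d{1,3}>")                    # BSD syslog priority prefix
PAN_TYPES = {"TRAFFIC", "THREAT", "SYSTEM", "HIP-MATCH"}  # default Type field (index 3)

def parse_fields(line):
    return next(csv.reader(StringIO(line)))

def check_line(line):
    """(ok, detail): ok only for a raw, non-customized PAN CSV record."""
    if SYSLOG_PRI.match(line):
        return False, "syslog header present: forwarder is not saving logs as received"
    fields = parse_fields(line)
    if len(fields) < 8 or fields[3] not in PAN_TYPES:
        return False, "not a default-format PAN record (customized log format?)"
    return True, fields[3]

def receive_time_utc(fields, device_tz_offset_hours):
    """PAN stamps carry no zone: interpret Receive Time (index 1) in the device's
    configured zone (assumed input) and return an aware UTC datetime."""
    tz = timezone(timedelta(hours=device_tz_offset_hours))
    naive = datetime.strptime(fields[1], "%Y/%m/%d %H:%M:%S")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)

def ingest_skew_hours(fields, device_tz_offset_hours):
    """Hours by which a UTC-assuming reader misplaces the event when the device
    is left in another zone; zero only when the device zone is UTC."""
    assumed = receive_time_utc(fields, 0)
    actual = receive_time_utc(fields, device_tz_offset_hours)
    return (assumed - actual).total_seconds() / 3600

if __name__ == "__main__":
    for line in (GOOD_LINE, BAD_LINE):
        print(check_line(line))
    print("skew if device is EST (UTC-5):", ingest_skew_hours(parse_fields(GOOD_LINE), -5))
```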