
Palo Alto Networks

This article explains how to connect your Palo Alto Networks appliance to Hunters.

Supported data types

Supported log formats

Hunters expects PAN log files to be CSV-formatted. The following is an example of a typical traffic log record (a single line, shown here as the appliance emits it):

1,2020/01/25 15:28:37,1234C543298CA52,TRAFFIC,start,2305,2020/01/25 15:28:37,10.120.94.200,172.217.3.121,10.104.12.123,172.217.3.121,in-to-out_internet,xxx\yyy,,quic,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,org-syslog-log-fw,2020/01/25 15:28:37,2061061,1,54388,443,19179,443,0x400000,udp,allow,1392,1392,0,1,2020/01/25 15:28:40,0,any,0,8652125730,0x0,10.0.0.0-10.255.255.255,United States,0,1,0,n/a,0,0,0,0,,aws-pa300-fw2,from-policy,,,0,,0,,N/A,0,0,0,0,2ecd13fd-4b56-40af-93e1-2658e29ac007,0,0,,,,,,,

To achieve this result, leave the PAN log format at its default (not customized, as explained below) and configure the syslog forwarder so that it saves the logs exactly as received, without adding its own headers or re-serializing the records.

If Fluentd is used as your syslog server, set support_colonless_ident to false.

Prerequisites

Set up a syslog server that will capture logs coming from PAN devices.

Set a unique TCP port for each data type you're interested in. For example, if traffic, threat and system logs are to be shipped, configure your syslog server to listen for them on ports 5140, 5141 and 5142 respectively, and to write each log type to a different folder on S3.

Exporting logs from appliances to S3

Step 1 - Forward logs to the syslog server

Follow Palo Alto's instructions to start forwarding syslogs from appliances to your syslog server. Be sure to adhere to the following rules:

  • Keep the default syslog format - BSD.
  • Set TCP as the transport layer.
  • For each log type (e.g., traffic, threat, system) enter the corresponding port defined in the prerequisites step.
  • Keep the default log formats without customizing them.

Don't forget to commit your changes when you're finished.

Step 2 - Verify files written to S3

  1. Browse to the S3 bucket to which the syslog forwarder is set to send data.
  2. Download the latest file and open it.
  3. Make sure it is CSV-formatted, exactly as the appliance generated it (no syslog headers or other wrapping added by the forwarder).

Step 3 - Grant Hunters access to the S3 bucket

Create an IAM role attached to a policy that lets Hunters get objects from the S3 bucket, as described in the Access to Cloud Storage chapter.

Step 4 - Contact Hunters' representative

Contact your account manager to start ingesting this data into the platform.

Troubleshooting

PAN Timezone known issue

Firewall/Panorama and Traps always output logs without a timezone: the device's timezone setting is honored, but the zone is not included in the log. For example, if your Firewall is set to 8:00:00 EST, then the time in the syslog will be 8:00:00 (without the EST timezone). By default, Hunters treats timezone-free timestamps as if they were in UTC.

In order to overcome this issue and let Hunters infer the correct timestamp, you'll have to change the time settings of the device. As answered in the PAN LiveCommunity, this change will not affect active sessions. The time zone is used only in the display of information and in the log events generated.
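The following added example (not part of the original article or of Hunters' tooling) implements the check behind Step 2 and illustrates the timezone issue above: it validates that a stored line is a default-format PAN CSV record saved exactly as received (no syslog header kept in front of it) and shows how the zone-less generated time lands in UTC depending on whether the device's timezone is known. The field positions assume the default, non-customized PAN-OS traffic-log layout; the sample record is the one shown earlier in this article, and the "EST" offset and the syslog-header heuristic are assumptions for the demonstration.

```python
import csv
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Optional

# Constructed sample: the article's traffic record, re-joined into the single CSV line
# the appliance emits.
SAMPLE_TRAFFIC_LINE = (
    r"1,2020/01/25 15:28:37,1234C543298CA52,TRAFFIC,start,2305,2020/01/25 15:28:37,"
    r"10.120.94.200,172.217.3.121,10.104.12.123,172.217.3.121,in-to-out_internet,"
    r"xxx\yyy,,quic,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,org-syslog-log-fw,"
    r"2020/01/25 15:28:37,2061061,1,54388,443,19179,443,0x400000,udp,allow,1392,1392,"
    r"0,1,2020/01/25 15:28:40,0,any,0,8652125730,0x0,10.0.0.0-10.255.255.255,United States,"
    r"0,1,0,n/a,0,0,0,0,,aws-pa300-fw2,from-policy,,,0,,0,,N/A,0,0,0,0,"
    r"2ecd13fd-4b56-40af-93e1-2658e29ac007,0,0,,,,,,,"
)

# 0-based positions of the default (non-customized) PAN-OS traffic-log fields used below.
RECEIVE_TIME, LOG_TYPE, GENERATED_TIME, SRC, DST, APP, DPORT, ACTION = 1, 3, 6, 7, 8, 14, 25, 30
PAN_TIME_FORMAT = "%Y/%m/%d %H:%M:%S"
EXPECTED_TYPES = {"TRAFFIC", "THREAT", "SYSTEM"}  # the log types this article ships
# Assumed device timezone matching the article's EST example (UTC-5), as a fixed offset
# so the example does not depend on a tz database.
EST = timezone(timedelta(hours=-5), "EST")


def pan_timestamp_to_utc(value: str, device_tz: Optional[tzinfo] = None) -> datetime:
    """PAN timestamps carry no zone. With device_tz=None this mimics the default
    (treat as UTC); pass the appliance's zone to recover the true instant."""
    naive = datetime.strptime(value, PAN_TIME_FORMAT)
    return naive.replace(tzinfo=device_tz or timezone.utc).astimezone(timezone.utc)


def validate_record(line: str) -> list:
    """Return the problems found in one stored line; an empty list means it looks
    like a default-format PAN CSV record saved exactly as received."""
    problems = []
    fields = next(csv.reader([line]))
    # Heuristic (assumed): the first field is a bare number, so whitespace or a
    # "<PRI>" in it means the forwarder kept the BSD syslog header in front of the record.
    if " " in fields[0] or fields[0].startswith("<"):
        problems.append("syslog header/priority prefix was kept in front of the record")
    if len(fields) <= ACTION:
        problems.append(f"only {len(fields)} fields; expected a full default-format record")
        return problems
    if fields[LOG_TYPE] not in EXPECTED_TYPES:
        problems.append(f"unexpected log type {fields[LOG_TYPE]!r} (customized format?)")
    for idx in (RECEIVE_TIME, GENERATED_TIME):
        try:
            datetime.strptime(fields[idx], PAN_TIME_FORMAT)
        except ValueError:
            problems.append(f"field {idx} {fields[idx]!r} is not a PAN timestamp")
    return problems


def parse_traffic_record(line: str, device_tz: Optional[tzinfo] = None) -> dict:
    """Pull the fields an analyst checks first, with the generated time normalized to UTC."""
    f = next(csv.reader([line]))
    return {"type": f[LOG_TYPE], "src": f[SRC], "dst": f[DST], "dport": int(f[DPORT]),
            "app": f[APP], "action": f[ACTION],
            "generated_utc": pan_timestamp_to_utc(f[GENERATED_TIME], device_tz)}
```

Running validate_record over every line of a downloaded S3 file before contacting Hunters catches forwarders that prepend syslog headers or re-serialize the CSV.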