Vendor

Palo Alto Networks

URL

https://www.paloaltonetworks.com/network-security/next-generation-firewall

Supported Product Versions

10.0 - Latest

Supported Product Logs

Traffic, System, Threat, Hip Match

Required Log Format

RFC5424 (IETF format)

Protocol / Delivery

Syslog

Sample Events

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/monitor/monitor-logs/log-types.html

More Information

https://www.paloaltonetworks.com/company/contact-support

Overview

This article explains how to connect your Palo Alto Networks appliance to Hunters.

Mandatory Prerequisite

PAN timezone known issue: by design, Palo Alto Networks firewalls do not include the timezone in the timestamps they write to the log. For example, if your firewall's clock is set to 8:00:00 EST, the time in the syslog message will be 8:00:00, with no EST indicator. By default, Hunters treats timezone-free timestamps as if they were in UTC.

To overcome this issue and let Hunters infer the correct timestamp, you are required to change the time settings of the device itself. As answered in the PAN LiveCommunity, this change will not affect active sessions; the time zone is used only when displaying information and in the log events generated.

Note: if you are forwarding logs from multiple devices, you are required to perform this change on all of them.

Supported data types

Supported log formats

Hunters expects PAN log files to be CSV-formatted. The following is an example of a typical traffic log record (a single CSV line):

1,2020/01/25 15:28:37,1234C543298CA52,TRAFFIC,start,2305,2020/01/25 15:28:37,10.120.94.200,172.217.3.121,10.104.12.123,172.217.3.121,in-to-out_internet,xxx\yyy,,quic,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,org-syslog-log-fw,2020/01/25 15:28:37,2061061,1,54388,443,19179,443,0x400000,udp,allow,1392,1392,0,1,2020/01/25 15:28:40,0,any,0,8652125730,0x0,10.0.0.0-10.255.255.255,United States,0,1,0,n/a,0,0,0,0,,aws-pa300-fw2,from-policy,,,0,,0,,N/A,0,0,0,0,2ecd13fd-4b56-40af-93e1-2658e29ac007,0,0,,,,,,,

To achieve this result, make sure the PAN log format is set to the non-customized (default) format, as explained below, and configure the syslog forwarder so that it saves the logs exactly as received.
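The two points above, the CSV record layout and the timezone-free timestamps, are easy to get wrong silently, so here is an added example (not code from the original article or from Palo Alto Networks / Hunters) that parses the sample traffic record by field position and shows the skew introduced when a zone-less PAN timestamp is ingested as UTC. The field positions follow the documented PAN-OS traffic log field order and are an assumption to verify against the log-types reference for your PAN-OS version; the EST offset is a constructed fixed offset of UTC-5.

```python
import csv
from datetime import datetime, timedelta, timezone

# The traffic record from the article, constructed here as one CSV line.
SAMPLE_TRAFFIC = (
    "1,2020/01/25 15:28:37,1234C543298CA52,TRAFFIC,start,2305,2020/01/25 15:28:37,"
    "10.120.94.200,172.217.3.121,10.104.12.123,172.217.3.121,in-to-out_internet,"
    "xxx\\yyy,,quic,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,org-syslog-log-fw,"
    "2020/01/25 15:28:37,2061061,1,54388,443,19179,443,0x400000,udp,allow,1392,1392,"
    "0,1,2020/01/25 15:28:40,0,any,0,8652125730,0x0,10.0.0.0-10.255.255.255,United States,"
    "0,1,0,n/a,0,0,0,0,,aws-pa300-fw2,from-policy,,,0,,0,,N/A,0,0,0,0,2ecd13fd-4b56"
    "-40af-93e1-2658e29ac007,0,0,,,,,,,"
)

# Zero-based positions in a PAN-OS traffic record (assumption: check the
# log-types reference for your PAN-OS version; unused FUTURE_USE fields are skipped).
TRAFFIC_FIELDS = {
    "receive_time": 1, "serial": 2, "type": 3, "subtype": 4, "generated_time": 6,
    "src_ip": 7, "dst_ip": 8, "rule": 11, "src_user": 12, "app": 14,
    "src_zone": 16, "dst_zone": 17, "src_port": 24, "dst_port": 25,
    "proto": 29, "action": 30, "bytes": 31,
}

# PAN timestamps carry no UTC offset: this is the known issue from the prerequisite.
PAN_TIME_FORMAT = "%Y/%m/%d %H:%M:%S"

# Constructed stand-in for a firewall set to EST (UTC-5), as in the article's example.
EST = timezone(timedelta(hours=-5))


def parse_traffic_line(line: str) -> dict:
    """Split one CSV record and pick the fields of interest by position."""
    row = next(csv.reader([line]))  # csv handles quoting; backslashes are literal
    if len(row) < 43 or row[3] != "TRAFFIC":
        raise ValueError("not a PAN traffic record")
    rec = {name: row[idx] for name, idx in TRAFFIC_FIELDS.items()}
    for key in ("src_port", "dst_port", "bytes"):
        rec[key] = int(rec[key])
    return rec


def pan_time_to_utc(ts: str, device_tz: timezone) -> datetime:
    """Attach the firewall's configured zone to a zone-less PAN timestamp and
    normalise it to UTC."""
    naive = datetime.strptime(ts, PAN_TIME_FORMAT)
    return naive.replace(tzinfo=device_tz).astimezone(timezone.utc)


def timezone_skew(ts: str, device_tz: timezone) -> timedelta:
    """How far off a pipeline is when it assumes UTC for a timestamp the firewall
    actually wrote in device_tz. Zero when the device itself runs on UTC, which is
    why the prerequisite asks you to change the device's time settings."""
    assumed = pan_time_to_utc(ts, timezone.utc)
    actual = pan_time_to_utc(ts, device_tz)
    return actual - assumed


if __name__ == "__main__":
    rec = parse_traffic_line(SAMPLE_TRAFFIC)
    print(rec["src_ip"], "->", rec["dst_ip"], rec["app"], rec["action"])
    print("skew if device is on EST:", timezone_skew(rec["generated_time"], EST))
```

A five-hour skew on an EST device is enough to place a connection in the wrong hour, or the wrong day near midnight, when correlating with other sources, which is the practical reason the timezone prerequisite is mandatory rather than cosmetic.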

Additional Prerequisites

Set up a syslog server that will capture logs coming from PAN devices.

Set a unique TCP port for each data type you're interested in. For example, if traffic, threat and system logs are to be shipped, configure your syslog server to receive them on ports 5140, 5141 and 5142 respectively and to write each type to a different folder on S3.

Exporting logs from appliances to S3

Step 1 - Configure management logging

These instructions assume that your firewall has a basic configuration applied and that you can connect to it.

  1. Log on to your firewall's management interface.

  2. At the top, click the Devices tab; then, in the left-hand menu, click Server Properties and then Syslog.

  3. A Syslog Server Profile dialog box will appear. You can either add a new configuration or modify an existing one to add the new syslog destination, as follows:

    1. Type a configuration name in the Name field.

    2. Click the Add button.

    3. Enter the syslog server name in the Name field.

    4. Enter the syslog server IP address or FQDN into the Syslog Server field.

    5. Enter the transport type in the Transport field (UDP, TCP, TLS).

    6. Enter the port your syslog receiver listens on.

    7. In the Format field, select IETF if you are using the fluentd configuration snippet below.

    8. Enter the facility; the default, LOG_USER, is fine.

    9. Click OK to complete the configuration.

  4. To use the new syslog profile (or one you already have), click Log Settings, click Add, and select the profile that should be used.

  5. As an example, configure the firewall to send system-related events to the new syslog destination. Once the configuration is complete, click OK.

  6. Create another profile in the same way for HIP Match.

Step 2 - Fluentd source configuration

<source>
  @type syslog
  port {{Set to a valid port value}}
  bind 0.0.0.0
  @log_level trace
  frame_type octet_count
  <parse>
    @type syslog
    message_format rfc5424
    rfc5424_time_format %FT%T%:z
    with_priority true
  </parse>
  <format>
    @type single_value
  </format>
  <transport tcp>
  </transport>
  tag default_syslog
</source>

Make sure to set the port value in the configuration above.

The parse section must be set exactly as shown: fluentd is configured to expect RFC 5424-formatted messages with the time format above and with the priority field present.
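To see what the source above actually has to deal with, here is an added example (not code from the original article and not fluentd's own parser) that splits an octet-counted TCP stream (the framing selected by frame_type octet_count, RFC 6587), decodes the RFC 5424 header including the priority value, and keeps only the message body, which is what single_value then writes to disk. The sample stream is constructed: the CSV bodies are shortened and the header fields (hostname, and the "-" placeholders for app-name, procid, msgid and structured data) are assumptions for illustration, not captured PAN-OS output.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: two RFC 6587 octet-counted frames ("LEN SP MSG" back to
# back), as a TCP receiver with frame_type octet_count would read them.
CSV_TRAFFIC = "1,2020/01/25 15:28:37,1234C543298CA52,TRAFFIC,start,2305,2020/01/25 15:28:37,10.120.94.200,172.217.3.121"
CSV_SYSTEM = "1,2020/01/25 15:28:40,1234C543298CA52,SYSTEM,general,0,2020/01/25 15:28:40,,,"
MSG_TRAFFIC = f"<14>1 2020-01-25T15:28:37+00:00 aws-pa300-fw2 - - - - {CSV_TRAFFIC}"
MSG_SYSTEM = f"<14>1 2020-01-25T15:28:40+00:00 aws-pa300-fw2 - - - - {CSV_SYSTEM}"
STREAM = b"".join(f"{len(m.encode())} {m}".encode() for m in (MSG_TRAFFIC, MSG_SYSTEM))

# RFC 5424 header: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID
# SP MSGID SP STRUCTURED-DATA [SP MSG]
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$",
    re.S,
)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: datetime
    hostname: str
    msg: str


def split_octet_counted(stream: bytes) -> list:
    """Split an octet-counted stream into individual syslog messages."""
    frames, pos = [], 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)          # digits up to the first space are the length
        length = int(stream[pos:sp])
        start = sp + 1
        if start + length > len(stream):
            raise ValueError("truncated frame")
        frames.append(stream[start:start + length])
        pos = start + length
    return frames


def parse_rfc5424(frame: bytes) -> SyslogMessage:
    """Decode the header the way message_format rfc5424 with with_priority true does."""
    m = RFC5424_HEADER.match(frame.decode("utf-8"))
    if not m or m["ver"] != "1":
        raise ValueError("not an RFC 5424 version-1 message")
    pri = int(m["pri"])
    return SyslogMessage(
        facility=pri >> 3,                          # <14>: facility 1 (LOG_USER)
        severity=pri & 7,                           #       severity 6 (informational)
        timestamp=datetime.fromisoformat(m["ts"]),  # the %FT%T%:z layout from the config
        hostname=m["host"],
        msg=m["msg"] or "",
    )


def extract_csv_records(stream: bytes) -> list:
    """What @type single_value leaves behind: only the CSV bodies, one per line."""
    return [parse_rfc5424(f).msg for f in split_octet_counted(stream)]


if __name__ == "__main__":
    for record in extract_csv_records(STREAM):
        print(record)
```

If the bodies that come out do not start with the familiar "1,YYYY/MM/DD HH:MM:SS,serial,TYPE," prefix, the firewall's format is customised or the forwarder is rewriting the message, and the Step 3 check below will fail.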

Step 3 - Verify files written

  1. Browse to the S3 bucket to which the syslog forwarder is set to send data.

  2. Download the latest file and open it.

  3. Make sure it is CSV-formatted, exactly as generated by the firewall.

Step 4 - Grant Hunters access to the S3 bucket

Create an IAM role attached to a policy that lets Hunters get objects from the S3 bucket, as described in the Access to Cloud Storage chapter.

Step 5 - Contact Hunters' representative

Contact your account manager to start ingesting this data into the platform.


References

https://docs.ruby-lang.org/en/2.4.0/Time.html#method-i-strftime

https://docs.fluentd.org/configuration/format-section

https://regexr.com/