Palo Alto Firewall
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Sample Parsed Palo Alto Syslog Message
- Settings for Access Credentials
What is Discovered and Monitored
Protocol |
Information Discovered |
Metrics collected |
Used for |
---|---|---|---|
SNMP |
Host name, Hardware model, Network interfaces, Operating system version |
Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count |
Availability and Performance Monitoring |
Telnet/SSH |
Running configuration |
Configuration Change |
Performance Monitoring, Security and Compliance |
Syslog |
Device type |
Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs |
Availability, Security and Compliance |
Event Types
In ADMIN > Device Support > Event Types, search for "palo alto" to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In RESOURCES > Reports, search for "palo alto" in the main content panel Search... field to see the reports associated with this device.
Configuration
- SNMP, SSH, and Ping
- Syslog
- Set the Severity of Logs to Send to FortiSIEM
- Create a Log Forwarding Profile
- Use the Log Forwarding Profile in Firewall Policies
- Logging Permitted Web Traffic
SNMP, SSH, and Ping
- Log in to the management console for your firewall with administrator privileges.
- In the Device tab, click Setup.
- Click Edit.
- Under MGMT Interface Services, make sure SSH, Ping, and SNMP are selected.
- For SNMP Community String, enter
public
. - If there are entries in the Permitted IP list, Add the IP address of your FortiSIEM virtual appliance.
- Click OK.
- Go to Setup > Management and check that SNMP is enabled on the management interface.
Syslog
Set FortiSIEM as a Syslog Destination
- Log in to the management console for your firewall with administrator privileges.
- In the Device tab, go to Log Destinations > Syslog.
- Click New.
- Enter a Name for your FortiSIEM virtual appliance.
- For Server, enter the IP address of your virtual appliance.
- For Port, enter 514.
- For Facility, select LOG_USER.
- Click OK.
Set the Severity of Logs to Send to FortiSIEM
- In the Device tab, go to Log Settings > System.
- Click Edit....
- For each type of log you want sent to FortiSIEM, select the FortiSIEM virtual appliance in the Syslog menu.
- Click OK.
Create a Log Forwarding Profile
- In the Objects tab, go to Log Forwarding > System.
- Create a new log forwarding profile by entering a Name for the profile, and then setting Syslog to the IP address of your FortiSIEM virtual appliance for each type of log you want send to FortiSIEM.
- Click OK.
Use the Log Forwarding Profile in Firewall Policies
- In the Policies tab, go to Security > System.
- For each security rule that you want to send logs to FortiSIEM, click Options.
- For Log Forwarding Profile, select the profile you created for FortiSIEM.
- Click OK.
- Commit changes.
Logging Permitted Web Traffic
By default, Palo Alto firewalls only log web traffic that is blocked by URL filtering policies. If you must log permitted web traffic, follow these steps.
- In the Objects tab, go to Security Profiles > URL Filtering.
- Edit an existing profile by clicking on its name, or click Add to create a new one.
- For website categories that you want to log, select Alert.
Traffic matching these website category definitions will be logged. - Click OK.
- For each security rule that you want to send logs to FortiSIEM, edit the rule and add the new url filter.
Sample Parsed Palo Alto Syslog Message
<14>May 6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,2010/05/06 15:50:58,192.168.28.21,172.16.255.78,::172.16.255.78,172.16.255.78,rule3,,,icmp,vsys1,untrust,untrust,ethernet1/1,ethernet1/1,syslog-172.16.20.152,2010/05/06 15:51:04,600,2,0,0,0,0,0x40,icmp,allow,196,196,196,2,2010/05/06 15:50:58,0,any,0 <14>May 6 15:51:15 1,2010/05/06 15:51:15,0006C101167,SYSTEM,general,0,2010/05/06 15:51:15,,unknown,,0,0,general,informational,User admin logged in via CLI from 192.168.28.21 <14>May 9 17:55:21 1,2010/05/09 17:55:21,0006C101167,THREAT,url,6,2010/05/09 17:55:20,172.16.2.2,216.163.137.68,::172.16.255.78,216.163.137.68,DynamicDefault,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,syslog-172.16.20.152,2010/05/09 17:55:21,976,1,1126,80,38931,80,0x40,tcp,block-url,"www.playboy.com/favicon.ico",(9999),adult-and-pornography,informational,0
Settings for Access Credentials
SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.
Setting | Value |
---|---|
Name | <set name> |
Device Type | Generic |
Access Protocol | SNMP |
Community String | <your own> |
Telnet Access Credentials for All Devices
These are the generic settings for providing Telnet access to your device from FortiSIEM.
Setting | Value |
---|---|
Name | Telnet-generic |
Device Type | generic |
Access Protocol | Telnet |
Port | 23 |
User Name | A user who has permission to access the device over Telnet |
Password | The password associated with the user |
SSH Access Credentials for All Devices
These are the generic settings for providing SSH access to your device from FortiSIEM.
Setting | Value |
---|---|
Name | ssh-generic |
Device Type | Generic |
Access Protocol | SSH |
Port | 22 |
User Name | A user who has access credentials for your device over SSH |
Password | The password for the user |