Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

Palo Alto Firewall

What is Discovered and Monitored

Protocol

Information Discovered

Metrics collected

Used for

SNMP

Host name, Hardware model, Network interfaces,  Operating system version

Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count

Availability and Performance Monitoring

Telnet/SSH

Running configuration

Configuration Change

Performance Monitoring, Security and Compliance

Syslog

Device type

Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs

Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "palo alto" to see the event types associated with this device. In 6.3.0, the Palo Alto parser has been enhanced to handle some firewall generated Palo Alto Wildfire log events.

Rules

There are no predefined rules for this device. 

Reports

In RESOURCES > Reports, search for "palo alto" in the main content panel Search... field to see the reports associated with this device. 

Configuration

SNMP, SSH, and Ping
  1. Log in to the management console for your firewall with administrator privileges.
  2. In the Device tab, click Setup.
  3. Click Edit.
  4. Under MGMT Interface Services, make sure SSH, Ping, and SNMP are selected.
  5. For SNMP Community String, enter public
  6. If there are entries in the Permitted IP list, Add the IP address of your FortiSIEM virtual appliance. 
  7. Click OK.
  8. Go to Setup > Management and check that SNMP is enabled on the management interface.
Syslog
Set FortiSIEM as a Syslog Destination
  1. Log in to the management console for your firewall with administrator privileges.
  2. In the Device tab, go to Log Destinations > Syslog.
  3. Click New.
  4. Enter a Name for your FortiSIEM virtual appliance.
  5. For Server, enter the IP address of your virtual appliance. 
  6. For Port, enter 514.
  7. For Facility, select LOG_USER.
  8. Click OK.
Set the Severity of Logs to Send to FortiSIEM
  1. In the Device tab, go to Log Settings > System.
  2. Click Edit....
  3. For each type of log you want sent to FortiSIEM, select the FortiSIEM virtual appliance in the Syslog menu. 
  4. Click OK
Create a Log Forwarding Profile
  1. In the Objects tab, go to Log Forwarding > System.
  2. Create a new log forwarding profile by entering a Name for the profile, and then setting Syslog to the IP address of your FortiSIEM virtual appliance for each type of log you want send to FortiSIEM. 
  3. Click OK
Use the Log Forwarding Profile in Firewall Policies
  1. In the Policies tab, go to Security > System.
  2. For each security rule that you want to send logs to FortiSIEM, click Options.
  3. For Log Forwarding Profile, select the profile you created for FortiSIEM.
  4. Click OK.
  5. Commit changes.
Logging Permitted Web Traffic

By default, Palo Alto firewalls only log web traffic that is blocked by URL filtering policies. If you must log permitted web traffic, follow these steps. 

  1. In the Objects tab, go to Security Profiles > URL Filtering.
  2. Edit an existing profile by clicking on its name, or click Add to create a new one.
  3. For website categories that you want to log, select Alert.
    Traffic matching these website category definitions will be logged.
  4. Click OK.  
  5. For each security rule that you want to send logs to FortiSIEM, edit the rule and add the new url filter.

Sample Parsed Palo Alto Syslog Message

<14>May  6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,2010/05/06 15:50:58,192.168.28.21,172.16.255.78,::172.16.255.78,172.16.255.78,rule3,,,icmp,vsys1,untrust,untrust,ethernet1/1,ethernet1/1,syslog-172.16.20.152,2010/05/06 15:51:04,600,2,0,0,0,0,0x40,icmp,allow,196,196,196,2,2010/05/06 15:50:58,0,any,0

<14>May  6 15:51:15 1,2010/05/06 15:51:15,0006C101167,SYSTEM,general,0,2010/05/06 15:51:15,,unknown,,0,0,general,informational,User admin logged in via CLI from 192.168.28.21

<14>May  9 17:55:21 1,2010/05/09 17:55:21,0006C101167,THREAT,url,6,2010/05/09 17:55:20,172.16.2.2,216.163.137.68,::172.16.255.78,216.163.137.68,DynamicDefault,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,syslog-172.16.20.152,2010/05/09 17:55:21,976,1,1126,80,38931,80,0x40,tcp,block-url,"www.playboy.com/favicon.ico",(9999),adult-and-pornography,informational,0

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Setting Value
Name <set name>
Device Type Generic
Access Protocol SNMP
Community String <your own>
Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting Value
Name Telnet-generic
Device Type generic
Access Protocol Telnet
Port 23
User Name A user who has permission to access the device over Telnet
Password The password associated with the user
SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting Value
Name ssh-generic
Device Type Generic
Access Protocol SSH
Port 22
User Name A user who has access credentials for your device over SSH
Password The password for the user

Palo Alto Firewall

What is Discovered and Monitored

Protocol

Information Discovered

Metrics collected

Used for

SNMP

Host name, Hardware model, Network interfaces,  Operating system version

Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count

Availability and Performance Monitoring

Telnet/SSH

Running configuration

Configuration Change

Performance Monitoring, Security and Compliance

Syslog

Device type

Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs

Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "palo alto" to see the event types associated with this device. In 6.3.0, the Palo Alto parser has been enhanced to handle some firewall generated Palo Alto Wildfire log events.

Rules

There are no predefined rules for this device. 

Reports

In RESOURCES > Reports, search for "palo alto" in the main content panel Search... field to see the reports associated with this device. 

Configuration

SNMP, SSH, and Ping
  1. Log in to the management console for your firewall with administrator privileges.
  2. In the Device tab, click Setup.
  3. Click Edit.
  4. Under MGMT Interface Services, make sure SSH, Ping, and SNMP are selected.
  5. For SNMP Community String, enter public
  6. If there are entries in the Permitted IP list, Add the IP address of your FortiSIEM virtual appliance. 
  7. Click OK.
  8. Go to Setup > Management and check that SNMP is enabled on the management interface.
Syslog
Set FortiSIEM as a Syslog Destination
  1. Log in to the management console for your firewall with administrator privileges.
  2. In the Device tab, go to Log Destinations > Syslog.
  3. Click New.
  4. Enter a Name for your FortiSIEM virtual appliance.
  5. For Server, enter the IP address of your virtual appliance. 
  6. For Port, enter 514.
  7. For Facility, select LOG_USER.
  8. Click OK.
Set the Severity of Logs to Send to FortiSIEM
  1. In the Device tab, go to Log Settings > System.
  2. Click Edit....
  3. For each type of log you want sent to FortiSIEM, select the FortiSIEM virtual appliance in the Syslog menu. 
  4. Click OK
Create a Log Forwarding Profile
  1. In the Objects tab, go to Log Forwarding > System.
  2. Create a new log forwarding profile by entering a Name for the profile, and then setting Syslog to the IP address of your FortiSIEM virtual appliance for each type of log you want send to FortiSIEM. 
  3. Click OK
Use the Log Forwarding Profile in Firewall Policies
  1. In the Policies tab, go to Security > System.
  2. For each security rule that you want to send logs to FortiSIEM, click Options.
  3. For Log Forwarding Profile, select the profile you created for FortiSIEM.
  4. Click OK.
  5. Commit changes.
Logging Permitted Web Traffic

By default, Palo Alto firewalls only log web traffic that is blocked by URL filtering policies. If you must log permitted web traffic, follow these steps. 

  1. In the Objects tab, go to Security Profiles > URL Filtering.
  2. Edit an existing profile by clicking on its name, or click Add to create a new one.
  3. For website categories that you want to log, select Alert.
    Traffic matching these website category definitions will be logged.
  4. Click OK.  
  5. For each security rule that you want to send logs to FortiSIEM, edit the rule and add the new url filter.

Sample Parsed Palo Alto Syslog Message

<14>May  6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,2010/05/06 15:50:58,192.168.28.21,172.16.255.78,::172.16.255.78,172.16.255.78,rule3,,,icmp,vsys1,untrust,untrust,ethernet1/1,ethernet1/1,syslog-172.16.20.152,2010/05/06 15:51:04,600,2,0,0,0,0,0x40,icmp,allow,196,196,196,2,2010/05/06 15:50:58,0,any,0

<14>May  6 15:51:15 1,2010/05/06 15:51:15,0006C101167,SYSTEM,general,0,2010/05/06 15:51:15,,unknown,,0,0,general,informational,User admin logged in via CLI from 192.168.28.21

<14>May  9 17:55:21 1,2010/05/09 17:55:21,0006C101167,THREAT,url,6,2010/05/09 17:55:20,172.16.2.2,216.163.137.68,::172.16.255.78,216.163.137.68,DynamicDefault,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,syslog-172.16.20.152,2010/05/09 17:55:21,976,1,1126,80,38931,80,0x40,tcp,block-url,"www.playboy.com/favicon.ico",(9999),adult-and-pornography,informational,0

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Setting Value
Name <set name>
Device Type Generic
Access Protocol SNMP
Community String <your own>
Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting Value
Name Telnet-generic
Device Type generic
Access Protocol Telnet
Port 23
User Name A user who has permission to access the device over Telnet
Password The password associated with the user
SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting Value
Name ssh-generic
Device Type Generic
Access Protocol SSH
Port 22
User Name A user who has access credentials for your device over SSH
Password The password for the user