Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 6.6.1 External Systems Configuration Guide
    6.6.1
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Palo Alto Firewall

    Palo Alto Firewall

    What is Discovered and Monitored

    Protocol

    Information Discovered

    Metrics collected

    Used for

    SNMP

    Host name, Hardware model, Network interfaces, Operating system version

    Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count

    Availability and Performance Monitoring

    Telnet/SSH

    Running configuration

    Configuration Change

    Performance Monitoring, Security and Compliance

    Syslog

    Device type

    Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs

    Availability, Security and Compliance

    Event Types

    In ADMIN > Device Support > Event Types, search for "palo alto" to see the event types associated with this device. In 6.3.0, the Palo Alto parser has been enhanced to handle some firewall generated Palo Alto Wildfire log events.

    Rules

    There are no predefined rules for this device.

    Reports

    In RESOURCES > Reports, search for "palo alto" in the main content panel Search... field to see the reports associated with this device.

    Configuration

    SNMP, SSH, and Ping
    1. Log in to the management console for your firewall with administrator privileges.
    2. In the Device tab, click Setup.
    3. Click Edit.
    4. Under MGMT Interface Services, make sure SSH, Ping, and SNMP are selected.
    5. For SNMP Community String, enter public.
    6. If there are entries in the Permitted IP list, Add the IP address of your FortiSIEM virtual appliance.
    7. Click OK.
    8. Go to Setup > Management and check that SNMP is enabled on the management interface.
    Syslog
    Set FortiSIEM as a Syslog Destination
    1. Log in to the management console for your firewall with administrator privileges.
    2. In the Device tab, go to Log Destinations > Syslog.
    3. Click New.
    4. Enter a Name for your FortiSIEM virtual appliance.
    5. For Server, enter the IP address of your virtual appliance.
    6. For Port, enter 514.
    7. For Facility, select LOG_USER.
    8. Click OK.
    Set the Severity of Logs to Send to FortiSIEM
    1. In the Device tab, go to Log Settings > System.
    2. Click Edit....
    3. For each type of log you want sent to FortiSIEM, select the FortiSIEM virtual appliance in the Syslog menu.
    4. Click OK.
    Create a Log Forwarding Profile
    1. In the Objects tab, go to Log Forwarding > System.
    2. Create a new log forwarding profile by entering a Name for the profile, and then setting Syslog to the IP address of your FortiSIEM virtual appliance for each type of log you want send to FortiSIEM.
    3. Click OK.
    Use the Log Forwarding Profile in Firewall Policies
    1. In the Policies tab, go to Security > System.
    2. For each security rule that you want to send logs to FortiSIEM, click Options.
    3. For Log Forwarding Profile, select the profile you created for FortiSIEM.
    4. Click OK.
    5. Commit changes.
    Logging Permitted Web Traffic

    By default, Palo Alto firewalls only log web traffic that is blocked by URL filtering policies. If you must log permitted web traffic, follow these steps.

    1. In the Objects tab, go to Security Profiles > URL Filtering.
    2. Edit an existing profile by clicking on its name, or click Add to create a new one.
    3. For website categories that you want to log, select Alert.
      Traffic matching these website category definitions will be logged.
    4. Click OK.
    5. For each security rule that you want to send logs to FortiSIEM, edit the rule and add the new url filter.

    Sample Parsed Palo Alto Syslog Message

    <14>May  6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,2010/05/06 15:50:58,192.168.28.21,172.16.255.78,::172.16.255.78,172.16.255.78,rule3,,,icmp,vsys1,untrust,untrust,ethernet1/1,ethernet1/1,syslog-172.16.20.152,2010/05/06 15:51:04,600,2,0,0,0,0,0x40,icmp,allow,196,196,196,2,2010/05/06 15:50:58,0,any,0

<14>May  6 15:51:15 1,2010/05/06 15:51:15,0006C101167,SYSTEM,general,0,2010/05/06 15:51:15,,unknown,,0,0,general,informational,User admin logged in via CLI from 192.168.28.21

<14>May  9 17:55:21 1,2010/05/09 17:55:21,0006C101167,THREAT,url,6,2010/05/09 17:55:20,172.16.2.2,216.163.137.68,::172.16.255.78,216.163.137.68,DynamicDefault,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,syslog-172.16.20.152,2010/05/09 17:55:21,976,1,1126,80,38931,80,0x40,tcp,block-url,"www.playboy.com/favicon.ico",(9999),adult-and-pornography,informational,0

    Settings for Access Credentials

    SNMP Access Credentials for All Devices

    Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

    Setting Value
    Name <set name>
    Device Type Generic
    Access Protocol SNMP
    Community String <your own>
    Telnet Access Credentials for All Devices

    These are the generic settings for providing Telnet access to your device from FortiSIEM.

    Setting Value
    Name Telnet-generic
    Device Type generic
    Access Protocol Telnet
    Port 23
    User Name A user who has permission to access the device over Telnet
    Password The password associated with the user
    SSH Access Credentials for All Devices

    These are the generic settings for providing SSH access to your device from FortiSIEM.

    Setting Value
    Name ssh-generic
    Device Type Generic
    Access Protocol SSH
    Port 22
    User Name A user who has access credentials for your device over SSH
    Password The password for the user
    Previous
    Next

    Palo Alto Firewall

    Palo Alto Firewall

    What is Discovered and Monitored

    Protocol

    Information Discovered

    Metrics collected

    Used for

    SNMP

    Host name, Hardware model, Network interfaces, Operating system version

    Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count

    Availability and Performance Monitoring

    Telnet/SSH

    Running configuration

    Configuration Change

    Performance Monitoring, Security and Compliance

    Syslog

    Device type

    Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs

    Availability, Security and Compliance

    Event Types

    In ADMIN > Device Support > Event Types, search for "palo alto" to see the event types associated with this device. In 6.3.0, the Palo Alto parser has been enhanced to handle some firewall generated Palo Alto Wildfire log events.

    Rules

    There are no predefined rules for this device.

    Reports

    In RESOURCES > Reports, search for "palo alto" in the main content panel Search... field to see the reports associated with this device.

    Configuration

    SNMP, SSH, and Ping
    1. Log in to the management console for your firewall with administrator privileges.
    2. In the Device tab, click Setup.
    3. Click Edit.
    4. Under MGMT Interface Services, make sure SSH, Ping, and SNMP are selected.
    5. For SNMP Community String, enter public.
    6. If there are entries in the Permitted IP list, Add the IP address of your FortiSIEM virtual appliance.
    7. Click OK.
    8. Go to Setup > Management and check that SNMP is enabled on the management interface.
    Syslog
    Set FortiSIEM as a Syslog Destination
    1. Log in to the management console for your firewall with administrator privileges.
    2. In the Device tab, go to Log Destinations > Syslog.
    3. Click New.
    4. Enter a Name for your FortiSIEM virtual appliance.
    5. For Server, enter the IP address of your virtual appliance.
    6. For Port, enter 514.
    7. For Facility, select LOG_USER.
    8. Click OK.
    Set the Severity of Logs to Send to FortiSIEM
    1. In the Device tab, go to Log Settings > System.
    2. Click Edit....
    3. For each type of log you want sent to FortiSIEM, select the FortiSIEM virtual appliance in the Syslog menu.
    4. Click OK.
    Create a Log Forwarding Profile
    1. In the Objects tab, go to Log Forwarding > System.
    2. Create a new log forwarding profile by entering a Name for the profile, and then setting Syslog to the IP address of your FortiSIEM virtual appliance for each type of log you want send to FortiSIEM.
    3. Click OK.
    Use the Log Forwarding Profile in Firewall Policies
    1. In the Policies tab, go to Security > System.
    2. For each security rule that you want to send logs to FortiSIEM, click Options.
    3. For Log Forwarding Profile, select the profile you created for FortiSIEM.
    4. Click OK.
    5. Commit changes.
    Logging Permitted Web Traffic

    By default, Palo Alto firewalls only log web traffic that is blocked by URL filtering policies. If you must log permitted web traffic, follow these steps.

    1. In the Objects tab, go to Security Profiles > URL Filtering.
    2. Edit an existing profile by clicking on its name, or click Add to create a new one.
    3. For website categories that you want to log, select Alert.
      Traffic matching these website category definitions will be logged.
    4. Click OK.
    5. For each security rule that you want to send logs to FortiSIEM, edit the rule and add the new url filter.

    Sample Parsed Palo Alto Syslog Message

    <14>May  6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,2010/05/06 15:50:58,192.168.28.21,172.16.255.78,::172.16.255.78,172.16.255.78,rule3,,,icmp,vsys1,untrust,untrust,ethernet1/1,ethernet1/1,syslog-172.16.20.152,2010/05/06 15:51:04,600,2,0,0,0,0,0x40,icmp,allow,196,196,196,2,2010/05/06 15:50:58,0,any,0

<14>May  6 15:51:15 1,2010/05/06 15:51:15,0006C101167,SYSTEM,general,0,2010/05/06 15:51:15,,unknown,,0,0,general,informational,User admin logged in via CLI from 192.168.28.21

<14>May  9 17:55:21 1,2010/05/09 17:55:21,0006C101167,THREAT,url,6,2010/05/09 17:55:20,172.16.2.2,216.163.137.68,::172.16.255.78,216.163.137.68,DynamicDefault,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,syslog-172.16.20.152,2010/05/09 17:55:21,976,1,1126,80,38931,80,0x40,tcp,block-url,"www.playboy.com/favicon.ico",(9999),adult-and-pornography,informational,0

    Settings for Access Credentials

    SNMP Access Credentials for All Devices

    Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

    Setting Value
    Name <set name>
    Device Type Generic
    Access Protocol SNMP
    Community String <your own>
    Telnet Access Credentials for All Devices

    These are the generic settings for providing Telnet access to your device from FortiSIEM.

    Setting Value
    Name Telnet-generic
    Device Type generic
    Access Protocol Telnet
    Port 23
    User Name A user who has permission to access the device over Telnet
    Password The password associated with the user
    SSH Access Credentials for All Devices

    These are the generic settings for providing SSH access to your device from FortiSIEM.

    Setting Value
    Name ssh-generic
    Device Type Generic
    Access Protocol SSH
    Port 22
    User Name A user who has access credentials for your device over SSH
    Password The password for the user
    Previous
    Next