firewall.paloalto

Logs from a Palo Alto firewall are marked with the firewall.paloalto.type.subtype tag.

Tag structure

The type element identifies the kind of event being sent. Tags can have one of the following values (one per log type):

  • firewall.paloalto.traffic
  • firewall.paloalto.threat
  • firewall.paloalto.hipmatch
  • firewall.paloalto.config
  • firewall.paloalto.system

For more information on how tags work, please check the Introduction to tags article.

In-house Relay configuration

You can configure a Palo Alto firewall to report its logs to Devo by specifying an endpoint, a destination port and a syslog facility. Please note that the firewall cannot send via TCP or tag the events prior to sending them. Hence the logs must be reported to an In-house Relay, which tags them as firewall.paloalto.type.subtype and forwards them to Devo.

To create the rule, use the following fields:

  • Source Port → 13004
  • Source Data → ^[^,]+,[^,]+,[^,]+,([^,]+).*$
  • Target Tag → firewall.paloalto.\D1
  • Target Message → \D0
  • Check the following box:
    • Send without tag

The new rule looks as follows:
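To see what the rule does to real traffic, here is the same rule modelled in Python (an added example, not Devo's relay code). The Source Data regex and the Target Tag / Target Message templates are the ones given above; the sample lines are constructed, and the assumption that the relay's regex engine behaves like Python's re for this pattern is labelled in the code.

```python
import re

# The In-house Relay rule from this page, modelled in Python (added example,
# not Devo's relay code). Source Data regex and Target Tag / Target Message
# templates are taken from the rule above; it is assumed that the relay's
# matching engine treats this pattern the same way Python's re does.
SOURCE_DATA = re.compile(r"^[^,]+,[^,]+,[^,]+,([^,]+).*$")
TAG_PREFIX = "firewall.paloalto."          # Target Tag -> firewall.paloalto.\D1
KNOWN_SUBTYPES = {"traffic", "threat", "hipmatch", "config", "system"}

def apply_relay_rule(line: str):
    r"""Return (tag, message) for one syslog line, or None if the rule does not match.

    \D1 is the 4th comma-separated field (the PAN-OS log Type) and \D0 the whole
    matched message, as in the Target Tag / Target Message fields above.
    """
    m = SOURCE_DATA.match(line)
    if m is None:
        return None                        # unmatched lines are not tagged by this rule
    return TAG_PREFIX + m.group(1), m.group(0)

def is_known_subtype(tag: str) -> bool:
    """Sanity check (an assumption, not relay behaviour): does the captured Type,
    lower-cased and with '-' removed, name one of the five documented subtypes?"""
    subtype = tag[len(TAG_PREFIX):].lower().replace("-", "")
    return subtype in KNOWN_SUBTYPES

# Constructed sample lines (not real firewall output). PAN-OS CSV records start
# with FUTURE_USE, Receive Time, Serial Number, Type, ... so Type is field 4.
SAMPLES = [
    # bare CSV record as written by the firewall
    "1,2023/06/01 10:00:00,0123456789,TRAFFIC,end,2049,...",
    # same kind of record with a BSD syslog header in front: the header contains
    # no comma, so it is absorbed into field 1 and the rule still matches
    "<14>Jun  1 10:00:00 pa-fw 1,2023/06/01 10:00:00,0123456789,THREAT,url,...",
    "1,2023/06/01 10:00:01,0123456789,HIP-MATCH,0,...",
    # fewer than four fields: the rule does not match and nothing is tagged
    "something that is not a PAN-OS csv record",
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = apply_relay_rule(line)
        if result is None:
            print("NO MATCH   ", line)
        else:
            tag, msg = result
            print(f"{tag:<30} known={is_known_subtype(tag)}  {msg[:40]}")
```

Lines that do not match the Source Data regex are left untagged, so a quick check like this against a capture of your own firewall's output shows whether every log type you expect is actually being picked up by the rule.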

Palo Alto configuration

These are the steps to follow in order to forward traffic logs to the In-house Relay:

1. Create a syslog server profile

  • You can perform this task from the Device → Server Profiles → Syslog area.
    • Name → name of the syslog server
    • Server → In-house Relay Server IP address where the logs are forwarded to
    • Port → default port 13004
    • Facility → selected from the dropdown list according to the requirements

  • For newer PAN-OS versions, select the BSD format.

2. Traffic Logs

  • Configure the log-forwarding profile to select the traffic logs to be forwarded to the syslog server:
    • Go to the Objects → Log forwarding area.
    • Select the syslog server profile for forwarding traffic logs to the configured server.

3. Threat Logs

  • Select the syslog server profile for forwarding threat logs to the configured server.

4. Use the log forwarding profile in the security rules

  • Go to the Policies → Security Rule area.
  • Select the rule where the log forwarding needs to be applied.
  • Apply the traffic and security profiles to the rule.
  • Go to Actions → Log forwarding and select the log forwarding profile from the dropdown list.

5. HIP-Match log settings

  • Go to the Device → Log settings → Hipmatch area.
  • Select the syslog server profile that was created in the step above for the desired log-severity.

  • Once the server profile is selected, the HIP Match log settings for the syslog server appear as follows:

6. System log settings

  • Go to the Device → Log settings → System area.
  • Select the syslog server profile that was created in the step above for the desired log-severity.

  • Once the server profile is selected, the system log settings for the syslog server appear as follows:

7. Configure the log settings

  • Go to the Device → Log settings → Config area.
  • Select the syslog server profile that was created in the step above for the desired log-severity.

  • Once the syslog profile is selected, the config log settings appear as follows:

Finally, apply the changes.
