Palo Alto Firewall

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, Hardware model, Network interfaces, Operating system version
  Metrics collected: Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
  Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
  Information discovered: Running configuration
  Metrics collected: Configuration Change
  Used for: Performance Monitoring, Security and Compliance

Protocol: Syslog
  Information discovered: Device type
  Metrics collected: Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs
  Used for: Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "palo alto" in the Description column to see the event types associated with this device. 

Rules

There are no predefined rules for this device. 

Reports

In RESOURCE > Reports, search for "palo alto" in the Description column to see the reports associated with this device.

Configuration

SNMP, SSH, and Ping

  1. Log in to the management console for your firewall with administrator privileges.
  2. In the Device tab, click Setup.
  3. Click Edit.
  4. Under MGMT Interface Services, make sure SSH, Ping, and SNMP are selected.
  5. For SNMP Community String, enter public.
  6. If there are entries in the Permitted IP list, add the IP address of your FortiSIEM virtual appliance.
  7. Click OK.
  8. Go to Setup > Management and check that SNMP is enabled on the management interface.

Syslog

Set FortiSIEM as a Syslog Destination

  1. Log in to the management console for your firewall with administrator privileges.
  2. In the Device tab, go to Log Destinations > Syslog.
  3. Click New.
  4. Enter a Name for your FortiSIEM virtual appliance.
  5. For Server, enter the IP address of your virtual appliance. 
  6. For Port, enter 514.
  7. For Facility, select LOG_USER.
  8. Click OK.

Set the Severity of Logs to Send to FortiSIEM

  1. In the Device tab, go to Log Settings > System.
  2. Click Edit...
  3. For each type of log you want sent to FortiSIEM, select the FortiSIEM virtual appliance in the Syslog menu.
  4. Click OK.

Create a Log Forwarding Profile

  1. In the Objects tab, go to Log Forwarding > System.
  2. Create a new log forwarding profile by entering a Name for the profile, and then setting Syslog to the IP address of your FortiSIEM virtual appliance for each type of log you want to send to FortiSIEM.
  3. Click OK.

Use the Log Forwarding Profile in Firewall Policies

  1. In the Policies tab, go to Security > System.
  2. For each security rule that you want to send logs to FortiSIEM, click Options.
  3. For Log Forwarding Profile, select the profile you created for FortiSIEM.
  4. Click OK.
  5. Commit changes.


Logging Permitted Web Traffic

By default, Palo Alto firewalls only log web traffic that is blocked by URL filtering policies. If you also need permitted web traffic to be logged, follow these steps.

  1. In the Objects tab, go to Security Profiles > URL Filtering.
  2. Edit an existing profile by clicking on its name, or click Add to create a new one.
  3. For website categories that you want to log, select Alert. Traffic matching these website categories will be logged.
  4. Click OK.
  5. For each security rule that you want to send logs to FortiSIEM, edit the rule and add the new URL Filtering profile.

Sample Parsed Palo Alto Syslog Messages

<14>May  6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,2010/05/06 15:50:58,192.168.28.21,172.16.255.78,::172.16.255.78,172.16.255.78,rule3,,,icmp,vsys1,untrust,untrust,ethernet1/1,ethernet1/1,syslog-172.16.20.152,2010/05/06 15:51:04,600,2,0,0,0,0,0x40,icmp,allow,196,196,196,2,2010/05/06 15:50:58,0,any,0

<14>May  6 15:51:15 1,2010/05/06 15:51:15,0006C101167,SYSTEM,general,0,2010/05/06 15:51:15,,unknown,,0,0,general,informational,User admin logged in via CLI from 192.168.28.21

<14>May  9 17:55:21 1,2010/05/09 17:55:21,0006C101167,THREAT,url,6,2010/05/09 17:55:20,172.16.2.2,216.163.137.68,::172.16.255.78,216.163.137.68,DynamicDefault,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,syslog-172.16.20.152,2010/05/09 17:55:21,976,1,1126,80,38931,80,0x40,tcp,block-url,"www.playboy.com/favicon.ico",(9999),adult-and-pornography,informational,0
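As an added example (not code from the original page or from FortiSIEM), the parser below splits the three sample messages above into named fields. The field positions and the sample lines are taken from the messages on this page; the field names and the module layout are my own labels, chosen to match the PAN-OS TRAFFIC, THREAT and SYSTEM log formats those samples show.

```python
import csv
import re

# Field positions (0-based, after the syslog header) as seen in the three samples above.
COMMON = {"receive_time": 1, "serial": 2, "type": 3, "subtype": 4, "generated_time": 6}
SESSION = {"src_ip": 7, "dst_ip": 8, "nat_src_ip": 9, "nat_dst_ip": 10, "rule": 11,
           "src_user": 12, "dst_user": 13, "app": 14, "vsys": 15, "src_zone": 16,
           "dst_zone": 17, "in_if": 18, "out_if": 19, "session_id": 22,
           "src_port": 24, "dst_port": 25, "proto": 29, "action": 30}
LAYOUT = {  # TRAFFIC and THREAT share the session layout; SYSTEM is shorter
    "TRAFFIC": {**SESSION, "bytes": 31, "bytes_sent": 32, "bytes_recv": 33, "packets": 34},
    "THREAT": {**SESSION, "misc": 31, "threat_id": 32, "category": 33, "severity": 34},
    "SYSTEM": {"vsys": 7, "event_id": 8, "object": 9, "module": 12, "severity": 13, "description": 14},
}
# '<PRI>Mon dd HH:MM:SS ' header; the day may be padded with two spaces ("May  6").
HEADER = re.compile(r"^<(\d{1,3})>([A-Za-z]{3}\s+\d{1,2} \d\d:\d\d:\d\d) (.*)$")

def parse_pan_syslog(line):
    """Return a dict of named fields from one PAN-OS syslog line."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a PAN-OS syslog line: %r" % line[:40])
    pri, stamp, body = m.groups()
    # The body is CSV and the THREAT 'misc' field (the URL) is quoted, so use the
    # csv module rather than str.split to survive commas inside that field.
    fields = next(csv.reader([body]))
    # PRI = facility * 8 + severity; <14> is facility 1 (LOG_USER), severity 6 (info).
    rec = {"syslog_facility": int(pri) >> 3, "syslog_severity": int(pri) & 7,
           "syslog_time": stamp}
    kind = fields[3] if len(fields) > 3 else ""
    for name, idx in list(COMMON.items()) + list(LAYOUT.get(kind, {}).items()):
        rec[name] = fields[idx] if idx < len(fields) else ""
    return rec

# The three sample messages from this page, embedded here as constructed test input.
SAMPLE_TRAFFIC = ("<14>May  6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,"
                  "2010/05/06 15:50:58,192.168.28.21,172.16.255.78,::172.16.255.78,"
                  "172.16.255.78,rule3,,,icmp,vsys1,untrust,untrust,ethernet1/1,ethernet1/1,"
                  "syslog-172.16.20.152,2010/05/06 15:51:04,600,2,0,0,0,0,0x40,icmp,allow,"
                  "196,196,196,2,2010/05/06 15:50:58,0,any,0")
SAMPLE_SYSTEM = ("<14>May  6 15:51:15 1,2010/05/06 15:51:15,0006C101167,SYSTEM,general,0,"
                 "2010/05/06 15:51:15,,unknown,,0,0,general,informational,"
                 "User admin logged in via CLI from 192.168.28.21")
SAMPLE_THREAT = ("<14>May  9 17:55:21 1,2010/05/09 17:55:21,0006C101167,THREAT,url,6,"
                 "2010/05/09 17:55:20,172.16.2.2,216.163.137.68,::172.16.255.78,"
                 "216.163.137.68,DynamicDefault,,,web-browsing,vsys1,trust,untrust,"
                 "ethernet1/2,ethernet1/1,syslog-172.16.20.152,2010/05/09 17:55:21,976,1,"
                 '1126,80,38931,80,0x40,tcp,block-url,"www.playboy.com/favicon.ico",(9999),'
                 "adult-and-pornography,informational,0")
```

The facility decoded from the PRI value (1, LOG_USER) is the one selected in the syslog destination steps above, which is a quick way to confirm a received message came from the profile you configured.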

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Setting           Value
Name              <set name>
Device Type       Generic
Access Protocol   SNMP
Community String  <your own>


Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting           Value
Name              Telnet-generic
Device Type       generic
Access Protocol   Telnet
Port              23
User Name         A user who has permission to access the device over Telnet
Password          The password associated with the user


SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting           Value
Name              ssh-generic
Device Type       Generic
Access Protocol   SSH
Port              22
User Name         A user who has access credentials for your device over SSH
Password          The password for the user