Make the Most of Your Palo Alto Firewall Data

This post walks through the steps to integrate Palo Alto firewall data into Honeycomb Lexicon. Palo Alto next-generation firewalls provide a vast wealth of protection and visibility right through the network stack. Integrating Palo Alto firewall data into Honeycomb Lexicon leverages this data, and allows you to easily visualize data patterns, as well as correlate its data with the rest of your network.


Setup

Note: These instructions pertain to PAN-OS 4.x. If you are running PAN-OS 3.x, the same steps apply, but some of the names and menu placements are slightly different.

Configuring Palo Alto firewalls to forward data feeds into Lexicon is quite straightforward. Here are the steps:

1. Log in to your Palo Alto firewall console using an administrative user account

2. Now we create a syslog object that will tell the system where to send data:

Click the Device tab

In the left-side tree, navigate to ‘Server Profiles -> Syslog’

At the bottom of the screen, click ‘Add’

In the ‘Syslog Server Profile’ screen:

Give the Profile object a name

Click ‘Add’

Enter a name for the syslog server (this can be any label; it does not have to be a DNS name)

Enter a server name – this does need to be an IP address or DNS name. As this is a firewall that typically resides on the perimeter, it is prudent to use an IP address here, so that log forwarding does not depend on DNS resolution

You can keep the default port of 514, or change it to another value. By default, Lexicon listens for incoming syslog traffic on UDP port 514, so if you change it, you will need to ensure a corresponding value is entered into the Lexicon server’s cfg/inputs.conf file

Leave the Facility default value of LOG_USER unchanged

Press OK

You should now see your new Syslog Server Profile entry in the list

3. Now that we have a Syslog Server Profile object, we need to assign it:

In the left-side tree, navigate to ‘Log Settings -> System’

You will see 5 entries in this view, one for each severity level of system messages

For each severity level:

Click on the ‘Severity’ value (e.g. ‘High’)

In the Syslog drop-down, select the newly-created Syslog Server Profile

Press OK

Now select ‘Log Settings -> Config’

In the ‘Log Settings – Config’ box, click on the right-side button to edit the settings

In the Syslog drop-down, select the newly-created Syslog Server Profile

Now select ‘Log Settings -> HIP Match’

In the ‘Log Settings – HIP Match’ box, click on the right-side button to edit the settings

In the Syslog drop-down, select the newly-created Syslog Server Profile

To include Palo Alto’s Traffic and Threat logs, follow these steps:

In the left-side tree, navigate to ‘Objects -> Log Forwarding’

Click ‘Add’ at the bottom of the screen

Give the Log Forwarding Profile a name

For each Traffic and Threat Settings entry you wish to include, click on the relevant ‘Syslog’ column entry, and add the newly-created Syslog Server Profile

Press OK

4. The objects are now created and assigned, so all that’s left to do is to commit the changes:

Press the ‘Commit’ button in the top right

Click OK to continue

After a few moments, the changes will be applied, and you will begin to receive data from your Palo Alto firewall.
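Once the commit completes, it is worth confirming on the receiving side that every log category you forwarded (System, Config, HIP Match, Traffic and Threat) is actually arriving with the facility you configured. The script below is an added example, not part of the original post and not Lexicon's own code: it listens on UDP 514 like Lexicon does, keeps only datagrams from the firewall's address and with the LOG_USER facility, and tallies messages by PAN-OS log type. It assumes the PAN-OS payload is comma separated with the log type (TRAFFIC, THREAT, SYSTEM, CONFIG, HIP-MATCH) in the fourth field; that field layout, the `fw01` hostname and the sample datagrams are constructed for illustration.

```python
"""Verify that PAN-OS syslog forwarding is arriving with the expected facility and log types.

Added example, not part of the original post or of Lexicon. Assumptions:
- datagrams are BSD-style syslog ("<PRI>...") on UDP 514, as the post configures
- the PAN-OS payload is comma separated and its 4th field is the log type
  (TRAFFIC, THREAT, SYSTEM, CONFIG, HIP-MATCH); this layout is an assumption
"""
import re
import socket
from collections import Counter

LOG_USER = 1  # syslog facility code for LOG_USER, the profile default in the post
EXPECTED_TYPES = {"SYSTEM", "CONFIG", "HIP-MATCH", "TRAFFIC", "THREAT"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(message):
    """Return (facility, severity, rest) from a '<PRI>' syslog line, or None."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def classify(message):
    """Return the PAN-OS log type carried in a syslog message, or None.

    Messages that do not carry the LOG_USER facility are rejected, so syslog
    from other hosts sharing the collector is not mistaken for firewall data.
    """
    parsed = parse_pri(message)
    if parsed is None:
        return None
    facility, _severity, rest = parsed
    if facility != LOG_USER:
        return None
    fields = rest.split(",")
    if len(fields) < 4:
        return None
    return fields[3].strip().upper() or None


def summarize(messages):
    """Count messages by PAN-OS log type and list expected types not yet seen."""
    counts = Counter()
    for msg in messages:
        log_type = classify(msg)
        if log_type:
            counts[log_type] += 1
    missing = sorted(EXPECTED_TYPES - set(counts))
    return dict(counts), missing


def receive(bind_addr="0.0.0.0", port=514, allowed_source=None,
            max_messages=100, timeout=30.0):
    """Collect up to max_messages datagrams, optionally only from the firewall IP.

    Binding to 514 needs root or CAP_NET_BIND_SERVICE, and Lexicon must be
    stopped first, since both cannot own the same UDP port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(timeout)
    collected = []
    try:
        while len(collected) < max_messages:
            try:
                data, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            if allowed_source and src != allowed_source:
                continue  # ignore anything that is not the firewall
            collected.append(data.decode("utf-8", errors="replace"))
    finally:
        sock.close()
    return collected


# Constructed sample datagrams (not real firewall output).
# PRI 14 = LOG_USER.INFO, PRI 12 = LOG_USER.WARNING, PRI 38 = LOG_AUTH.INFO.
SAMPLE = [
    "<14>Jan 01 00:00:01 fw01 1,2012/01/01 00:00:01,0001,TRAFFIC,end,1,...",
    "<14>Jan 01 00:00:02 fw01 1,2012/01/01 00:00:02,0001,THREAT,url,1,...",
    "<12>Jan 01 00:00:03 fw01 1,2012/01/01 00:00:03,0001,SYSTEM,general,0,...",
    "<14>Jan 01 00:00:04 fw01 1,2012/01/01 00:00:04,0001,CONFIG,0,0,...",
    "<38>Jan 01 00:00:05 host sshd[1]: Accepted publickey for user",  # LOG_AUTH: ignored
]

if __name__ == "__main__":
    counts, missing = summarize(SAMPLE)
    print("by type:", counts)
    print("expected types not yet seen:", missing)
```

To run it against live traffic, replace `SAMPLE` with `receive(allowed_source="<firewall IP>")`; an empty result after the timeout usually means the commit did not go through or an intermediate firewall is blocking UDP 514, while a non-empty `missing` list points at a category whose Log Settings or Log Forwarding entry was not assigned the profile.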
