
Palo Alto Firewall Integration Guide


The following is a guide for configuring the Palo Alto Firewall or Panorama to send system, configuration (audit), traffic, and security events to Secureworks® Taegis™ XDR.

Implementation Requirements

Source: Palo Alto Firewall or Panorama
Destination: Taegis™ XDR Collector IP
Port/Protocol: UDP/514

Note

Naming conventions in this doc are suggestions for reference and not required. Names included in screenshots may differ from the suggested naming conventions.

Note

Saving some steps may require using the Commit button in the Palo Alto configuration interface. For more information on using Palo Alto see Palo Alto Documentation.

Data Provided from Integration

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
PaloAlto Firewall   D           D   D V    

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Palo Alto Firewall v8.0 - v9.x - v10.0 Configuration

Important

If security rules are configured with the default profiles you will need to clone the existing profiles and then modify each rule to use the new, cloned profile.


Sending Logs from the Palo Alto Firewall to XDR Only

Syslog Server Profile

The Syslog Server Profile is used within different configuration sections of the PAN device to forward logs to a specific syslog server or servers.

  1. From the Device tab, select Server Profiles → Syslog from the left-hand tree menu. The Syslog Server Profile Dialog displays.

  2. Name the profile TDR-COLLECTOR.

  3. Add a server entry named TDR-SYSLOG with the XDR Collector IP address.
  4. Select the option LOG_LOCAL1 under Facility.

Syslog Server

Syslog Server Dialog

Log Settings

The Log Settings section is used to handle logs not handled by the Log Forwarding Profile. The Log Settings section handles System, Configuration, User-ID, HIP Match, IP-Tag (9.0+), GlobalProtect (9.1+), and Correlation (9.1+) logs. The Log Forwarding Profile handles Auth, Data, Threat, Traffic, Tunnel, URL, and Wildfire logs.

On the Firewall, scroll down to be able to see all types.

Firewall Log Settings

Note

There may be additional log types with newer versions, so ensure that you configure all of them.

Sending System (Diagnostics) Logs from the Palo Alto Firewall to XDR
  1. From the Device tab, select Log Settings from the left-hand tree menu.
  2. Under System, select Add. The Log Settings - System dialog displays.
  3. Enter the name as TDR-SYS.
  4. From the Syslog section, select TDR-COLLECTOR for the Syslog Profile.

Sending System Logs

Sending Config (Audit) Logs from the Palo Alto Firewall to XDR
  1. From the Device tab, select Log Settings from the left-hand tree menu.
  2. Under Configuration, select Add. The Log Settings - Configuration dialog displays.
  3. Enter the name as TDR-CONF.
  4. From the Syslog section, select TDR-COLLECTOR for the Syslog Profile.

Sending Config Logs

Sending User-ID Logs from the Palo Alto Firewall to XDR
  1. From the Device tab, select Log Settings from the left-hand tree menu.
  2. Under User-ID, select Add. The Log Settings - User-ID dialog displays.
  3. Enter the name as TDR-ID.
  4. From the Syslog section, select TDR-COLLECTOR for the Syslog Profile.

Sending User-ID Logs

Sending HIP-Match Logs from the Palo Alto Firewall to XDR
  1. From the Device tab, select Log Settings from the left-hand tree menu.
  2. Under HIP-Match, select Add. The Log Settings - HIP-Match dialog displays.
  3. Enter the name as TDR-HIP.
  4. From the Syslog section, select TDR-COLLECTOR for the Syslog Profile.

Sending HIP-Match Logs

Sending IP-Tag Logs from the Palo Alto Firewall to XDR (9.0+)
  1. From the Device tab, select Log Settings from the left-hand tree menu.
  2. Under IP-Tag, select Add. The Log Settings - IP-Tag dialog displays.
  3. Enter the name as TDR-IPTAG.
  4. From the Syslog section, select TDR-COLLECTOR for the Syslog Profile.

Sending IP-Tag Logs

Sending GlobalProtect Logs from the Palo Alto Firewall to XDR (9.1+)
  1. From the Device tab, select Log Settings from the left-hand tree menu.
  2. Under GlobalProtect, select Add. The Log Settings - GlobalProtect dialog displays.
  3. Enter the name as TDR-GP.
  4. From the Syslog section, select TDR-COLLECTOR for the Syslog Profile.

Sending GlobalProtect Logs

Sending Correlation Logs from the Palo Alto Firewall to XDR (9.1+)
  1. From the Device tab, select Log Settings from the left-hand tree menu.
  2. Under Correlation, select Add. The Log Settings - Correlation dialog displays.
  3. Enter the name as TDR-CORR.
  4. From the Syslog section, select TDR-COLLECTOR for the Syslog Profile.

Sending Correlation Logs

Log Forwarding Profile

The Log Forwarding Profile section is used to handle session logs not handled by the Log Settings section. The Log Forwarding Profile handles Auth, Data, Threat, Traffic, Tunnel, URL, and Wildfire logs. The Log Settings section handles System, Configuration, User-ID, HIP Match, IP-Tag (9.0+), GlobalProtect (9.1+), and Correlation (9.1+) logs.

Create A Log Forwarding Profile on the Palo Alto Firewall for XDR
  1. From the Objects tab, select Log Forwarding from the left-hand tree menu.
  2. From the main panel, select Add.
  3. The Log Forwarding Profile dialog displays.
  4. Enter TDR-FORWARDING for the name.
  5. Add and name the following:

    • TDR-LOGFW-THREAT for threat Log Type and TDR-COLLECTOR as Syslog
    • TDR-LOGFW-WF for wildfire Log Type and TDR-COLLECTOR as Syslog
    • TDR-LOGFW-DATA for data Log Type and TDR-COLLECTOR as Syslog
    • TDR-LOGFW-AUTH for auth Log Type and TDR-COLLECTOR as Syslog
    • TDR-LOGFW-URL for url Log Type and TDR-COLLECTOR as Syslog
    • TDR-LOGFW-TRAF for traffic Log Type and TDR-COLLECTOR as Syslog

Log Forwarding

Assign the Log Forwarding Profile to Policy Rules and Network Zones on the Palo Alto Firewall for XDR
  1. Select Policies > Security and edit the rule.
  2. Select Actions and select the Log Forwarding profile you created.
  3. Set the Profile Type to Profiles or Group, then select the security profiles or Group Profile required to trigger log generation and forwarding for:
    • Threat logs — Traffic must match any security profile assigned to the rule.
    • Wildfire Submission logs — Traffic must match a WildFire Analysis profile assigned to the rule.
  4. For Traffic logs, select Log At Session Start and/or Log At Session End.
  5. Click OK to save the rule.
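Once the Syslog Server Profile, Log Settings and Log Forwarding Profile above have been committed, the practical question is whether every enabled log type is actually reaching the collector on the expected facility, and whether the same events are arriving twice because both a firewall and Panorama were configured (the situation the notes on this page warn against). The following script is an added example, not code from Secureworks or Palo Alto Networks: it parses PAN-OS syslog lines captured on the collector side (BSD header followed by the PAN-OS CSV body, where the fourth CSV field is the log Type and the fifth the Subtype), checks the facility against LOG_LOCAL1, ticks off a coverage list, and flags identical event bodies received from two different senders. The sample lines, serial numbers, hostnames and addresses are constructed placeholders, and the EXPECTED coverage list is an assumption to adjust to the log types you enabled.

```python
"""Offline audit of PAN-OS syslog lines as received by a collector (added example)."""
import re
from collections import defaultdict

LOCAL1 = 17  # syslog facility number for LOG_LOCAL1, the facility selected in the Syslog Server Profile

# Coverage list (an assumption for this example): the log types the guide enables, keyed as they
# appear in the Type field of the PAN-OS CSV body. URL, data and WildFire logs travel as THREAT
# with a subtype, so those are keyed "THREAT/<subtype>".
EXPECTED = {
    "SYSTEM", "CONFIG", "USERID", "HIPMATCH", "TRAFFIC",
    "THREAT/vulnerability", "THREAT/url", "THREAT/data", "THREAT/wildfire",
}

# BSD syslog header (<PRI>timestamp host) followed by the PAN-OS CSV body.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$"
)


def parse_line(line):
    """Split one syslog line into facility, sender host and PAN-OS type/subtype; None if unparsable."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("body").split(",")
    # PAN-OS CSV layout: field 3 is Serial, field 4 is Type, field 5 is Subtype (1-based).
    if len(fields) < 5:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,        # PRI = facility * 8 + severity
        "severity": pri % 8,
        "host": m.group("host"),
        "serial": fields[2],
        "type": fields[3].upper(),
        "subtype": fields[4].lower(),
        "body": m.group("body"),
    }


def coverage_key(rec):
    """Key used to tick off EXPECTED: THREAT is split by subtype, everything else by Type."""
    return f"THREAT/{rec['subtype']}" if rec["type"] == "THREAT" else rec["type"]


def audit(lines, expected=EXPECTED):
    """Report which expected log types arrived, which did not, and two common misconfigurations."""
    seen = set()
    wrong_facility = []          # (host, facility) for lines not sent on LOG_LOCAL1
    senders = defaultdict(set)   # identical body -> set of sender hosts
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        seen.add(coverage_key(rec))
        if rec["facility"] != LOCAL1:
            wrong_facility.append((rec["host"], rec["facility"]))
        senders[rec["body"]].add(rec["host"])
    # The same event body arriving from two different hosts (a firewall and Panorama, say) is the
    # "both configured" situation the guide warns against. Heuristic: exact body match only.
    duplicate_sources = {body: hosts for body, hosts in senders.items() if len(hosts) > 1}
    return {
        "seen": seen,
        "missing": set(expected) - seen,
        "wrong_facility": wrong_facility,
        "duplicate_sources": duplicate_sources,
        "unparsed": unparsed,
    }


# Constructed sample lines (not real device output); serials, hosts and addresses are placeholders.
_TRAFFIC_BODY = ("1,2024/01/10 10:00:01,0123456789AB,TRAFFIC,end,2049,2024/01/10 10:00:01,"
                 "10.1.1.5,203.0.113.10,0.0.0.0,0.0.0.0,allow-out,,,web-browsing,vsys1,trust,untrust")
SAMPLE_LINES = [
    f"<142>Jan 10 10:00:01 pa-fw-01 {_TRAFFIC_BODY}",  # PRI 142 = local1 (17) * 8 + info (6)
    "<142>Jan 10 10:00:02 pa-fw-01 1,2024/01/10 10:00:02,0123456789AB,THREAT,url,2049,2024/01/10 10:00:02,10.1.1.5,203.0.113.10",
    "<142>Jan 10 10:00:03 pa-fw-01 1,2024/01/10 10:00:03,0123456789AB,SYSTEM,general,0,2024/01/10 10:00:03,vsys1",
    "<142>Jan 10 10:00:04 pa-fw-01 1,2024/01/10 10:00:04,0123456789AB,CONFIG,0,0,2024/01/10 10:00:04,web,admin",
    "<134>Jan 10 10:00:05 pa-fw-02 1,2024/01/10 10:00:05,0123456789CD,TRAFFIC,end,2049,2024/01/10 10:00:05,10.2.2.7,203.0.113.20",  # PRI 134 = local0: profile not set to LOG_LOCAL1
    f"<142>Jan 10 10:00:06 panorama-01 {_TRAFFIC_BODY}",  # same event relayed a second time by Panorama
    "this is not a syslog line",
]

if __name__ == "__main__":
    report = audit(SAMPLE_LINES)
    print("seen:          ", sorted(report["seen"]))
    print("missing:       ", sorted(report["missing"]))
    print("wrong facility:", report["wrong_facility"])
    print("dup sources:   ", {b[:40] + "...": sorted(h) for b, h in report["duplicate_sources"].items()})
    print("unparsed:      ", report["unparsed"])
```

Run it against a capture taken on the collector host (for instance a few minutes of UDP/514 traffic written out line by line) rather than the constructed list: an entry in `missing` means that log type was never forwarded, usually because its Log Settings entry or Log Forwarding Profile line was not created or the rule was never committed; an entry in `wrong_facility` points at a Syslog Server Profile whose Facility is not LOG_LOCAL1; anything in `duplicate_sources` is worth reviewing against the "choose one or the other" notes on this page.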

Panorama v8.0 - v9.0 - v9.1 Configuration

Panorama can forward logs directly to a 3rd-party syslog server. Note that Panorama can run in different modes:

Deployment mode can be found on the Dashboard tab in the General Information widget.

Panorama Deployment Mode

XDR Syslog Server Profile

  1. From the Panorama tab, select Server Profiles > Syslog from the left-hand tree menu.
  2. From the main panel, select Add.
  3. The Syslog Server Profile dialog displays.
  4. Name the new profile TDR-COLLECTOR-PNR.
  5. Select Add to add a server profile. Name it TDR-SYSLOG, and assign it the XDR Collector IP address.
  6. Under Facility, add the option LOG_LOCAL1.

Panorama VM Syslog Server Profile

Sending Logs from Legacy Mode (VM) Panorama (w/o Log Collectors) to XDR

Important

This section is not for M-100 or higher hardware models which require more complex configurations. This particular mode is not common practice.

Note

Do not configure both Panorama and firewalls to send logs to XDR. Choose one or the other.

Configure Log Settings

  1. From the Panorama tab, select Log Settings from the left-hand tree menu.
  2. In the main panel, Add an entry for each of the following log types and configure syslog for each using the TDR-COLLECTOR-PNR value you created in the preceding section:

    • TDR-SYS for System Logs
    • TDR-CONF for Config Logs
    • TDR-ID for UserID Logs
    • TDR-THREAT for Threat Logs (spyware/vulnerability)
    • TDR-URL for URL Logs (web filtering)
    • TDR-DATA for DATA Logs (DLP)
    • TDR-TRAFFIC for Traffic Logs (session traffic logs)
    • TDR-WF for Wildfire Logs
    • TDR-TUN for Tunnel Logs (VPN)
    • TDR-AUTH for Authentication Logs
    • TDR-CORR for Correlation Logs

Panorama VM Log Settings

Note

There may be additional log types with newer versions, so ensure that you configure all of them.

Sending Logs from Panorama (VM Or M) To XDR with Managed Collectors

Panorama M Hardware Models and VM with Managed Collectors (Mgmt Only/Panorama Modes)

Important

For distributed log collection, the device log forwarding configuration in Panorama is no longer done under Log Settings but instead under Collector Groups → Collector Log Forwarding.

Note

Do not configure both Panorama and firewalls to send logs to XDR. Choose one or the other.

The following is a simplified diagram of a distributed log collecting architecture.

Panorama Managed Collectors

Configure Log Settings - Log Collector Group

  1. From the Panorama tab, select Collector Groups from the left-hand tree menu.
  2. Edit the customer's existing collector group(s) that are in scope for monitoring. There might be only one Collector Group, called default, which means the M hardware is running in Panorama mode.
  3. Select the desired Collector Group, then select the Collector Log Forwarding tab.
  4. Create an entry under each log type for each of the following to send syslog to the TDR-COLLECTOR-PNR you created earlier. Configure it as follows:

    • TDR-SYS for System Logs
    • TDR-CONF for Config Logs
    • TDR-ID for UserID Logs
    • TDR-THREAT for Threat Logs (spyware/vulnerability)
    • TDR-URL for URL Logs (web filtering)
    • TDR-DATA for DATA Logs (DLP)
    • TDR-TRAFFIC for Traffic Logs (session traffic logs)
    • TDR-WF for Wildfire Logs
    • TDR-TUN for Tunnel Logs (VPN)
    • TDR-CORR for Correlation Logs
    • TDR-AUTH for Authentication Logs

Collector Log Forwarding

Note

There may be additional log types with newer versions, so ensure that you configure all of them.

Update Existing Security Rules (Firewall Rules) All Versions

Apply Security Profiles—UTM/NGFW Features—And Enable Log Forwarding

Security Profiles are useless unless they are applied to security rules. Furthermore, security rules do not forward logs unless a Log Forwarding Profile is associated with them. Define a security policy rule:

  1. From the Policies tab, select Security from the left-hand tree menu.
  2. Select each security rule to open the Security Policy dialog for that rule.
  3. Go to the Actions tab.
  4. For Profile Type, select Profiles.
  5. Select the corresponding Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, File Blocking, Data Filtering and Wildfire Analysis (PANOS 7.1 and above) security profiles you use in your environment.
  6. Make sure the Log Forwarding has TDR-FORWARDING selected.

Note

In the Log Setting section of the Action tab, it is a PAN best practice to only enable Log at Session End. If you need to enable Log at Session Start for troubleshooting purposes, it is recommended to disable it after you're done troubleshooting.

Security Policy Rule

Palo Alto Firewall v6.1 - 7.0 - 7.1 Configuration (End of Life)

The following covers multiple configuration scenarios for Palo Alto Firewall to XDR. Select the one appropriate to your version of Palo Alto.

Sending Logs from Palo Alto Firewall to XDR Only

Note

Do not configure both Panorama and Palo Alto Firewall to send logs to XDR. Choose one or the other.

Create an XDR Syslog Server Profile

This creates a named syslog object that is used in later steps for forwarding syslog events to XDR.

  1. Navigate to the Device tab, then on the left pane under Server Profiles select Syslog.
  2. Name it TDR-COLLECTOR and add an entry named TDR-SYSLOG with the XDR Collector IP address.
  3. Under Facility, select the option LOG_LOCAL1.

XDR Syslog Server Profile

Sending System (Diagnostic) Logs from Palo Alto Firewall to XDR

System logs provide a wide array of useful information for auditing and troubleshooting (user login information, NTP issues, hardware events, user-id events, etc.).

PANOS 6.1 and Below
  1. Under the Device tab, select Log Settings > System from the left-hand tree menu.
  2. In the main panel, select each severity level and select TDR-COLLECTOR for the Syslog Profile.

Device Tab, System Log Settings

PANOS 7.0 and 7.1

On PANOS versions above 7.0, the Config, System, and Correlation events are all on one screen.

  1. Under the Device tab, select Log Settings from the left-hand tree menu.
  2. In the main panel, select TDR-COLLECTOR for the System widget.

Device Tab, System Log Settings

Sending Config (audit) Logs from Palo Alto Firewall to XDR

Configuration logs record who made changes on a PAN firewall and what was changed. They are useful for backtracking configuration mistakes and for spotting possible unauthorized changes that compromise the security of the device or network.

PANOS 6.1 and below
  1. Under the Device tab, select Log Settings --> Config from the left-hand menu.
  2. In the main panel, select TDR-COLLECTOR for the Syslog Profile.

Panos 6.1 and below

Panos 6.1 and Below Config

PANOS 7.0 and 7.1

On PANOS versions above 7.0, the Config, System, and Correlation events are all on one screen.

  1. From the Device tab, select Log Settings from the left-hand menu.
  2. In the main panel, select TDR-COLLECTOR for the Config widget.

Panos 7 Config

Sending Correlation (Security) Logs From the Palo Alto Firewall to XDR (PANOS 7.0+)

PANOS 7.0 and above contains a new type of security event called Correlation events, which are vendor-proprietary meta-events built from the correlation of multiple threat events. These new security events are valuable in detecting infected hosts. On PANOS versions above 7.0, the Config, System, and Correlation events are all on one screen.

  1. Under the Device tab, select Log Settings.
  2. From the main panel, select TDR-COLLECTOR for the Correlation widget.

Correlation Logs

Create a Log Forwarding Profile on the Palo Alto Firewall for Logging to XDR Only

This creates a named profile that specifies which events (traffic, security/vulnerability, wildfire) and which criticality levels are forwarded to XDR by referencing the syslog server profile.

  1. Under the Objects tab, select Log Forwarding.
  2. In the main panel, select Add. The Log Forwarding Profile dialog displays.
  3. Enter TDR-FORWARDING for the name.
  4. Select TDR-COLLECTOR for every item under Syslog column.

Log Forwarding Profile

Panorama v6.1 - 7.1 Configuration (End of Life)

The following covers multiple configuration scenarios for Panorama to XDR. Select the one appropriate to your version of Panorama.

Sending Logs from Customer Panorama to XDR

Note

Do not configure both Panorama and Palo Alto Firewall to send logs to XDR. Choose one or the other.

XDR Syslog Server Profile

In Panorama, create a Server Syslog Profile called TDR-COLLECTOR with XDR Collector’s corresponding IP address.

Panorama Syslog Server Profile

Sending System (Diagnostics) Logs From Panorama To XDR

System logs provide a wide array of useful information for auditing and troubleshooting (user login information, NTP issues, hardware events, user-id events, etc.).

PANOS 6.1 and Below

Configure the System Log Settings to point to the TDR-COLLECTOR syslog server profile.

  1. From the Panorama tab, select Log Settings → System from the left-hand tree menu.
  2. Select TDR-COLLECTOR for every item under the Syslog Profile column.

Panorama System Logs

PANOS 7.0 and 7.1

On Panorama running PANOS versions above 7.0, the Config, System, Threat, Wildfire, Traffic, and Correlation events are all on one screen.

  1. From the Device tab, select Log Settings from the left-hand tree menu.
  2. Select TDR-COLLECTOR for the System widget in the main panel.

Panorama System Logs

Sending Config (Audit) Logs From Panorama To XDR

Config logs record who made changes on a Panorama Firewall and what was changed. They are useful for backtracking configuration mistakes and for spotting possible unauthorized changes that compromise the security of the device or network.

PANOS 6.1 and Below
  1. From the Panorama tab, select Log Settings → Config from the left-hand tree menu.
  2. In the main panel, make sure the Log Settings - Config is pointing to TDR-COLLECTOR for syslog.

Panorama Config Logs

PANOS 7.0 and 7.1

On Panorama running PANOS versions above 7.0, the Config, System, Threat, Wildfire, Traffic, and Correlation events are all on one screen.

  1. From the Device tab, select Log Settings from the left-hand tree menu.
  2. Select TDR-COLLECTOR for the Config widget in the main panel.

Panorama Config Logs

Sending Traffic Logs from Panorama to XDR

Traffic logs provide additional information used for event correlation and network forensics, for example suspicious outbound traffic to watchlisted IP networks or hosts.

PANOS 6.1 and Below
  1. From the Panorama tab, select Log Settings → Traffic.
  2. In the main panel, configure the Traffic Settings to point to the TDR-COLLECTOR syslog server profile.

Panorama Traffic

PANOS 7.0 and 7.1

On Panorama running PANOS versions above 7.0, the Config, System, Threat, Wildfire, Traffic, and Correlation events are all on one screen.

  1. From the Panorama tab, select Log Settings from the left-hand tree menu.
  2. From the main panel select TDR-COLLECTOR for the Traffic widget.

Panorama Traffic Logs

Sending Threat (Security) Logs from Panorama to XDR

Threat logs provide security events on malicious activity detected by the PAN device. Examples of this are remote exploits, intrusion attempts, and denial of service attacks.

PANOS 6.1 and Below
  1. From the Panorama tab, select Log Settings → Threat from the left-hand tree menu.

  2. In the main panel, configure the Threat settings to point to the TDR-COLLECTOR syslog server profile.

Panorama Threat Logs

PANOS 7.0 and 7.1

On Panorama running PANOS versions above 7.0, the Config, System, Threat, Wildfire, Traffic, and Correlation events are all on one screen.

  1. From the Panorama tab, select Log Settings from the left-hand tree menu.

  2. In the main panel, select TDR-COLLECTOR for the Threat widget.

Panorama Threat Logs

Sending Correlation (Security) Logs From Panorama To XDR - PANOS 7

PANOS 7.0 and above contains a new type of security event called Correlation events, which are vendor-proprietary meta-events built from the correlation of multiple threat events. These new security events are valuable in detecting infected hosts.

PANOS 7.0 and 7.1

On Panorama running PANOS versions above 7.0, the Config, System, Threat, Wildfire, Traffic, and Correlation event log configurations are all on one screen.

  1. From the Panorama tab, select Log Settings from the left-hand tree menu.

  2. From the main panel, select TDR-COLLECTOR for items in the Syslog Profile column of the Correlation widget.

Panorama Correlation Logs

Sending Wildfire (Security) Logs from Panorama to XDR

Wildfire security events are, for the most part, either sandbox analysis results for suspicious files or WildFire virus (WildFire signature) alerts. They are useful for detecting relatively new malware, either through near-real-time sandboxing or through the WildFire signatures created from malware samples submitted by the WildFire community.

PANOS 7.0 and 7.1

On Panorama running PANOS versions above 7.0, you can now send Wildfire events from Panorama. Additionally, the Config, System, Threat, Wildfire, Traffic, and Correlation event log configurations are all on one screen.

  1. From the Panorama tab, select Log Settings from the left-hand tree menu.

  2. From the main panel, select TDR-COLLECTOR for items in the Syslog Profile column of the Wildfire widget.

Panorama Wildfire Logs
