Configure a Palo Alto Networks Panorama platform to send logs to Arctic Wolf

You can configure a Palo Alto Networks® device to send the necessary logs to Arctic Wolf® for security monitoring using the Panorama platform.

Note:

Only complete these steps if you are:

Depending on log settings, this configuration can cause limitations for alerting. Contact your Concierge Security® Team to discuss other log forwarding options.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to Palo Alto Networks console with administrator permissions

Create a syslog server profile

  1. Sign in to the Palo Alto Networks Panorama platform with administrator permissions.
  2. Click the PANORAMA tab.
  3. In the navigation menu, in the Server Profiles section, click Syslog.
  4. Click + Add.
  5. In the New Server Profile dialog, in the Name field, enter a unique name for the syslog server. For example, awn-mycompany1.
  6. Click the Servers tab.
  7. Click + Add.

    A new row is added to the table.

  8. In the new table row, configure these settings:
    • Name — Enter a name for your Arctic Wolf Sensor.
    • Syslog Server — Enter your Arctic Wolf Sensor IP address.
    • Transport — Select UDP.
    • Port — Enter 514.
    • Format — Use the default format of BSD.
    • Facility — Use the default format of LOG_USER.
  9. Click OK.

Configure a managed Collector Group to forward firewall logs

  1. Sign in to the Palo Alto Networks Panorama platform with administrator permissions.
  2. Click the PANORAMA tab.
  3. In the navigation menu, click Collector Groups.
  4. Open your existing Collector Group that is receiving firewall logs.
  5. Click the Collector Log Forwarding tab.
  6. Create a log forwarding profile match list for each of these log types: System, Configuration, HIP-Match, Correlation Logs, Traffic, Data, Threat, Auth, URL, and Global Protect
    Note:

    Global Protect log settings are only required if you have GlobalProtect.

    1. Click + Add.
    2. In the Log Settings dialog, for each log type, configure these settings:
      • Name — Enter a descriptive name for your log setting profile.
      • Filter — Select All Logs.
      • Description — Enter a description for your log settings.
      • Forward Method — Select the Syslog method, and then click + Add and select the syslog server profile that you created in Create a syslog server profile.
    3. Click OK.
    4. Verify that you have a log forwarding profile for all necessary log types.
  7. Click OK.

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on if you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.