Palo Alto Networks Logs
Updated Nov 10, 2023
Configure a Palo Alto Networks firewall to send logs to Arctic Wolf
You can configure a Palo Alto Networks® firewall to forward the necessary logs to Arctic Wolf® over syslog for security monitoring.
Requirements
- An activated Arctic Wolf Sensor
- Access to the Palo Alto Networks console with administrator permissions
Steps
- Create a syslog server profile.
- Configure syslog forwarding for System, Config, HIP Match, and (optional) Global Protect.
- Create a log forwarding profile for Arctic Wolf.
- Add your log forwarding profile to your outgoing north-south security policies.
- (Optional) Enable benign and grayware sample logging for WildFire.
- (Optional) Include email header information in WildFire logs and reports.
- Provide your Palo Alto Networks firewall information to Arctic Wolf.
Step 1: Create a syslog server profile
- Sign in to the Palo Alto Networks console with administrator permissions.
- Click the Device tab.
- In the navigation menu, click Server Profiles > Syslog.
- Click + Add.
- In the New Server Profile dialog, in the Name field, enter a unique name for the syslog server. For example, awn-mycompany1.
- Click the Servers tab.
- Click + Add. A new row is added to the table.
- In the new table row, configure these settings:
  - Name — Enter a name for your Arctic Wolf physical or virtual sensor.
  - Syslog Server — Enter the IP address of your Arctic Wolf physical or virtual sensor.
  - Transport — Select UDP.
  - Port — Enter 514.
  - Format — Use the default format of BSD.
  - Facility — Use the default facility of LOG_USER.
- Click OK.
Step 2: Configure syslog forwarding for System, Config, HIP Match, and Global Protect
- Sign in to the Palo Alto Networks console with administrator permissions.
- Click the Device tab.
- In the navigation menu, click Log Settings.
- In the System, Configuration, HIP Match, and (optional) Global Protect sections, complete these steps:
  Note: Global Protect is only available if you have GlobalProtect.
  - Click + Add.
  - In the Log Settings Configuration dialog, configure these settings:
    - Name — Enter a name for your log settings. For example, System-FWD.
    - Filter — Select All Logs.
    - Forward Method — Select the Syslog method, and then click + Add and select your Arctic Wolf syslog profile.
  - Click OK.
Step 3: Create a log forwarding profile for Arctic Wolf
Note: You can only have one log forwarding profile. If you already have a log forwarding profile, add the required log forwarding profile match list information to that profile.
- Sign in to the Palo Alto Networks console with administrator permissions.
- Click the Objects tab.
- In the navigation menu, click Log Forwarding.
- Click + Add.
- In the Log Forwarding Profile dialog, in the Name field, enter a unique name for the profile. For example, awn-lfp. This name appears in the list of log forwarding profiles when defining security policies.
  Note: The name is case-sensitive. Use only letters, numbers, spaces, hyphens, and underscores. Length is limited to 31 characters.
- Create a log forwarding profile match list for each of these log types: data, traffic, threat, URL, auth, and wildfire:
  Note: WildFire logs are only required if you have WildFire.
  - Click + Add.
  - In the Log Forwarding Profile Match List dialog, for each log type, configure these settings:
    - Name — Enter a name for your match condition.
    - Description — Enter a description for your match condition.
    - Log Type — Select the required log type. For example, data.
    - Filter — Select All Logs.
    - Forward Method — Select the Syslog method, and then click + Add and select the syslog server profile that you created in Step 1: Create a syslog server profile.
    For example, your log forwarding profile match list for data log types will look similar to this: [screenshot not reproduced]
  - Click OK.
  - Verify that you have a log forwarding profile match list for all necessary log types.
- Click OK.
Step 4: Add your log forwarding profile to your outgoing north-south security policies
- Sign in to the Palo Alto Networks console with administrator permissions.
- Click the Policies tab.
- In the navigation menu, click Security.
- Select the policy that you want log forwarding applied to. The Security Policy Rule dialog appears.
  Note: For Arctic Wolf to receive logs, your security policy must have the Log at Session End option enabled and basic security profiles attached. See Create a Security Policy Rule for more information.
- Click the Actions tab.
- In the Log Forwarding list, select the required log forwarding profile.
- Click OK. The forwarding icon appears in the Options column of your security policy rule.
- Click Commit.
Tip: Arctic Wolf recommends that you save a backup of your configuration. Click Device > Setup > Operations, and then click Save Named Configuration Snapshot to save it in a safe, encrypted location.
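After the commit, a practical way to confirm that every forwarded log category is actually reaching the sensor IP is to parse a capture of the syslog lines received on UDP 514. The following Python script is an added example, not Arctic Wolf's or Palo Alto Networks' code: it parses BSD-format lines, checks that the facility is LOG_USER, and reports which categories from Steps 2 and 3 have not been observed. The CSV field positions and the type/subtype mapping are assumed from PAN-OS syslog field descriptions rather than stated on this page, and the sample lines are constructed.

```python
import re
from collections import Counter
LOG_USER = 1  # facility set in the syslog server profile; BSD PRI = facility * 8 + severity
# How the guide's forwarding categories appear in the PAN-OS CSV body (field 3 = type, field 4 =
# subtype, 0-based). Assumed from PAN-OS syslog field descriptions, not stated on this page.
TYPE_CATEGORY = {"SYSTEM": "System", "CONFIG": "Config", "HIP-MATCH": "HIP Match",
                 "TRAFFIC": "traffic", "AUTHENTICATION": "auth", "GLOBALPROTECT": "Global Protect"}
THREAT_SUBTYPE_CATEGORY = {"url": "URL", "data": "data", "wildfire": "wildfire", "wildfire-virus": "wildfire"}
REQUIRED = {"System", "Config", "HIP Match", "traffic", "threat", "URL", "data", "auth"}
OPTIONAL = {"wildfire", "Global Protect"}  # only expected if you have WildFire / GlobalProtect
BSD = re.compile(r"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$")

def parse_line(line):
    """Return (facility, host, log_type, subtype) for a BSD-format PAN-OS line, else None."""
    m = BSD.match(line.strip())
    fields = m.group(3).split(",") if m else []
    if len(fields) < 5:
        return None
    return int(m.group(1)) // 8, m.group(2), fields[3].upper(), fields[4].lower()

def classify(log_type, subtype):
    # URL, data and WildFire logs are THREAT logs distinguished by subtype; other types map directly
    if log_type == "THREAT":
        return THREAT_SUBTYPE_CATEGORY.get(subtype, "threat")
    return TYPE_CATEGORY.get(log_type)

def coverage_report(lines):
    """Count observed categories; flag lines with the wrong facility or an unparseable format."""
    seen, bad_facility, unparsed = Counter(), 0, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        facility, _host, log_type, subtype = rec
        bad_facility += facility != LOG_USER
        cat = classify(log_type, subtype)
        if cat:
            seen[cat] += 1
    return {"seen": dict(seen), "bad_facility": bad_facility, "unparsed": unparsed,
            "missing_required": sorted(REQUIRED - set(seen)), "missing_optional": sorted(OPTIONAL - set(seen))}

# Constructed sample lines, not real firewall output (PRI 14 = user.info, PRI 30 = daemon.info).
SAMPLE = [
    "<14>Nov 10 12:00:01 PA-FW 1,2023/11/10 12:00:01,0001,TRAFFIC,end,2049,x",
    "<14>Nov 10 12:00:02 PA-FW 1,2023/11/10 12:00:02,0001,THREAT,url,2049,x",
    "<14>Nov 10 12:00:03 PA-FW 1,2023/11/10 12:00:03,0001,SYSTEM,general,0,x",
    "<30>Nov 10 12:00:04 PA-FW 1,2023/11/10 12:00:04,0001,CONFIG,0,0,x",
    "not a syslog line",
]
```

Run `coverage_report` over lines collected on the sensor side (for example, from a short packet capture on port 514) and treat any entry in `missing_required` as a match list or log setting that is not forwarding.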
Step 5: Enable benign and grayware sample logging for WildFire
This step is optional. It is only required if you have WildFire.
- Sign in to the Palo Alto Networks console with administrator permissions.
- Click the Device tab.
- In the navigation menu, click Setup.
- Click the WildFire tab.
- In the General Settings section, click Edit.
- Select the Report Benign Files and Report Grayware Files checkboxes.
- Click OK.
Step 6: Include email header information in WildFire logs and reports
This step is optional. It is only required if you have WildFire.
- Sign in to the Palo Alto Networks console with administrator permissions.
- Click the Device tab.
- In the navigation menu, click Setup.
- Click the WildFire tab.
- In the Session Information Settings section, click Edit.
- Select these checkboxes:
  - Email sender
  - Email recipient
  - Email subject
- Click OK.
Step 7: Provide your Palo Alto Networks firewall information to Arctic Wolf
- Sign in to the Arctic Wolf® Unified Portal.
- Click Help > Open a New Ticket.
- On the Open a New Ticket page, configure these settings:
  - What is this ticket related to? — Select General request.
  - Subject — Enter Syslog changes.
  - Related ticket (optional) — Keep blank.
  - Message — Enter this information for your Concierge Security® Team (CST):
    - Confirmation that you completed the steps in this configuration guide.
    - The IP address or hostname you used during the configuration.
    - Any questions or comments that you have.
- Click Send Message.
Your CST will review the details, and then confirm that Arctic Wolf is successfully processing the logs.