Palo Alto Networks Logs

Updated Nov 10, 2023

Configure a Palo Alto Networks firewall to send logs to Arctic Wolf

You can configure a Palo Alto Networks® firewall to send the logs that Arctic Wolf® requires for security monitoring.

Requirements

Steps

  1. Create a syslog server profile.
  2. Configure syslog forwarding for System, Config, HIP Match, and (optional) GlobalProtect.
  3. Create a log forwarding profile for Arctic Wolf.
  4. Add your log forwarding profile to your outgoing north-south security policies.
  5. (Optional) Enable benign and grayware sample logging for WildFire.
  6. (Optional) Include email header information in WildFire logs and reports.
  7. Provide your Palo Alto Networks firewall information to Arctic Wolf.

Step 1: Create a syslog server profile

  1. Sign in to the Palo Alto Networks console with administrator permissions.

  2. Click the Device tab.

  3. In the navigation menu, click Server Profiles > Syslog.

  4. Click + Add.

  5. In the New Server Profile dialog, in the Name field, enter a unique name for the syslog server. For example, awn-mycompany1.

  6. Click the Servers tab.

  7. Click + Add.

    A new row is added to the table.

  8. In the new table row, configure these settings:

    • Name — Enter a name for your Arctic Wolf physical or virtual sensor.
    • Syslog Server — Enter the IP address of your Arctic Wolf physical or virtual sensor.
    • Transport — Select UDP.
    • Port — Enter 514.
    • Format — Use the default format of BSD.
    • Facility — Use the default facility of LOG_USER.
  9. Click OK.

Step 2: Configure syslog forwarding for System, Config, HIP Match, and GlobalProtect

  1. Sign in to the Palo Alto Networks console with administrator permissions.

  2. Click the Device tab.

  3. In the navigation menu, click Log Settings.

  4. In the System, Configuration, HIP Match, and (optional) GlobalProtect sections, complete these steps:

    Note: The GlobalProtect section is only available if you have GlobalProtect.

    1. Click + Add.

    2. In the Log Settings Configuration dialog, configure these settings:

      • Name — Enter a name for your log settings. For example, System-FWD.
      • Filter — Select All Logs.
      • Forward Method — Select the Syslog method, and then click + Add and select your Arctic Wolf syslog profile.
    3. Click OK.

Step 3: Create a log forwarding profile for Arctic Wolf

Note: You can only have one log forwarding profile. If you already have a log forwarding profile, add the required log forwarding profile match list information to that profile.

  1. Sign in to the Palo Alto Networks console with administrator permissions.

  2. Click the Objects tab.

  3. In the navigation menu, click Log Forwarding.

  4. Click + Add.

  5. In the Log Forwarding Profile dialog, in the Name field, enter a unique name for the profile. For example, awn-lfp.

    This name appears in the list of log forwarding profiles when defining security policies.

    Note: The name is case-sensitive. Use only letters, numbers, spaces, hyphens, and underscores. Length is limited to 31 characters.

  6. Create a log forwarding profile match list for each of these log types: data, traffic, threat, URL, auth, and wildfire:

    Note: WildFire logs are only required if you have WildFire.

    1. Click + Add.

    2. In the Log Forwarding Profile Match List dialog, for each log type, configure these settings:

      • Name — Enter a name for your match condition.

      • Description — Enter a description for your match condition.

      • Log Type — Select the required log type. For example, data.

      • Filter — Select All Logs.

      • Forward Method — Select the Syslog method, and then click + Add and select the syslog server profile that you created in Create a syslog server profile.

        Figure: the Palo Alto Networks Log Forwarding Profile Match List dialog, showing an example match list for the data log type.

    3. Click OK.

    4. Verify that you have a log forwarding profile for all necessary log types.

  7. Click OK.

Step 4: Add your log forwarding profile to your outgoing north-south security policies

  1. Sign in to the Palo Alto Networks console with administrator permissions.

  2. Click the Policies tab.

  3. In the navigation menu, click Security.

  4. Select the policy that you want log forwarding applied for.

    The Security Policy Rule dialog appears.

    Note: For Arctic Wolf to receive logs, your security policy must have the Log at Session End option enabled and basic security profiles attached. See Create a Security Policy Rule for more information.

  5. Click the Actions tab.

  6. In the Log Forwarding list, select the required log forwarding profile.

  7. Click OK.

    The forwarding icon appears in the Options column of your security policy rule.

  8. Click Commit.

    Tip: Arctic Wolf recommends that you save a backup of your configuration. Click Device > Setup > Operations, and then click Save Named Configuration Snapshot to save it in a safe, encrypted location.
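After the commit, a quick way to confirm that the sensor is actually receiving every log type this guide asks for is to parse a short capture of the forwarded syslog lines and list which categories never appeared. The following Python check is added here and is not Arctic Wolf or Palo Alto Networks code; the sample lines are constructed, and the mapping of the guide's log types to PAN-OS Type and Threat/Content subtype strings is an assumption to verify against the syslog field descriptions for your PAN-OS version.

```python
import csv
import re
from io import StringIO

# BSD (RFC 3164) header as sent with Format=BSD: <PRI>Mon dd hh:mm:ss host body
BSD_HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

# Coverage expected by the guide, as (PAN-OS Type field, Threat/Content subtype or None).
# Assumption: data, URL and WildFire events arrive as THREAT logs with these subtypes;
# verify the exact strings against the syslog field descriptions for your PAN-OS version.
REQUIRED = {
    "system": ("SYSTEM", None), "config": ("CONFIG", None), "hip-match": ("HIPMATCH", None),
    "traffic": ("TRAFFIC", None), "threat": ("THREAT", None), "auth": ("AUTHENTICATION", None),
    "data": ("THREAT", "data"), "url": ("THREAT", "url"), "wildfire": ("THREAT", "wildfire"),
}

# Constructed sample of what a sensor receives (PRI 14 = LOG_USER facility, info severity).
SAMPLE_LINES = [
    "<14>Nov 10 12:00:01 fw01 1,2023/11/10 12:00:01,0123456789,TRAFFIC,end,2561,2023/11/10 12:00:01,10.0.0.5,198.51.100.10",
    "<14>Nov 10 12:00:02 fw01 1,2023/11/10 12:00:02,0123456789,THREAT,url,2561,2023/11/10 12:00:02,10.0.0.5,198.51.100.10",
    '<14>Nov 10 12:00:03 fw01 1,2023/11/10 12:00:03,0123456789,SYSTEM,general,0,2023/11/10 12:00:03,"commit, done"',
    "<14>Nov 10 12:00:04 fw01 1,2023/11/10 12:00:04,0123456789,CONFIG,0,0,2023/11/10 12:00:04,admin",
]

def parse_line(line):
    """Return (facility, host, pan_type, subtype) for one forwarded line, or None if malformed."""
    m = BSD_HEADER.match(line.strip())
    if not m:
        return None
    pri, _ts, host, body = m.groups()
    fields = next(csv.reader(StringIO(body)))  # PAN-OS body is CSV; quoted fields may contain commas
    if len(fields) < 5:
        return None
    return int(pri) // 8, host, fields[3], fields[4]  # facility = PRI // 8 (LOG_USER is 1)

def coverage_report(lines):
    """Return the sorted required categories that never appeared in the sample."""
    seen = set()
    for parsed in filter(None, map(parse_line, lines)):
        _facility, _host, pan_type, subtype = parsed
        for name, (want_type, want_sub) in REQUIRED.items():
            if pan_type == want_type and want_sub in (None, subtype):
                seen.add(name)
    return sorted(set(REQUIRED) - seen)

if __name__ == "__main__":
    print("missing log types:", coverage_report(SAMPLE_LINES) or "none")
```

Feed it the lines captured on the sensor side (for example from a packet capture on UDP 514) and any category it reports as missing points at a match list or log setting that was not attached or committed.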

Step 5: Enable benign and grayware sample logging for WildFire

This step is optional. It is only required if you have WildFire.

  1. Sign in to the Palo Alto Networks console with administrator permissions.
  2. Click the Device tab.
  3. In the navigation menu, click Setup.
  4. Click the WildFire tab.
  5. In the General Settings section, click Edit.
  6. Select the Report Benign Files and Report Grayware Files checkboxes.
  7. Click OK.

Step 6: Include email header information in WildFire logs and reports

This step is optional. It is only required if you have WildFire.

  1. Sign in to the Palo Alto Networks console with administrator permissions.

  2. Click the Device tab.

  3. In the navigation menu, click Setup.

  4. Click the WildFire tab.

  5. In the Session Information Settings section, click Edit.

  6. Select these checkboxes:

    • Email sender
    • Email recipient
    • Email subject
  7. Click OK.

Step 7: Provide your Palo Alto Networks firewall information to Arctic Wolf

  1. Sign in to the Arctic Wolf® Unified Portal.

  2. Click Help > Open a New Ticket.

  3. On the Open a New Ticket page, configure these settings:

    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep blank.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname you used during the configuration.
      • Any questions or comments that you have.
  4. Click Send Message.

    Your CST will review the details, and then confirm that Arctic Wolf is successfully processing the logs.
