Palo Alto Networks Logs
Updated Nov 10, 2023
Configure a Palo Alto Networks Panorama platform to send logs to Arctic Wolf
You can configure a Palo Alto Networks® device to send the necessary logs to Arctic Wolf® for security monitoring using the Panorama platform.
Note: Only complete these steps if you are already using Panorama as a central log collector. Depending on log settings, this configuration can cause limitations for alerting. Contact your Concierge Security® Team to discuss other log forwarding options.
Requirements
- An activated Arctic Wolf Sensor
- Access to Palo Alto Networks console with administrator permissions
Steps
- Create a syslog server profile.
- Configure a managed Collector Group to forward firewall logs.
- Provide your Palo Alto Networks Panorama information to Arctic Wolf.
Step 1: Create a syslog server profile
- Sign in to the Palo Alto Networks Panorama platform with administrator permissions.
- Click the PANORAMA tab.
- In the navigation menu, click Server Profiles > Syslog.
- Click + Add.
- In the New Server Profile dialog, in the Name field, enter a unique name for the syslog server. For example, awn-mycompany1.
- Click the Servers tab.
- Click + Add.
  A new row is added to the table.
- In the new table row, configure these settings:
  - Name — Enter a name for your Arctic Wolf physical or virtual sensor.
  - Syslog Server — Enter the IP address of your Arctic Wolf physical or virtual sensor.
  - Transport — Select UDP.
  - Port — Enter 514.
  - Format — Use the default format of BSD.
  - Facility — Use the default facility of LOG_USER.
- Click OK.
Step 2: Configure a managed Collector Group to forward firewall logs
- Sign in to the Palo Alto Networks Panorama platform with administrator permissions.
- Click the PANORAMA tab.
- In the navigation menu, click Collector Groups.
- Open your existing Collector Group that is receiving firewall logs.
- Click the Collector Log Forwarding tab.
- Create a log forwarding profile match list for each of these log types: System, Configuration, HIP-Match, Correlation Logs, Traffic, Data, Threat, Auth, URL, and Global Protect.
  Note: Global Protect log settings are only required if you have GlobalProtect.
- Click + Add.
- In the Log Settings dialog, for each log type, configure these settings:
  - Name — Enter a descriptive name for your log setting profile.
  - Filter — Select All Logs.
  - Description — Enter a description for your log settings.
  - Forward Method — Select the Syslog method, and then click + Add and select the syslog server profile that you created in Step 1: Create a syslog server profile.
- Click OK.
- Verify that you have a log forwarding profile for all necessary log types.
- Click OK.
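Before opening the ticket in Step 3, it is worth confirming on the receiving side that every log type listed above actually arrives. The following added example (not Arctic Wolf's or Palo Alto Networks' own tooling) classifies a sample of syslog lines by the PAN-OS TYPE and subtype CSV fields and reports which required categories were never seen. The mapping from Panorama's log categories to those fields, the BSD header shape, and the sample lines are assumptions made for this check; the samples are constructed, not real logs.

```python
import re
from typing import Dict, Iterable, Optional

# BSD syslog header (<PRI>Mmm dd hh:mm:ss host) followed by the PAN-OS CSV body.
BSD_HEADER = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<body>.+)$")

# Guide categories mapped to the PAN-OS TYPE field (4th CSV field). URL and Data
# are THREAT logs told apart by the 5th field (subtype). Assumed mapping; confirm
# against the syslog field reference for your PAN-OS version.
TYPE_TO_CATEGORY = {
    "SYSTEM": "System", "CONFIG": "Configuration", "HIPMATCH": "HIP-Match",
    "CORRELATION": "Correlation Logs", "TRAFFIC": "Traffic", "AUTH": "Auth",
    "GLOBALPROTECT": "Global Protect",
}
REQUIRED = set(TYPE_TO_CATEGORY.values()) | {"Threat", "URL", "Data"}

def categorize(line: str) -> Optional[str]:
    """Return the guide's category for one syslog line, or None if it does not parse."""
    m = BSD_HEADER.match(line.strip())
    if not m:
        return None
    fields = m.group("body").split(",")
    if len(fields) < 5:
        return None
    log_type, subtype = fields[3].upper(), fields[4].lower()
    if log_type == "THREAT":
        return {"url": "URL", "data": "Data"}.get(subtype, "Threat")
    return TYPE_TO_CATEGORY.get(log_type)

def coverage(lines: Iterable[str]) -> Dict[str, object]:
    """Count parsed lines per category and list required categories never seen."""
    seen: Dict[str, int] = {}
    unparsed = 0
    for line in lines:
        cat = categorize(line)
        if cat is None:
            unparsed += 1
        else:
            seen[cat] = seen.get(cat, 0) + 1
    return {"seen": seen, "missing": sorted(REQUIRED - set(seen)), "unparsed": unparsed}

# Constructed sample lines with a placeholder serial number; not real PAN-OS logs.
SAMPLE = [
    "<14>Nov 10 12:00:01 panorama 1,2023/11/10 12:00:01,000000000000,TRAFFIC,end,10.0.0.5,10.0.0.9",
    "<14>Nov 10 12:00:02 panorama 1,2023/11/10 12:00:02,000000000000,THREAT,vulnerability,10.0.0.5",
    "<14>Nov 10 12:00:03 panorama 1,2023/11/10 12:00:03,000000000000,THREAT,url,10.0.0.5",
    "<14>Nov 10 12:00:05 panorama 1,2023/11/10 12:00:05,000000000000,SYSTEM,general,,,",
    "garbage that is not syslog",
]
```

Run `coverage()` over a capture taken on the sensor side (for example, lines saved from the UDP 514 listener) and treat a non-empty `missing` list as a forwarding profile still to be added.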
Step 3: Provide your Palo Alto Networks Panorama information to Arctic Wolf
- Sign in to the Arctic Wolf® Unified Portal.
- Click Help > Open a New Ticket.
- On the Open a New Ticket page, configure these settings:
  - What is this ticket related to? — Select General request.
  - Subject — Enter Syslog changes.
  - Related ticket (optional) — Keep blank.
  - Message — Enter this information for your Concierge Security® Team (CST):
    - Confirmation that you completed the steps in this configuration guide.
    - The IP address or hostname you used during the configuration.
    - Any questions or comments that you have.
- Click Send Message.
Your CST will review the details, and then confirm that Arctic Wolf is successfully processing the logs.