Syslog Configuration for Palo Alto Networks

Configuration Guide

Overview

This document describes how to configure Syslog for Arctic Wolf® monitoring on a Palo Alto device.

Setting up a basic security policy

See Set Up a Basic Security Policy on the Palo Alto website for more information.

To set up a basic security policy:

  1. Sign in to the Admin interface on the Palo Alto device.
  2. Select the Policies tab, and then navigate to Security.
  3. Select Add, and then enter a name in the Name field under the General tab.
  4. Navigate to the Source tab, and then set Source Zone to Users.
  5. Navigate to the Destination tab, and then set Destination Zone to IT infrastructure.
  6. Navigate to the Applications tab, and then select all of the applications that correspond to the network services that you want to enable.
  7. Select Add.
  8. Navigate to the Service/URL Category tab, and confirm that application-default is selected.
  9. Navigate to the Actions tab, and then set Action Setting to Allow.
  10. Set Profile Type to Profiles and select the following security profiles to attach to the policy rule:
    • Antivirus — default
    • Vulnerability Protection — strict
    • Anti-Spyware — strict
    • URL Filtering — default
    • File Blocking — basic file blocking
    • WildFire Analysis — default
  11. Ensure that Log at Session End is enabled.
  12. Select OK.

Adding the syslog server profile

To add the new syslog server profile:

  1. Sign in to the Admin interface on the Palo Alto device.

  2. Select the Device tab.

  3. In the navigation pane, select Server Profiles > Syslog.

  4. Click Add to open the New Server Profile dialog box.

  5. In the dialog box, enter the name of the Syslog server in the Name field.

    Tip: Arctic Wolf recommends a name that aligns with the Arctic Wolf Sensor name, such as awn-mycompany1.

  6. Enter the management IP address that is assigned to the Sensor.

  7. Select UDP and port 514.

  8. Use the default format, BSD, and facility, LOG_USER.
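The profile above sends BSD-format syslog over UDP/514 with facility LOG_USER. A quick way to confirm that the firewall is actually emitting what the profile promises is to decode the `<PRI>` header on the receiving side and check facility and severity. The script below is an added example, not Arctic Wolf's or Palo Alto's code: it parses the BSD (RFC 3164) header, derives facility and severity from PRI, and flags messages that do not match the profile. The sample messages are constructed, and the body layout it assumes (comma-separated PAN-OS CSV with the log type in the fourth field) comes from PAN-OS's CSV syslog format, not from this guide.

```python
"""Receiver-side check for BSD (RFC 3164) syslog sent by a PAN-OS firewall.

Added example (hypothetical): verifies facility/severity against the syslog
server profile in this guide (format BSD, facility LOG_USER, UDP/514).
The PAN-OS body layout below is an assumption: comma-separated fields with
the log type (TRAFFIC, THREAT, SYSTEM, ...) in the fourth field.
"""
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]

EXPECTED_FACILITY = "user"   # LOG_USER, as selected in the server profile
EXPECTED_PORT = 514          # UDP port selected in the server profile

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME body (day may be space-padded)
BSD_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)


def parse_bsd_syslog(line):
    """Return header fields and (assumed) PAN-OS log type, or None if not BSD format."""
    m = BSD_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # PRI is facility*8 + severity, max 23*8+7
        return None
    facility, severity = divmod(pri, 8)
    body = m.group(4)
    fields = body.split(",")
    # Assumption: PAN-OS CSV body, log type is the fourth field.
    log_type = fields[3].strip() if len(fields) > 4 else None
    return {"pri": pri, "facility": FACILITIES[facility],
            "severity": SEVERITIES[severity], "timestamp": m.group(2),
            "host": m.group(3), "log_type": log_type, "body": body}


def check_message(line, expected_facility=EXPECTED_FACILITY):
    """Return a list of problems (empty list means the message matches the profile)."""
    rec = parse_bsd_syslog(line)
    if rec is None:
        return ["not a BSD-format syslog message (check that Format is BSD in the profile)"]
    issues = []
    if rec["facility"] != expected_facility:
        issues.append(f"facility {rec['facility']} != {expected_facility} "
                      f"(profile facility should be LOG_USER)")
    if rec["log_type"] is None:
        issues.append("body is not PAN-OS CSV; could not read the log type")
    return issues


def serve(bind="0.0.0.0", port=EXPECTED_PORT):
    """Listen on UDP/514 (needs privileges) and report each datagram's issues."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            issues = check_message(data.decode("utf-8", errors="replace"))
            print(src, "OK" if not issues else "; ".join(issues))


# Constructed sample messages (serial numbers and bodies are placeholders).
SAMPLES = [
    # <14> = facility 1 (user), severity 6 (informational): matches the profile
    "<14>Jan  1 00:00:00 pa-fw 1,2024/01/01 00:00:00,0000000000000,TRAFFIC,end,allow",
    # <13> = user / notice: also fine
    "<13>Jan  1 00:00:01 pa-fw 1,2024/01/01 00:00:01,0000000000000,SYSTEM,general,0",
    # <134> = facility 16 (local0): someone changed the profile facility
    "<134>Jan  1 00:00:02 pa-fw 1,2024/01/01 00:00:02,0000000000000,CONFIG,0,0",
    # IETF (RFC 5424) framing, not BSD: the profile format is wrong
    "<14>1 2024-01-01T00:00:03Z pa-fw - - - - ietf body",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_message(s) or "OK", "<-", s[:40])
```

Run it without arguments to see the checks against the constructed samples; call `serve()` on a test host (port 514 needs root or a capability) to watch live datagrams from the firewall's management interface. Because the PRI is an integer, a facility mismatch such as `<134>` is invisible in most log viewers, which is exactly why it is worth checking programmatically before assuming the Sensor is receiving the right stream.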

Adding the log forwarding profile

To add the new log forwarding profile:

  1. In the Admin interface of the Palo Alto device, select the Objects tab.

  2. In the navigation pane, select Log Forwarding.

  3. Click Add to open the Log Forwarding Profile dialog box.

  4. Under Name, enter a profile name, up to 31 characters. This name appears in the list of log forwarding profiles when defining security policies.

    Note: Make the name case-sensitive and unique. Use only letters, numbers, spaces, hyphens, and underscores.

    Tip: Arctic Wolf recommends the profile name awn-lfp.

  5. Under Profile Match List, add profiles to forward log types:

    1. Select Add, and then enter a name in the Name field.
    2. Select a Log Type from the list, such as data, and then select the All Logs filter.
    3. Under Syslog, select the syslog server profile that you created in Adding the syslog server profile.
    4. Click OK to confirm your configuration.

This creates your log forwarding profile.

Configuring the logging policy

To configure the logging policy:

  1. In the Admin interface of the Palo Alto device, select the Policies tab.

  2. In the navigation pane, select Security.

  3. Select the policy that you want log forwarding applied to. This opens a dialog box.

    For Arctic Wolf to receive logs, the selected policy must have the Log at Session End option enabled and basic security profiles attached, as described in Setting up a basic security policy.

  4. In the dialog box, select the Actions tab, and then select the previously defined log forwarding profile from the Log Forwarding list.

  5. Select OK. The forwarding icon appears in the Options column of your security policy rule.

  6. Select Commit to save your policy rules to the running configuration of the firewall.

    Tip: Arctic Wolf recommends that you perform a backup of your configuration. Select Device > Setup > Operations, and then select Save Named Configuration Snapshot to save it somewhere safe.

Configuring zone protection logging

If you have an existing log forwarding profile, Arctic Wolf recommends that you allow Arctic Wolf IP addresses in that profile to prevent interference with existing configurations. To configure zone protection logging:

  1. In the Admin interface of the Palo Alto device, select the Network tab.

  2. In the navigation pane, select Zones.

  3. Click Add to open the Zone Protection Profile.

  4. In the dialog box, enter a name for the profile.

  5. In the Reconnaissance Protection tab, select Enable for TCP Port Scan, Host Sweep, and UDP Port Scan.

  6. Click Add in the Source Address Exclusion section, and add a new Source Address Exclusion for Arctic Wolf IP addresses.

    Tip: To see a complete list of IP addresses that you must allowlist, go to the Arctic Wolf Portal, click your organization name, and select Arctic Wolf IP Addresses. The IP addresses that must be allowlisted are listed under Managed Risk External Vulnerability Assessment Scanning.

  7. Click OK to save your changes.

Configuring syslog forwarding for System, Config, HIP Match, and Correlation logs

  1. In the Admin interface of the Palo Alto device, select the Device tab.
  2. In the navigation pane, select Log Settings.
  3. To configure forwarding for System logs:
    1. In the System section, select informational under the Severity column to open the Log Settings - System dialog box.
    2. In the Syslog list, select the syslog server profile that you created in Adding the syslog server profile.
    3. Click OK to confirm your configuration.
  4. To configure forwarding for Config, HIP Match, and Correlation logs, complete these steps for each log section:
    1. In the relevant log section, click the gear icon on the top-right corner of the section to open the section dialog box.
    2. In the Syslog list, select the syslog server profile that you created in Adding the syslog server profile.
    3. Click OK to confirm your configuration.

WildFire-specific configurations

The following sections contain configuration steps for WildFire logging.

Enabling benign and grayware sample logging (WildFire only)

To enable benign and grayware sample logging for WildFire events:

  1. In the Admin interface of the Palo Alto device, select the Device tab.
  2. In the navigation pane, select Setup > WildFire > Edit General Settings.
  3. In the dialog box, select Report Benign Files and/or select Report Grayware Files.
  4. Click OK to save.

Including email header information in WildFire logs and reports (WildFire only)

To include email header information in WildFire logs and reports:

  1. In the Admin interface of the Palo Alto device, select the Device tab.
  2. In the navigation pane, select Setup > WildFire > Edit Session Information Settings.
  3. Enable one or more of these options:
    • Email sender
    • Email recipient
    • Email subject
  4. Click OK to save.