Palo Alto Networks Logs

Updated Aug 31, 2023

You can configure a Palo Alto Networks® device to send the necessary logs to Arctic Wolf for security monitoring using one of these methods:

  • Configure a Palo Alto Networks firewall to send logs to Arctic Wolf
  • Configure a Palo Alto Networks Panorama platform to send logs to Arctic Wolf

Requirements

Configure a Palo Alto Networks firewall to send logs to Arctic Wolf

  1. Create a syslog server profile.
  2. Configure syslog forwarding for System, Config, HIP Match, and Global Protect.
  3. Create a log forwarding profile for Arctic Wolf.
  4. Add your log forwarding profile to your outgoing north-south security policies.
  5. If you have WildFire, configure the following:
    • Enable benign and grayware sample logging for WildFire.
    • Include email header information in WildFire logs and reports.
  6. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:
    • Confirmation that you have completed the steps in this configuration guide.
    • The IP address you used during the configuration.
    • Any other questions or comments that you have.

Step 1: Create a syslog server profile

  1. Sign in to the Palo Alto Networks console as an administrator.

  2. Click the Device tab.

  3. In the navigation pane, click Server Profiles > Syslog.

  4. Click + Add.

  5. In the New Server Profile dialog box, in the Name field, enter a unique name for the syslog server.

    Tip: Arctic Wolf recommends a name that aligns with the Arctic Wolf Sensor name, such as awn-mycompany1.

  6. Click the Servers tab.

  7. Click + Add.

  8. In the new table row, do the following:

    • Name — Enter a descriptive name for your physical or virtual sensor.
    • Syslog Server — Enter the IP address of your Arctic Wolf physical or virtual sensor.
    • Transport — Select UDP from the list.
    • Port — Enter 514.
    • Format — Use the default format of BSD.
    • Facility — Use the default facility of LOG_USER.
  9. Click OK.

Step 2: Configure syslog forwarding for System, Config, HIP Match, and Global Protect

  1. Sign in to the Palo Alto Networks console as an administrator.
  2. Click the Device tab.
  3. In the navigation pane, select Log Settings.
  4. In the System section, do the following:
    1. Click + Add.

    2. In the Log Settings Configuration dialog box, do the following:

      • Name — Enter a name for your log settings. For example, System-FWD.
      • Filter — Select All Logs from the list.
      • Forward Method — For the Syslog method, click + Add, and then select your Arctic Wolf syslog profile.
    3. Click OK.

  5. Repeat the previous step for the Configuration, HIP Match, and Global Protect sections.

    Note: The Global Protect section is only available if you have GlobalProtect.

Step 3: Create a log forwarding profile for Arctic Wolf

Note: You can only have one log forwarding profile. If you already have a log forwarding profile, add the required log forwarding profile match list information to that profile.

  1. Sign in to the Palo Alto Networks console as an administrator.

  2. Click the Objects tab.

  3. In the navigation pane, click Log Forwarding.

  4. Click + Add.

  5. In the Log Forwarding Profile dialog box, in the Name field, enter a unique name for the profile.

    This name appears in the list of log forwarding profiles when defining security policies.

    Note: The name is case-sensitive. Use only letters, numbers, spaces, hyphens, and underscores. Length is limited to 31 characters.

    Tip: Arctic Wolf recommends the profile name awn-lfp.

  6. Create a log forwarding profile match list for each of these log types: data, traffic, threat, URL, auth, and wildfire:

    Note: wildfire logs are only required if you have WildFire.

    1. Click + Add.

    2. In the Log Forwarding Profile Match List dialog box, do the following:

      • Name — Enter a descriptive name for your match condition.
      • Description — Enter a description for your match condition.
      • Log Type — Select the required log type from the list. For example, data.
      • Filter — Select All Logs.
      • Forward Method — For the Syslog method, click + Add, and then select the syslog server profile that you created in Step 1.

      For example, your log forwarding profile match list for data log types will look similar to this: [Image: the Palo Alto Networks Log Forwarding Profile Match List dialog]

    3. Click OK.

    4. Repeat these steps until all log types are added.

  7. Click OK.

Step 4: Add your log forwarding profile to your outgoing north-south security policies

  1. Sign in to the Palo Alto Networks console as an administrator.

  2. Click the Policies tab.

  3. In the navigation pane, select Security.

  4. Select the policy that you want log forwarding applied to.

    The Security Policy Rule dialog box appears. For Arctic Wolf to receive logs, your security policy must have the Log at Session End option enabled and basic security profiles attached. See Create a Security Policy Rule for additional information.

  5. Click the Actions tab.

  6. In the Log Forwarding list, select the required log forwarding profile.

  7. Click OK.

    The forwarding icon appears in the Options column of your security policy rule.

  8. Click Commit to save your policy rules to the running configuration of the firewall.

    Tip: Arctic Wolf recommends that you save a backup of your configuration. Click Device > Setup > Operations, and then click Save Named Configuration Snapshot to save it somewhere safe.

Enable benign and grayware sample logging for WildFire

  1. Sign in to the Palo Alto Networks console as an administrator.
  2. Click the Device tab.
  3. In the navigation pane, select Setup.
  4. Click the WildFire tab.
  5. In the General Settings section, click Edit.
  6. Select the Report Benign Files and Report Grayware Files checkboxes.
  7. Click OK.

Include email header information in WildFire logs and reports

Including email header information in your logs and reports helps you locate and remediate threats that are detected in emails.

  1. Sign in to the Palo Alto Networks console as an administrator.

  2. Click the Device tab.

  3. In the navigation pane, click Setup.

  4. Click the WildFire tab.

  5. In the Session Information Settings section, click Edit.

  6. Select the checkbox for the following options:

    • Email sender
    • Email recipient
    • Email subject
  7. Click OK.

Configure a Palo Alto Networks Panorama platform to send logs to Arctic Wolf

Note: Only use this procedure if you are already using Panorama as a central log collector. Depending on log settings, this configuration may cause limitations for alerting. Discuss this configuration with your CST or Deployment representative for alternatives.

  1. Create a syslog server profile.
  2. Configure a managed Collector Group to forward firewall logs.
  3. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:
    • Confirmation that you have completed the steps in this configuration guide.
    • The IP address you used during the configuration.
    • Any other questions or comments that you have.

Step 1: Create a syslog server profile

  1. Sign in to the Palo Alto Networks Panorama platform as an administrator.

  2. Click the PANORAMA tab.

  3. In the navigation pane, click Server Profiles > Syslog.

  4. Click + Add.

  5. In the New Server Profile dialog box, in the Name field, enter a unique name for the syslog server.

    Tip: Arctic Wolf recommends a name that aligns with the Arctic Wolf Sensor name, such as awn-mycompany1.

  6. Click the Servers tab.

  7. Click + Add.

  8. In the new table row, do the following:

    • Name — Enter a descriptive name for your physical or virtual sensor.
    • Syslog Server — Enter the IP address of your Arctic Wolf physical or virtual sensor.
    • Transport — Select UDP from the list.
    • Port — Enter 514.
    • Format — Use the default format of BSD.
    • Facility — Use the default facility of LOG_USER.
  9. Click OK.

Step 2: Configure a managed Collector Group to forward firewall logs

  1. Sign in to the Palo Alto Networks Panorama platform as an administrator.

  2. Click the PANORAMA tab.

  3. In the navigation pane, click Collector Groups.

  4. Open your existing Collector Group that is receiving firewall logs.

  5. Click the Collector Log Forwarding tab.

  6. Create log settings for the following log types: System, Configuration, HIP-Match, Correlation Logs, Traffic, Data, Threat, Auth, URL, and Global Protect:

    1. Click + Add.

    2. In the Log Settings dialog box, do the following:

      • Name — Enter a descriptive name for your log setting profile.
      • Filter — Select All Logs.
      • Description — Enter a description for your log settings.
      • Forward Method — For the Syslog method, click + Add, and then select the syslog server profile that you created in Step 1.
    3. Click OK.

    4. Repeat these steps until all log settings are added.

      Note: Global Protect log settings are only required if you have GlobalProtect.

  7. Click OK.
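Both the firewall and the Panorama procedures end with asking the Concierge Security Team to validate that logs are being ingested. The following added example (not part of the Arctic Wolf guide or any Palo Alto Networks tooling) is a small check you can run against a capture of the BSD-format syslog arriving on the sensor's UDP/514 port: it parses the PAN-OS CSV body of each message, reports which of the log types this guide forwards have not yet been seen, counts Log at Session End traffic records, and flags messages whose facility is not the LOG_USER default from Step 1. The sample lines are constructed, and the mapping from the guide's log-type names to PAN-OS Type/subtype values is an assumption to verify against your PAN-OS version.

```python
import re
from collections import Counter

# Constructed PAN-OS BSD syslog lines as the sensor would see them on UDP/514 (PRI <14>
# = facility LOG_USER, severity info). Host, serial and addresses are made up; trailing
# CSV fields are cut with "..." since only fields 4 (Type) and 5 (subtype) matter here.
SAMPLE_LINES = [
    "<14>Aug 31 10:00:01 fw01 1,2023/08/31 10:00:01,001901000000,TRAFFIC,end,2049,2023/08/31 10:00:01,10.0.0.5,198.51.100.7,...",
    "<14>Aug 31 10:00:02 fw01 1,2023/08/31 10:00:02,001901000000,THREAT,url,2049,2023/08/31 10:00:02,10.0.0.5,198.51.100.7,...",
    "<14>Aug 31 10:00:03 fw01 1,2023/08/31 10:00:03,001901000000,SYSTEM,general,0,2023/08/31 10:00:03,vsys1,general,...",
    "<14>Aug 31 10:00:04 fw01 1,2023/08/31 10:00:04,001901000000,CONFIG,0,0,2023/08/31 10:00:04,10.0.0.9,vsys1,set,...",
    "<14>Aug 31 10:00:05 fw01 1,2023/08/31 10:00:05,001901000000,TRAFFIC,start,2049,2023/08/31 10:00:05,10.0.0.6,198.51.100.8,...",
    "<30>Aug 31 10:00:06 other-host sshd[123]: Accepted publickey for ops",  # not a firewall line
]

# Log types the guide forwards -> PAN-OS syslog Type and, where one Type carries several
# guide types, the subtype. Mapping assumed from the PAN-OS syslog field descriptions;
# confirm it against your PAN-OS version.
EXPECTED = {
    "traffic": ("TRAFFIC", None), "threat": ("THREAT", None), "url": ("THREAT", "url"),
    "data": ("THREAT", "data"), "wildfire": ("THREAT", "wildfire"),
    "auth": ("AUTHENTICATION", None), "system": ("SYSTEM", None), "config": ("CONFIG", None),
    "hip match": ("HIP-MATCH", None), "globalprotect": ("GLOBALPROTECT", None),
}

HEADER_RE = re.compile(r"^<(\d{1,3})>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ (.*)$")

def parse_line(line):
    """Return {'facility', 'type', 'subtype'} for a PAN-OS line, or None for anything else."""
    m = HEADER_RE.match(line)
    fields = m.group(2).split(",") if m else []
    # CSV layout: FUTURE_USE (always "1"), Receive Time, Serial, Type, Subtype, ...
    if len(fields) < 5 or fields[0] != "1":
        return None
    return {"facility": int(m.group(1)) >> 3, "type": fields[3], "subtype": fields[4]}

def check_ingestion(lines, expected=EXPECTED):
    """Summarise which guide log types have arrived and flag common configuration gaps."""
    seen, skipped, non_user = Counter(), 0, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # non-PAN-OS traffic sharing the syslog port
            continue
        seen[(rec["type"], rec["subtype"])] += 1
        non_user += rec["facility"] != 1   # Step 1 expects the default LOG_USER facility
    missing = sorted(name for name, (t, sub) in expected.items()
                     if not any(ty == t and (sub is None or st == sub) for ty, st in seen))
    return {"missing": missing, "skipped": skipped, "non_user_facility": non_user,
            "session_end": seen[("TRAFFIC", "end")]}  # >0 confirms Log at Session End
```

Run it over a few minutes of captured syslog rather than the constructed sample; a type listed under "missing" either has no match list or log setting yet, or simply has not been generated (for example, no GlobalProtect logins during the capture window).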
