Syslog Configuration for Palo Alto Networks

Configuration Guide

Overview

This document describes how to configure Syslog for Arctic Wolf® monitoring on a Palo Alto device.

Adding the syslog server profile

To add the new syslog server profile:

  1. Sign in to the Admin interface on the Palo Alto device.

  2. Select the Device tab.

  3. In the navigation pane, select Server Profiles > Syslog.

  4. Click Add to open the New Server Profile dialog box.

  5. In the dialog box, enter the name of the Syslog server in the Name field.

    Tip: We recommend a name that aligns to the Arctic Wolf Sensor name, such as awn-mycompany1.

  6. Enter the management IP address that is assigned to the Sensor.

  7. Select UDP and port 514.

  8. Use the default format, BSD, and facility, LOG_USER.

Adding the log forwarding profile

To add the new log forwarding profile:

  1. In the Admin interface of the Palo Alto device, select the Objects tab.

  2. In the navigation pane, select Log Forwarding.

  3. Click Add to open the Log Forwarding Profile dialog box.

  4. Under Name, enter a profile name, up to 31 characters. This name appears in the list of log forwarding profiles when defining security policies.

    Note: Make the name case-sensitive and unique. Use only letters, numbers, spaces, hyphens, and underscores.

    Tip: We recommend naming the profile awn-lfp.

  5. Under Profile Match List, add profiles to forward log types:

    1. Select Add, and then enter a name in the Name field.

    2. Select a Log Type from the list, such as data, and then select the All Logs filter.

    3. Under Syslog, select the syslog server profile that you created in Adding the syslog server profile.

    4. Click OK to confirm your configuration.

This creates your log forwarding profile.

Configuring the logging policy

To configure the logging policy:

  1. In the Admin interface of the Palo Alto device, select the Policies tab.

  2. In the navigation pane, select Security.

  3. Select the policy to which you want log forwarding applied. This opens a dialog box.

  4. In the dialog box, select the Actions tab and then select the previously-defined log forwarding profile from the Log Forwarding list.

  5. Click OK to save the security policy rule. The forwarding icon appears in the Options column of your security policy rule.

    Note: Remember to commit your changes.

    Tip: Arctic Wolf recommends that you perform a backup of your configuration. Select Device > Setup > Operations, and then select Save Named Configuration Snapshot to save it somewhere safe.
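Once the changes are committed, a quick way to confirm that the device is emitting what the steps above configured (UDP transport, port 514, BSD framing, LOG_USER facility) is to parse a few received messages on the receiving side. The following is an added example, not Arctic Wolf or Palo Alto Networks code. It assumes the profile built in Adding the syslog server profile, that the receiver has privileges to bind UDP/514, and that PAN-OS places the log type in the fourth CSV field of the message body; the sample messages, host name and serial number are constructed placeholders.

```python
"""Receiver-side check for PAN-OS syslog forwarding (added example).

Assumes the profile described above: UDP, port 514, BSD (RFC 3164)
format, facility LOG_USER. Sample messages below are constructed.
"""
import csv
import re
import socket

LOG_USER = 1           # syslog facility number for LOG_USER
PANOS_TYPE_INDEX = 3   # PAN-OS CSV: fourth field is the log type (TRAFFIC, THREAT, SYSTEM, ...)

# BSD syslog header: "<PRI>Mon dd hh:mm:ss hostname body"
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<body>.*)$"
)


def parse_bsd(line: str) -> dict:
    """Split a BSD syslog line into facility, severity, host and body; raise if malformed."""
    m = _BSD_RE.match(line)
    if not m:
        raise ValueError(f"not BSD syslog: {line[:40]!r}")
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,   # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "body": m.group("body"),
    }


def panos_log_type(body: str) -> str:
    """Return the PAN-OS log type from the CSV body (csv module handles quoted commas)."""
    fields = next(csv.reader([body]))
    if len(fields) <= PANOS_TYPE_INDEX:
        raise ValueError("too few CSV fields for a PAN-OS log")
    return fields[PANOS_TYPE_INDEX]


def check_message(line: str, expected_facility: int = LOG_USER) -> dict:
    """Summarize one message: ok flag, list of problems, and log type if recoverable."""
    result = {"ok": True, "problems": [], "type": None}
    try:
        hdr = parse_bsd(line)
    except ValueError as e:
        return {"ok": False, "problems": [str(e)], "type": None}
    if hdr["facility"] != expected_facility:
        result["ok"] = False
        result["problems"].append(f"facility {hdr['facility']} != {expected_facility}")
    try:
        result["type"] = panos_log_type(hdr["body"])
    except ValueError as e:
        result["ok"] = False
        result["problems"].append(str(e))
    return result


def listen(bind_addr: str = "0.0.0.0", port: int = 514, max_messages: int = 5) -> list:
    """Receive a few datagrams on the configured port and summarize each one."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    seen = []
    try:
        while len(seen) < max_messages:
            data, (src, _) = sock.recvfrom(65535)
            summary = check_message(data.decode("utf-8", errors="replace"))
            summary["source"] = src
            seen.append(summary)
            print(summary)
    finally:
        sock.close()
    return seen


# Constructed samples: <14> = LOG_USER/info, <30> = daemon/info, third line is IETF format.
SAMPLE_OK = ("<14>Jan  1 12:00:00 PA-FW01 "
             "1,2023/01/01 12:00:00,PLACEHOLDER_SERIAL,TRAFFIC,end,2561,2023/01/01 12:00:00,"
             "10.0.0.5,198.51.100.7,0.0.0.0,0.0.0.0,allow-out,,,web-browsing,vsys1,trust,untrust")
SAMPLE_WRONG_FACILITY = ("<30>Jan  1 12:00:01 PA-FW01 "
                         "1,2023/01/01 12:00:01,PLACEHOLDER_SERIAL,SYSTEM,general,0,2023/01/01 12:00:01")
SAMPLE_IETF = "<14>1 2023-01-01T12:00:02Z PA-FW01 - - - - 1,2023/01/01 12:00:02,PLACEHOLDER_SERIAL,CONFIG"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_WRONG_FACILITY, SAMPLE_IETF):
        print(check_message(sample))
    # Uncomment to watch live traffic from the device (requires permission to bind port 514):
    # listen()
```

Run it on the sensor-side host (or any host you temporarily point the profile at) and compare the printed summaries: a message whose facility is not 1, or that fails the BSD header match, means the profile's format or facility setting was changed from the defaults in step 8.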

Configuring zone protection logging

If you have an existing log forwarding profile, we recommend allowing Arctic Wolf IP addresses in that profile to prevent interference with existing configurations. To configure zone protection logging:

  1. In the Admin interface of the Palo Alto device, select the Network tab.

  2. In the navigation pane, select Zones.

  3. Click Add to open the Zone Protection Profile.

  4. In the dialog box, enter a name for the profile.

  5. In the Reconnaissance Protection tab, select Enable for TCP Port Scan, Host Sweep, and UDP Port Scan.

  6. Click Add in the Source Address Exclusion section, and add a new Source Address Exclusion for Arctic Wolf IP addresses.

    Tip: See the Managed Risk External Vulnerability Assessment Scanning section of Arctic Wolf IP Addresses for a complete list of IP addresses that you need to allowlist.

  7. Click OK to save your changes.

WildFire specific configurations

The following sections contain configuration steps for WildFire logging.

Enabling benign and grayware sample logging — WildFire only

To enable benign and grayware sample logging for WildFire events:

  1. In the Admin interface of the Palo Alto device, select the Device tab.

  2. In the navigation pane, select Setup > WildFire > Edit General Settings.

  3. In the dialog box, select Report Benign Files and/or select Report Grayware Files.

  4. Click OK to save.

Including email header information in WildFire logs and reports — WildFire only

To include email header information in WildFire logs and reports:

  1. In the Admin interface of the Palo Alto device, select the Device tab.

  2. In the navigation pane, select Setup > WildFire > Edit Session Information Settings.

  3. Enable one or more of these options:

    • Email sender
    • Email recipient
    • Email subject

  4. Click OK to save.