Palo Alto Networks® Logs

Palo Alto Networks® logs Direct link to this section

You can configure a Palo Alto Networks® device to send the necessary logs to Arctic Wolf for monitoring security information using one of these methods:

• Configure a Palo Alto Networks® firewall to send logs to Arctic Wolf
• Configure a Palo Alto Networks® Panorama™ platform to send logs to Arctic Wolf

  Note: Only use this method if you are currently sending all logs to a Panorama™ server because it could overwhelm the Panorama™ server with logs.

Configure a Palo Alto Networks® firewall to send logs to Arctic Wolf Direct link to this section

1. Create a syslog server profile.
2. Configure syslog forwarding for System, config, and HIP Match.
3. Create a log forwarding profile for Arctic Wolf.
4. Add your log forwarding profile to your outgoing north-south security policies.
5. If you have WildFire®, configure the following:
   • Enable benign and grayware sample logging for WildFire®
   • Include email header information in WildFire® logs and reports
6. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:
   • Confirmation that you have completed the steps in this configuration guide.
   • The IP address you used during the configuration.
   • Any other questions or comments that you have.

Step 1: Create a syslog server profile Direct link to this section

1. Sign in to the Palo Alto Networks® console as an administrator.

2. Click the Device tab.

3. In the navigation pane, click Server Profiles > Syslog.

4. Click + Add.

5. In the New Server Profile dialog box, in the Name field, enter a unique name for the syslog server.

   Tip: Arctic Wolf recommends a name that aligns with the Arctic Wolf Sensor name, such as awn-mycompany1.

6. Click the Servers tab.

7. Click + Add.

8. In the new table row, do the following:

   • Name — Enter a descriptive name for your physical or virtual sensor.
   • Syslog Server — Enter the IP address of your Arctic Wolf physical or virtual sensor.
   • Transport — Select UDP from the list.
   • Port — Enter 514.
   • Format — Use the default format of BSD.
   • Facility — Use the default format of LOG_USER.

9. Click OK.

Step 2: Configure syslog forwarding for System, Config, HIP Match, and Global Protect Direct link to this section

1. Sign in to the Palo Alto Networks® console as an administrator.
2. Click the Device tab.
3. In the navigation pane, select Log Settings.
4. In the System section, do the following:

   1. Click + Add.

   2. In the Log Settings Configuration dialog box, do the following:

      • Name — Enter a name for your log settings. For example, System-FWD.
      • Filter — Select All Logs from the list.
      • Forward Method — For the Syslog method, click + Add, and then select your Arctic Wolf syslog profile.

   3. Click OK.

5. Repeat the previous step for the Configuration, HIP Match, and Global Protect sections.

   Note: Global Protect is only available if you have GlobalProtect.

Step 3: Create a log forwarding profile for Arctic Wolf Direct link to this section

1. Sign in to the Palo Alto Networks® console as an administrator.

2. Click the Objects tab.

3. In the navigation pane, click Log Forwarding.

4. Click + Add.

5. In the Log Forwarding Profile dialog box, in the Name field, enter a unique name for the profile.

   This name appears in the list of log forwarding profiles when defining security policies.

   Note: The name is case-sensitive. Use only letters, numbers, spaces, hyphens, and underscores. Length is limited to 31 characters.

   Tip: Arctic Wolf recommends the profile name awn-lfp.

6. Create a log forwarding profile match lists for each of these log types: data, traffic, threat, URL, auth, and wildfire:

   Note: wildfire logs are only required if you have WildFire®.

   1. Click + Add.

   2. In the Log Forwarding Profile Match List dialog box, do the following:

      • Name — Enter a descriptive name for your match condition.
      • Description — Enter a description for your match condition.
      • Log Type — Select the required log type from the list. For example, data.
      • Filter — Select All Logs.
      • Forward Method — For the Syslog method, click + Add, and then select the syslog server profile that you created in Step 1.

   3. Click OK.

   4. Repeat these steps until all log types are added.

      Note: wildfire logs are only required if you have WildFire®.

7. Click OK.

Step 4: Add your log forwarding profile to your outgoing north-south security policies Direct link to this section

1. Sign in to the Palo Alto Networks® console as an administrator.

2. Click the Policies tab.

3. In the navigation pane, select Security.

4. Select the policy that you want log forwarding applied for.

   The Security Policy Rule dialog box appears. For Arctic Wolf to receive logs, your security policy must have the Log at Session End option enabled and basic security profiles attached. See Create a Security Policy Rule for additional information.

5. Click the Actions tab.

6. In the Log Forwarding list, select the required log forwarding profile.

7. Click OK.

   The forwarding icon appears in the Options column of your security policy rule.

8. Click Commit to save your policy rules to the running configuration of the firewall.

   Tip: Arctic Wolf recommends that you save a backup of your configuration. Click Device > Setup > Operations, and then click Save Named Configuration Snapshot to save it somewhere safe.

Enable benign and grayware sample logging for WildFire® Direct link to this section

1. Sign in to the Palo Alto Networks® console as an administrator.
2. Click the Device tab.
3. In the navigation pane, select Setup.
4. Click the WildFire tab.
5. In the General Settings section, click Edit.
6. Select the Report Benign Files and Report Grayware Files checkboxes.
7. Click OK.

Include email header information in WildFire® logs and reports Direct link to this section

When you include email header information in your logs and reports it can help you locate and remediate threats that are detected in emails.

1. Sign in to the Palo Alto Networks® console as an administrator.

2. Click the Device tab.

3. In the navigation pane, click Setup.

4. Click the WildFire tab.

5. In the Session Information Settings section, click Edit.

6. Select the checkbox for the following options:

   • Email sender
   • Email recipient
   • Email subject

7. Click OK.

Configure a Palo Alto Networks® Panorama™ platform to send logs to Arctic Wolf Direct link to this section

Note: Only use the procedure if you are already using Panorama™ as a central log collector. Depending on log settings, this configuration may cause limitations for alerting. Please discuss this configuration with your CST or Deployment representative for alternatives.

1. Create a syslog server profile.
2. Configure a managed Collector Group to forward firewall logs.
3. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:
   • Confirmation that you have completed the steps in this configuration guide.
   • The IP address you used during the configuration.
   • Any other questions or comments that you have.

Step 1: Create a syslog server profile Direct link to this section

1. Sign in to the Palo Alto Networks® Panorama™ platform as an administrator.

2. Click the PANORAMA tab.

3. In the navigation pane, click Server Profiles > Syslog.

4. Click + Add.

5. In the New Server Profile dialog box, in the Name field, enter a unique name for the syslog server.

   Tip: Arctic Wolf recommends a name that aligns with the Arctic Wolf Sensor name, such as awn-mycompany1.

6. Click the Servers tab.

7. Click + Add.

8. In the new table row, do the following:

   • Name — Enter a descriptive name for your physical or virtual sensor.
   • Syslog Server — Enter the IP address of your Arctic Wolf physical or virtual sensor.
   • Transport — Select UDP from the list.
   • Port — Enter 514.
   • Format — Use the default format of BSD.
   • Facility — Use the default format of LOG_USER.

9. Click OK.

Step 2: Configure a managed Collector Group to forward firewall logs Direct link to this section

1. Sign in to the Palo Alto Networks® Panorama™ platform as an administrator.

2. Click the PANORAMA tab.

3. In the navigation pane, click Collector Groups.

4. Open your existing Collector Group that is receiving firewall logs.

5. Click the Collector Log Forwarding tab.

6. Create log settings for the following log types: System, Configuration, HIP-Match, Correlation Logs, Traffic, Data, Threat, Auth, URL, and Global Protect:

   1. Click + Add.

   2. In the Log Settings dialog box, do the following:

      • Name — Enter a descriptive name for your log setting profile.
      • Filter — Select All Logs.
      • Description — Enter a description for your log settings.
      • Forward Method — For the Syslog method, click + Add, and then select the syslog server profile that you created in Step 1.

   3. Click OK.

   4. Repeat these steps until all log settings are added.

      Note: Global Protect log settings are only required if you have GlobalProtect.

7. Click OK.

See also Direct link to this section

• Palo Alto Networks® — Configure Log Forwarding from Panorama™ to External Destinations
• Palo Alto Networks® — Enable Logging for Benign and Grayware Samples
• Palo Alto Networks® — Include Email Header Information in WildFire® Logs and Reports