Palo Alto

Firewalls are architected to safely enable applications and prevent modern threats. It identifies all network traffic based on applications, users, content and devices. The firewall(s) and another security device initiate and terminate VPN connections across the two networks. To set up the VPN tunnel and send traffic between the IKE Gateways, each peer must have an IP address—static or dynamic—or FQDN. The VPN peers use preshared keys or certificates to mutually authenticate each other.

Before You Begin

You must configure log forwarding for Palo Alto in order to collect the logs. You can read directions on how to do so at: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/configure-log-forwarding

How to Configure This Event Source in InsightIDR

1. From your dashboard, select Data Collection on the left hand menu.
2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
3. From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
4. Choose your collector and event source. You can also name your event source if you want.
5. Choose the timezone that matches the location of your event source logs.
6. Optionally choose to send unparsed logs.
7. Select an attribution source.
8. Configure your default domain and any Advanced Event Source Settings.
9. Select a collection method and specify a port and a protocol.
   • Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
10. Click Save.

Attribution source options

Palo Alto product logs can contain information about hosts and accounts. When setting up Palo Alto as an event source, you will have the ability to specify the following attribution options:

1. Use IDR engine if possible; if not, use event log

By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.

2. Use event log if possible; if not, use IDR engine

By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.

3. Use IDR engine only

By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.

4. Use event log only

By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.

Forward Palo Alto Traffic Logs to Syslog Server

You can learn about how to configure log forwarding in Palo Alto here:
https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Forward-traffic-logs-to-a-syslog-server/ta-p/71966.

Troubleshooting

If you are receiving firewall logs but not VPN logs, confirm that system logs are turned on and configured to forward to syslog. For more information, see https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/system-logs.html.

To configure log forwarding to syslog follow these steps:

1. Under the Device tab, navigate to Server Profiles > Syslog

2. Click Add to configure the log destination on the Palo Alto Network. You will need to enter the:
   • Name for the syslog server
   • Syslog server IP address
   • Port number (change the destination port to the port on which logs will be forwarded; it is UDP 514 by default)
   • Format (keep the default log format, BSD)
   • Facility
3. Click OK and your server profile will be created.

For more information, visit: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRxCAK