Adding Palo Alto Firewall/UTM via Syslog
You can be one step ahead in performance and time by forwarding logs generated in Palo Alto Firewall or Integrated Security Device (UTM) products to Logsign Unified SecOps Platform. Logsign Unified SecOps Platform is fully-integrated to Palo Alto Firewall or Integrated Security Devices.
The product makes the data understandable after configuring their architecture with the high-resolution graphical tables, thanks to its user-friendly WEB interface to system administrators without log loss.
Let's see how you can direct Palo Alto's logs to Logsign Unified SecOps Platform .
Please note that: Configurations are done on Palo Alto VM-100 PA-VM-ESX-6.1.0
First, write the Palo Alto product's IP address in the WEB browser. Then you will be redirected to the Dashboard page by default after entering your user information. We click on the Device tab to the right of the Dashboard tab. We click on the Syslog tab under the Server Profiles heading in the menu bar on the left side of the page. Afterward, add the Syslog server to which we will direct the logs by clicking the Add button below the page on the right.
In the pop-up window titled Syslog Server Profile, you will come up with the fields you need to fill up:
The name will be created at the top of the Syslog Server Profile (no need to specify a specific name). Then located under the Servers tab:
Name: The name of the Syslog Server to which the logs are directed can be given.
Syslog Server: IP address of the Logsign Unified SecOps Platform product to which logs will be forwarded.
Transport: This section describes how the logs will be forwarded. Because UDP is the method used by the Logsign Unified SecOps Platform, choose the UDP option by default.
Port: Port information to which logs will be forwarded. By default, we choose 514.
Format: In this section, you will determine in which format the logs will be forwarded. The BSD format is an option that works with UDP and is also preferred by the Logsign Unified SecOps Platform. Logsign Unified SecOps Platform has chosen this method by observing that logs are more meaningful and regular with the BSD format. IETF format sends logs via TCP or SSL method. Since Logsign Unified SecOps Platform works with the generally known BSD format, we will leave this setting as BSD.
Facility: You'll choose the variety of logs that you want from the Palo Alto product. In terms of definition, it can also be described as Syslog Message Code. Leave the LOG_USER option, selected by default, as it is a generic definition.
After doing the settings, click OK to sort the Settings to save. Your next step will be to select the Syslog Server Profile that we created for forwarding the logs.
Click the Objects tab to the left of the Device tab.
Then, in the menu bar on the left of the page, click Log Forwarding under the Security Profile Groups heading.
In the same way, you'll perform log forwarding operations by clicking Add button below the page. On the opening page titled Log Forwarding Profile, create a profile name to the Name section (For ex. SyslogFrwrd).
Then select the log types from your Palo Alto product that you want to direct. Select the Syslog Profile you created by clicking on the None button in the Syslog column opposite the Any line under the Traffic Settings heading. The exact process is done for Critical, High, Informational, Low, and Medium under the Threat Settings heading. Also, if you are using WildFire on your Palo Alto product, you can do the same for the Benign and Malicious lines. After making the settings, use the OK button to queue for saving the configurations.
After this process, click the Policies tab in the Dashboard, ACC, Monitor, Policies, Objects, Network, and Device tabs above the page. You'll redirect the Security Rules you have created to your organization's needs to the Syslog Profile. Click on the previously created Security Rule located under the Name column, and a window will appear titled Security Policy Rule.
Click on the Actions tab. After marking the Log at Session Start and Log at Session End boxes under the Log Setting heading, select the Syslog Profile you created as Log Forwarding.
Click on the OK button to set the settings to be saved.
Click on the Commit button in the upper right corner of the interface to save and apply the done processes.
A small window will pop up a page to see that you have saved your settings after clicking on the OK button.
If you see Configuration committed successfully in the Details section, you can understand that the actions that you've made are saved and applied. Close the windows with the OK button.
Once you've finished configuring Palo Alto, see how to add a source to the Logsign Unified SecOps Platform.
Open Logsign Unified SecOps Platform web interface. Then click on the Settings- Data Collection tab. Click on the "+ Device" button. Because it is a network-based device, you'll receive logs by the Syslog method. Syslog is selected.
In the Vendor section, you will determine the brand information of the device/product that you are adding. Select the Palo Alto. You'll make configurations with the source that you'll add to the opening page.
Host: IP address information of the Palo Alto product that you want to retrieve the logs.
Encoding: utf_8, which is accepted as the general standard in Information Technologies, is set as default. Agree in the same way.
Offset: To explain it in terms of definition, let's say "time difference." If the "system" time you want to log in is forward or backward from the real-time difference, you can edit it accordingly. The symbol "+" moves forward, and "-" moves backward. Time information is set in minutes.
Data Policy: You can filter in or out of incoming data. In the Data Policy section, you can specify the kind of logs (word, event movement type, etc.) that you want to receive or not from the source. Our default setting here is the Default Policy, which has the default rule is "collect all logs."
Max Line Length to Process: Each log is generated as a single line. So, the Logsign Unified SecOps Platform takes these logs and analyzes them. In some cases, the number of characters in a single line of a single log file can be more significant than two thousand forty-eight (2048). In such cases, you can change this part.
Check Health: If you tick the box, that will inform you about the service and operability of the Logsign Unified SecOps Platform. The Health Check Period tab will come up when the box is ticked. This part is the time interval information to be checked.
Device Name: You must enter a descriptive name according to the configuration you are making (For ex., PaloFW). It can provide convenience for people who analyze logs. You can think of the Description field as a resource-specific area.
Tag: Slightly different from the Description section, it can be used for a broader purpose. For example, you can query by tag; and make tag-based definitions while creating a report if you use multiple FWs and define each tag as palo1 or palo2. If you want to query an event, you will get a shorter result when searching according to palo1 name.
To save the configurations and add source, terminate the operations with the Save button.