Palo Alto Networks PA Series

Use the JSA DSM for Palo Alto PA Series to collect events from Palo Alto PA Series devices.

To send events from Palo Alto PA Series to JSA, complete the following steps:

  1. If automatic updates are not enabled, download the most recent version of the Palo Alto PA Series DSM RPM from https://www.juniper.net/support/.

  2. Configure your Palo Alto PA Series device to communicate with JSA. You must create a syslog destination and forwarding policy on the Palo Alto PA Series device.

  3. If JSA does not automatically detect Palo Alto PA Series as a log source, create a Palo Alto PA Series log source on the JSA Console. Use the following Palo Alto values to configure the log source parameters:

    Parameter                 Description
    Log Source Identifier     The IP address or host name of the Palo Alto PA Series device.
    Log Source Type           Palo Alto PA Series
    Protocol Configuration    Syslog

Palo Alto PA DSM Specifications

The following table identifies the specifications for the Palo Alto PA Series DSM:

Table 1: DSM Specifications for Palo Alto PA Series

Specification                  Value
Manufacturer                   Palo Alto Networks
DSM name                       Palo Alto PA Series
RPM file name                  DSM-PaloAltoPaSeries-JSA_version-build_number.noarch.rpm
Supported versions             PAN-OS v3.0 to v8.0
Event format                   LEEF for PAN-OS v3.0 to v8.0; CEF for PAN-OS v4.0 to v6.1
JSA recorded log types         Traffic, Threat, Config, System, HIP Match, Data, WildFire, Authentication, Tunnel Inspection, Correlation, URL Filtering
Automatically discovered?      Yes
Includes identity?             Yes
Includes custom properties?    No
More information               Palo Alto Networks website (http://www.paloaltonetworks.com)

Creating a Syslog Destination on Your Palo Alto PA Series Device

To send Palo Alto PA Series events to JSA, create a syslog destination on the Palo Alto PA Series device.

  1. Log in to the Palo Alto Networks interface.
  2. Click the Device tab.
  3. Click Server Profiles > Syslog.
  4. Click Add.
  5. Create a syslog destination:
    1. In the Syslog Server Profile dialog box, click Add.

    2. Specify the name, server IP address, port, and facility of the JSA system that you want to use as a syslog server.

    3. Click OK.

  6. Configure LEEF events:

    Note

    Palo Alto can send only one format to all syslog destinations. If you modify the syslog format, any other device that receives syslog from the firewall must support that same format.

    Tip

    If you are using Syslog, set the Custom Format column to Default for all Log Types. If you are using LEEF, use the following substeps:

    Note

    The line breaks in these examples will cause this configuration to fail. For each of the substeps, copy the code blocks into a text editor, remove the line breaks, and paste as a single line in the Custom Format column.

    1. Click the Custom Log Format tab in the Syslog Server Profile dialogue.

      Note

      Due to PDF formatting, do not copy and paste the message formats directly into the PAN-OS web interface. Instead, paste into a text editor, remove any carriage return or line feed characters, and then copy and paste into the web interface.

    2. Click Config, copy the following text and paste it in the Config Log Format column for the Config log type.

      • PAN-OS v3.0 - v6.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$result|cat=$type|usrName=$admin|src=$host|devTime=$cef-formatted-receive_time|client=$client|sequence=$seqno|serial=$serial|msg=$cmd

      • PAN-OS v7.1 - v8.0--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$result|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|src=$host|VirtualSystem=$vsys|msg=$cmd|usrName=$admin|client=$client|Result=$result|ConfigurationPath=$path|sequence=$seqno|ActionFlags=$actionflags|BeforeChangeDetail=$before-change-detail|AfterChangeDetail=$after-change-detail|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

    3. Click System, copy the following text and paste it in the System Log Format column for the System log type.

      • PAN-OS v3.0 - v6.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$eventid|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|sev=$severity|Severity=$number-of-severity|msg=$opaque|Filename=$object

      • PAN-OS v7.1 - v8.0--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$eventid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|VirtualSystem=$vsys|Filename=$object|Module=$module|sev=$number-of-severity|Severity=$severity|msg=$opaque|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

    4. Click Threat, copy the following text and paste it in the Threat Log Format column for the Threat log type.

      • PAN-OS v3.0 - v6.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$threatid|cat=$type|Subtype=$subtype|src=$src|dst=$dst|srcPort=$sport|dstPort=$dport|proto=$proto|usrName=$srcuser|SerialNumber=$serial|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|URLCategory=$category|sev=$severity|Severity=$number-of-severity|Direction=$direction|ContentType=$contenttype|action=$action|Miscellaneous=$misc

      • PAN-OS v7.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|UserAgent=$user_agent|FileType=$filetype|identSrc=$xff|Referer=$referer|Sender=$sender|Subject=$subject|Recipient=$recipient|ReportID=$reportid|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

      • PAN-OS v8.0--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|Subject=$subject|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid|TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category|ContentVer=$contentver

    5. Click Traffic, copy the following text and paste it in the Traffic Log Format column for the Traffic log type.

      • PAN-OS v3.0 - v6.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$action|cat=$type|src=$src|dst=$dst|srcPort=$sport|dstPort=$dport|proto=$proto|usrName=$srcuser|SerialNumber=$serial|Type=$type|Subtype=$subtype|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|totalBytes=$bytes|totalPackets=$packets|ElapsedTime=$elapsed|URLCategory=$category|dstBytes=$bytes_received|srcBytes=$bytes_sent|action=$action

      • PAN-OS v7.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|cat=$type|ReceiveTime=$receive_time|SerialNumber=$serial|Type=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|totalPackets=$packets|StartTime=$start|ElapsedTime=$elapsed|URLCategory=$category|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|dstPackets=$pkts_received|srcPackets=$pkts_sent|SessionEndReason=$session_end_reason|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ActionSource=$action_source

      • PAN-OS v8.0--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|cat=$type|ReceiveTime=$receive_time|SerialNumber=$serial|Type=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|totalPackets=$packets|StartTime=$start|ElapsedTime=$elapsed|URLCategory=$category|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|dstPackets=$pkts_received|srcPackets=$pkts_sent|SessionEndReason=$session_end_reason|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ActionSource=$action_source|SrcUUID=$src_uuid|DstUUID=$dst_uuid|TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel

    6. Click HIP Match, copy the following text and paste it in the Custom Format column for the HIP Match log type. Omit this step if you are using PAN-OS v3.0 - v6.1.

      • PAN-OS v7.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$matchname|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|usrName=$srcuser|VirtualSystem=$vsys|identHostName=$machinename|OS=$os|identSrc=$src|HIP=$matchname|RepeatCount=$repeatcnt|HIPType=$matchtype|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

      • PAN-OS v8.0--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$matchname|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|usrName=$srcuser|VirtualSystem=$vsys|identHostName=$machinename|OS=$os|identsrc=$src|HIP=$matchname|RepeatCount=$repeatcnt|HIPType=$matchtype|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|VirtualSystemID=$vsys_id|srcipv6=$srcipv6|startTime=$cef-formatted-time_generated

    7. Copy the following text and paste it in the Custom Format column for the URL Filtering log type.

      • PAN-OS v8.0--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|UserAgent=$user_agent|identSrc=$xff|Referer=$referer|Subject=$subject|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid|TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category|ContentVer=$contentver

    8. Copy the following text and paste it in the Custom Format column for the Data log type.

      • PAN-OS v8.0--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|Subject=$subject|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid|TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category|ContentVer=$contentver

    9. Copy the following text and paste it in the Custom Format column for the WildFire log type.

      • PAN-OS v8.0--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|FileType=$filetype|Sender=$sender|Subject=$subject|Recipient=$recipient|ReportID=$reportid|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid|TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category|ContentVer=$contentver

    10. Copy the following text and paste it in the Custom Format column for the Authentication log type.

      • PAN-OS v8.0--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$event|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|ServerProfile=$serverprofile|LogForwardingProfile=$logset|VirtualSystem=$vsys|AuthPolicy=$authpolicy|ClientType=$clienttype|NormalizeUser=$normalize_user|ObjectName=$object|FactorNumber=$factorno|AuthenticationID=$authid|src=$ip|RepeatCount=$repeatcnt|usrName=$user|Vendor=$vendor|msg=$event|sequence=$seqno|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|AdditionalAuthInfo=$desc|ActionFlags=$actionflags

    11. Copy the following text and paste it in the Custom Format column for the User-ID log type.

      • PAN-OS v8.0--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$subtype|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|FactorType=$factortype|VirtualSystem=$vsys|DataSourceName=$datasourcename|DataSource=$datasource|DataSourceType=$datasourcetype|FactorNumber=$factorno|VirtualSystemID=$vsys_id|TimeoutThreshold=$timeout|src=$ip|srcPort=$beginport|dstPort=$endport|RepeatCount=$repeatcnt|usrName=$user|sequence=$seqno|EventID=$eventid|FactorCompletionTime=$factorcompletiontime|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ActionFlags=$actionflags

    12. Copy the following text and paste it in the Custom Format column for the Tunnel Inspection log type.

      • PAN-OS v8.0--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel|totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|totalPackets=$packets|dstPackets=$pkts_received|srcPackets=$pkts_sent|MaximumEncapsulation=$max_encap|UnknownProtocol=$unknown_proto|StrictChecking=$strict_check|TunnelFragment=$tunnel_fragment|SessionsCreated=$sessions_created|SessionsClosed=$sessions_closed|SessionEndReason=$session_end_reason|ActionSource=$action_source|startTime=$start|ElapsedTime=$elapsed

    13. Copy the following text and paste it in the Custom Format column for the Correlation log type.

      • PAN-OS v8.0--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|8.0|$category|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|startTime=$cef-formatted-time_generated|Severity=$severity|VirtualSystem=$vsys|VirtualSystemID=$vsys_id|src=$src|SourceUser=$srcuser|msg=$evidence|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ObjectName=$object_name|ObjectID=$object_id

  7. Click OK.
  8. Specify the severity of events that are contained in the syslog messages.
    1. Click Log Setting > System and then click Edit.

    2. Select the check box for each event severity level that you want contained in the syslog message.

    3. Type the name of the syslog destination.

    4. Click OK.

  9. Click the Device tab and then click Commit.

To allow communication between your Palo Alto Networks device and JSA, create a forwarding policy. See Creating a forwarding policy on your Palo Alto PA Series device.

Creating a Forwarding Policy on Your Palo Alto PA Series Device

If your JSA Console or Event Collector is in a different security zone than your Palo Alto PA Series device, create a forwarding policy rule.

  1. Log in to Palo Alto Networks.
  2. On the dashboard, click the Policies tab.
  3. Click Policies > Policy Based Forwarding.
  4. Click Add.
  5. Configure the parameters. For descriptions of the policy-based forwarding values, see your Palo Alto Networks Administrator’s Guide.

Creating ArcSight CEF Formatted Syslog Events on Your Palo Alto PA Series Networks Firewall Device

You can configure your Palo Alto Networks firewall to send ArcSight CEF formatted Syslog events to JSA.

  1. Log in to the Palo Alto Networks interface.
  2. Click the Device tab.
  3. Select Server Profiles > Syslog, and then click Add.
  4. Specify the Name and Location. Location refers to a virtual system if the device is enabled for virtual systems.
  5. On the Servers tab, click Add.
  6. Specify the name, server IP address, port, and facility of the JSA system that you want to use as a syslog server:
    1. Name is the syslog server name.

    2. Syslog Server is the IP address of the syslog server.

    3. The Transport/Port default is 514.

    4. The Facility default is LOG_USER.

  7. To define a custom format based on the ArcSight CEF for any of the listed log types, complete the following steps:
    1. Click the Custom Log Format tab and select the log type. The listed log types are Config, System, Threat, Traffic, and HIP Match.

    2. Click OK twice to save your entries, then click Commit.

  8. To define your own CEF-style formats by using the event mapping table in the ArcSight document Implementing ArcSight CEF, use the following information:

    The Custom Log Format tab supports escaping any characters that the CEF defines as special characters. For example, to use a backslash to escape the backslash and equal characters, enable the Escaping check box, specify \= as the Escaped Characters and \ as the Escape Character.

    The following list displays the CEF-style format that was used during the certification process for each log type. These custom formats include all of the fields, in a similar order, that the default syslog format displays.

    Note

    Due to PDF formatting, do not copy and paste the message formats directly into the PAN-OS web interface. Instead, paste into a text editor, remove any carriage return or line feed characters, and then copy and paste into the web interface.

    • Traffic--

      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category externalId=$seqno

    • Threat--

      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction externalId=$seqno requestContext=$contenttype cat=$threatid filePath=$cloud fileId=$pcap_id fileHash=$filedigest

    • Config--

      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno

    • System--

      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial cs3Label=Virtual System cs3=$vsys fname=$object flexString2Label=Module flexString2=$module msg=$opaque externalId=$seqno cat=$eventid

    • HIP Match--

      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$matchtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial suser=$srcuser cs3Label=Virtual System cs3=$vsys shost=$machinename src=$src cnt=$repeatcnt externalId=$seqno cat=$matchname cs2Label=Operating System cs2=$os

For more information about Syslog configuration, see the PAN-OS Administrator's Guide on the Palo Alto Networks website (https://www.paloaltonetworks.com).

Sample Event Message

Use this sample event message as a way of verifying a successful integration with JSA.

The following table provides a sample event message when using the Syslog protocol for the Palo Alto PA Series DSM:

Table 2: Palo Alto Endpoint Security Manager Sample Message

Event name: Session Denied

Low level category: Firewall Deny

Sample log message:

  <182>Sep 28 14:31:56 paloalto.paseries.test LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|7.1.4-h2|deny|cat=TRAFFIC|ReceiveTime=2016/09/28 14:31:56|SerialNumber=0008C101475|Type=TRAFFIC|subtype=drop|devTime=Sep 28 2016 19:31:56 GMT|src=192.0.2.1|dst=192.0.2.20|srcPostNAT=0.0.0.0|dstPostNAT=0.0.0.0|RuleName=G_Deny CTFS-DB to MFWT|usrName=|SourceUser=|DestinationUser=|Application=not-applicable|VirtualSystem=vsys73|SourceZone=AAAA|DestinationZone=BBBB|IngressInterface=ae2.3344|EgressInterface=|LogForwardingProfile=ACXM_STND_Log_Forwarding|SessionID=0|RepeatCount=1|srcPort=1550|dstPort=11404|srcPostNATPort=0|dstPostNATPort=0|Flags=0x0|proto=tcp|action=deny|totalBytes=64|dstBytes=0|srcBytes=64|totalPackets=1|StartTime=2016/09/28 15:11:12|ElapsedTime=0|URLCategory=any|sequence=4324246071|ActionFlags=0x8000000000000000|SourceLocation=192.0.2.0-192.0.2.255|DestinationLocation=Canada|dstPackets=0|srcPackets=1|SessionEndReason=policy-deny|DeviceGroupHierarchyL1=1679|DeviceGroupHierarchyL2=0|DeviceGroupHierarchyL3=0|DeviceGroupHierarchyL4=0|vSrcName=|DeviceName=|ActionSource=
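The LEEF Custom Log Format strings and the sample message above share one structure: a five-field pipe-delimited header followed by key=value attributes. The following Python is an added example, not part of the Juniper JSA or Palo Alto Networks documentation: it lints a format string for the copy-paste damage the notes warn about (wrapped whitespace, a lost pipe between two attributes) and parses a received event into header and attributes so the values can be compared with what JSA shows for the log source. The two templates and the event in it are constructed, shortened from this document's examples.

```python
"""Lint PAN-OS LEEF Custom Log Format strings and parse the events they produce.
Added example (not Juniper or Palo Alto code); sample strings are constructed."""
import re

HEADER_FIELDS = ("version", "vendor", "product", "product_version", "event_id")
KEY_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")   # a well-formed LEEF attribute key


def parse_leef(line: str) -> dict:
    """Split one LEEF:1.0 event into its header fields and an attribute dict.

    Anything before 'LEEF:' (syslog PRI, timestamp, host) is skipped. The
    PAN-OS formats in this document delimit attributes with '|', so the first
    five '|'-separated fields are the header and the rest are key=value pairs.
    """
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF message")
    parts = line[start + len("LEEF:"):].split("|")
    if len(parts) < 5:
        raise ValueError("LEEF header needs five pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, parts[:5]))
    attrs = {}
    for pair in parts[5:]:
        if not pair:                      # trailing or doubled '|'
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = value                # empty values such as usrName= are kept
    return {"header": header, "attrs": attrs}


def check_template(template: str) -> list:
    """Return the problems found in a Custom Log Format string ([] if clean).

    Flags the damage that copying a wrapped format out of a PDF produces: a
    literal line break, whitespace around a header field or inside a key or
    value, a key that is not a LEEF identifier, and a value that holds a
    second 'key=' because the '|' between two attributes was lost.
    """
    problems = []
    if not template.startswith("LEEF:1.0|"):
        problems.append("template must start with 'LEEF:1.0|'")
    if "\n" in template or "\r" in template:
        problems.append("template contains a line break")
    parts = template.split("|")
    if len(parts) < 6:
        problems.append("fewer than five header fields before the attributes")
        return problems
    for field in parts[1:5]:
        if field != field.strip():
            problems.append(f"stray whitespace in header field {field!r}")
    for pair in parts[5:]:
        key, sep, value = pair.partition("=")
        if not sep:
            problems.append(f"attribute without '=': {pair!r}")
        elif not KEY_RE.fullmatch(key):
            problems.append(f"malformed attribute key {key!r}")
        elif re.search(r"\s", value):
            problems.append(f"whitespace in value of {key}: {value!r}")
        elif "=" in value:
            problems.append(f"missing '|' inside {pair!r}")
    return problems


# Constructed: a shortened PAN-OS v3.0 - v6.1 Threat format as it should be pasted ...
GOOD_TEMPLATE = (
    "LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$threatid|"
    "cat=$type|Subtype=$subtype|src=$src|dst=$dst|"
    "devTime=$cef-formatted-receive_time|SourceZone=$from|DestinationZone=$to"
)
# ... and the same string after a wrapped copy-paste: a space inside
# $cef-formatted-receive_time and the '|' before DestinationZone lost.
BAD_TEMPLATE = (
    "LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$threatid|"
    "cat=$type|Subtype=$subtype|src=$src|dst=$dst|"
    "devTime=$cef -formatted-receive_time|SourceZone=$fromDestinationZone=$to"
)
# Constructed Traffic event; values follow this document's sample message.
SAMPLE_EVENT = (
    "<182>Sep 28 14:31:56 paloalto.paseries.test "
    "LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|7.1.4-h2|deny|"
    "cat=TRAFFIC|ReceiveTime=2016/09/28 14:31:56|SerialNumber=0008C101475|"
    "Type=TRAFFIC|subtype=drop|devTime=Sep 28 2016 19:31:56 GMT|"
    "src=192.0.2.1|dst=192.0.2.20|RuleName=G_Deny CTFS-DB to MFWT|usrName=|"
    "srcPort=1550|dstPort=11404|proto=tcp|action=deny|"
    "SessionEndReason=policy-deny|DeviceName="
)

if __name__ == "__main__":
    print("clean template:", check_template(GOOD_TEMPLATE))
    print("pasted template:", check_template(BAD_TEMPLATE))
    print(parse_leef(SAMPLE_EVENT))
```

Run it once on each format string before pasting into the Syslog Server Profile, and once on an event captured from the JSA Console to confirm the attribute names match the format that was configured.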