Palo Alto Networks PA Series

 

Use the JSA DSM for Palo Alto PA Series to collect events from Palo Alto PA Series devices.

To send events from Palo Alto PA Series to JSA, complete the following steps:

  1. If automatic updates are not enabled, download the most recent version of the Palo Alto PA Series DSM RPM from https://support.juniper.net/support/.

  2. Configure your Palo Alto PA Series device to communicate with JSA. You must create a Syslog destination and forwarding policy on the Palo Alto PA Series device.

  3. If JSA does not automatically detect the Palo Alto PA Series as a log source, create a Palo Alto PA Series log source on the JSA Console. Use the following Palo Alto values to configure the log source parameters:

    Table 1: Palo Alto PA Series Log Source Parameters

    Parameter                  Description
    Log Source Identifier      The IP address or host name of the Palo Alto PA Series device.
    Log Source Type            Palo Alto PA Series
    Protocol Configuration     Syslog

Palo Alto PA DSM Specifications

The following table identifies the specifications for the Palo Alto PA Series DSM:

Table 2: DSM Specifications for Palo Alto PA Series

Specification                  Value
Manufacturer                   Palo Alto Networks
DSM name                       Palo Alto PA Series
RPM file name                  DSM-PaloAltoPaSeries-JSA_version-build_number.noarch.rpm
Supported versions             PAN-OS v3.0 to v9.1
Event format                   LEEF for PAN-OS v3.0 to v9.1; CEF for PAN-OS v4.0 to v6.1
JSA recorded log types         Traffic, Threat, Config, System, HIP Match, Data, WildFire, Authentication, Tunnel Inspection, Correlation, URL Filtering, User-ID, SCTP, IP-Tag
Automatically discovered?      Yes
Includes identity?             Yes
Includes custom properties?    No
More information               Palo Alto Networks website (http://www.paloaltonetworks.com)

Creating a Syslog Destination on Your Palo Alto PA Series Device

To send Palo Alto PA Series events to JSA, create a Syslog destination (Syslog or LEEF event format) on the Palo Alto PA Series device.

Note

A Palo Alto device sends a single format to all of its Syslog destinations. If you change the format to LEEF, every other device that receives Syslog from the firewall must be able to parse that same format.

  1. Log in to the Palo Alto Networks interface.
  2. On the Device tab, click Server Profiles > Syslog, and then click Add.
  3. Create a Syslog destination by following these steps:
    1. In the Syslog Server Profile dialog box, click Add.

    2. Specify the name, server IP address, port, and facility of the JSA system that you want to use as a syslog server.

    3. If you are sending the default Syslog format rather than LEEF, leave the Custom Format column set to Default for all log types.

  4. Configure LEEF events by following these steps:

    Note

    The format strings below are wrapped for display. Copy each one into a text editor, remove any carriage return or line feed characters so that it is a single line, and then paste it into the appropriate field.

    1. Click the Custom Log Format tab in the Syslog Server Profile dialog box.

    2. Click Config, copy the text for the PAN-OS version that you are using, and paste it in the Custom Format field for the Config log type.

      • PAN-OS v3.0 - v6.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$result|cat=$type|usrName=$admin|src=$host|devTime=$cef-formatted-receive_time|client=$client|sequence=$seqno|serial=$serial|msg=$cmd

      • PAN-OS v7.1 - v9.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$result|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|src=$host|VirtualSystem=$vsys|msg=$cmd|usrName=$admin|client=$client|Result=$result|ConfigurationPath=$path|sequence=$seqno|ActionFlags=$actionflags|BeforeChangeDetail=$before-change-detail|AfterChangeDetail=$after-change-detail|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

    3. Click System, copy the text for the PAN-OS version that you are using, and paste it in the Custom Format field for the System log type. If your version is not listed, omit this step.

      • PAN-OS v3.0 - v6.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$eventid|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|sev=$severity|Severity=$number-of-severity|msg=$opaque|Filename=$object

      • PAN-OS v7.1 - v9.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$eventid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|VirtualSystem=$vsys|Filename=$object|Module=$module|sev=$number-of-severity|Severity=$severity|msg=$opaque|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

    4. Click Threat, copy the text for the PAN-OS version that you are using, and paste it in the Custom Format field for the Threat log type. If your version is not listed, omit this step.

      • PAN-OS v3.0 - v6.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$threatid|cat=$type|Subtype=$subtype|src=$src|dst=$dst|srcPort=$sport|dstPort=$dport|proto=$proto|usrName=$srcuser|SerialNumber=$serial|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|URLCategory=$category|sev=$severity|Severity=$number-of-severity|Direction=$direction|ContentType=$contenttype|action=$action|Miscellaneous=$misc

      • PAN-OS v7.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|UserAgent=$user_agent|FileType=$filetype|identSrc=$xff|Referer=$referer|Sender=$sender|Subject=$subject|Recipient=$recipient|ReportID=$reportid|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

      • PAN-OS v8.0 - 9.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|Subject=$subject|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid|TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category|ContentVer=$contentver

    5. Click Traffic, copy the text for the PAN-OS version that you are using, and paste it in the Custom Format field for the Traffic log type. If your version is not listed, omit this step.

      • PAN-OS v3.0 - v6.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$action|cat=$type|src=$src|dst=$dst|srcPort=$sport|dstPort=$dport|proto=$proto|usrName=$srcuser|SerialNumber=$serial|Type=$type|Subtype=$subtype|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|totalBytes=$bytes|totalPackets=$packets|ElapsedTime=$elapsed|URLCategory=$category|dstBytes=$bytes_received|srcBytes=$bytes_sent|action=$action

      • PAN-OS v7.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|cat=$type|ReceiveTime=$receive_time|SerialNumber=$serial|Type=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|totalPackets=$packets|StartTime=$start|ElapsedTime=$elapsed|URLCategory=$category|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|dstPackets=$pkts_received|srcPackets=$pkts_sent|SessionEndReason=$session_end_reason|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ActionSource=$action_source

      • PAN-OS v8.0 - 9.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|cat=$type|ReceiveTime=$receive_time|SerialNumber=$serial|Type=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|totalPackets=$packets|StartTime=$start|ElapsedTime=$elapsed|URLCategory=$category|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|dstPackets=$pkts_received|srcPackets=$pkts_sent|SessionEndReason=$session_end_reason|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ActionSource=$action_source|SrcUUID=$src_uuid|DstUUID=$dst_uuid|TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel

    6. If you are using PAN-OS 7.1 or later, click HIP Match, copy the text for the PAN-OS version that you are using, and paste it in the Custom Format field for the HIP Match log type.

      • PAN-OS v7.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$matchname|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|usrName=$srcuser|VirtualSystem=$vsys|identHostName=$machinename|OS=$os|identSrc=$src|HIP=$matchname|RepeatCount=$repeatcnt|HIPType=$matchtype|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

      • PAN-OS v8.0 - 9.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$matchname|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|usrName=$srcuser|VirtualSystem=$vsys|identHostName=$machinename|OS=$os|identsrc=$src|HIP=$matchname|RepeatCount=$repeatcnt|HIPType=$matchtype|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|VirtualSystemID=$vsys_id|srcipv6=$srcipv6|startTime=$cef-formatted-time_generated

    7. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the URL Filtering log type.

      • PAN-OS v8.0 - 9.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|UserAgent=$user_agent|identSrc=$xff|Referer=$referer|Subject=$subject|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid|TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category|ContentVer=$contentver

    8. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Data log type.

      • PAN-OS v8.0 - 9.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|Subject=$subject|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid|TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category|ContentVer=$contentver

    9. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the WildFire log type.

      • PAN-OS v8.0 - 9.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|FileType=$filetype|Sender=$sender|Subject=$subject|Recipient=$recipient|ReportID=$reportid|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid|TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category|ContentVer=$contentver

    10. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Authentication log type.

      • PAN-OS v8.0 - 9.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$event|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|ServerProfile=$serverprofile|LogForwardingProfile=$logset|VirtualSystem=$vsys|AuthPolicy=$authpolicy|ClientType=$clienttype|NormalizeUser=$normalize_user|ObjectName=$object|FactorNumber=$factorno|AuthenticationID=$authid|src=$ip|RepeatCount=$repeatcnt|usrName=$user|Vendor=$vendor|msg=$event|sequence=$seqno|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|AdditionalAuthInfo=$desc|ActionFlags=$actionflags

    11. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the User-ID log type.

      • PAN-OS v8.0 - 9.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$subtype|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|FactorType=$factortype|VirtualSystem=$vsys|DataSourceName=$datasourcename|DataSource=$datasource|DataSourceType=$datasourcetype|FactorNumber=$factorno|VirtualSystemID=$vsys_id|TimeoutThreshold=$timeout|src=$ip|srcPort=$beginport|dstPort=$endport|RepeatCount=$repeatcnt|usrName=$user|sequence=$seqno|EventID=$eventid|FactorCompletionTime=$factorcompletiontime|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ActionFlags=$actionflags

    12. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Tunnel Inspection log type.

      • PAN-OS v8.0 - 9.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel|totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|totalPackets=$packets|dstPackets=$pkts_received|srcPackets=$pkts_sent|MaximumEncapsulation=$max_encap|UnknownProtocol=$unknown_proto|StrictChecking=$strict_check|TunnelFragment=$tunnel_fragment|SessionsCreated=$sessions_created|SessionsClosed=$sessions_closed|SessionEndReason=$session_end_reason|ActionSource=$action_source|startTime=$start|ElapsedTime=$elapsed

    13. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Correlation log type.

      • PAN-OS v8.0 - 9.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|8.0|$category|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|startTime=$cef-formatted-time_generated|Severity=$severity|VirtualSystem=$vsys|VirtualSystemID=$vsys_id|src=$src|SourceUser=$srcuser|msg=$evidence|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ObjectName=$object_name|ObjectID=$object_id

    14. If you are using PAN-OS 8.1 - 9.1, copy the following text, and paste it in the Custom Format column for the SCTP log type.

      • PAN-OS v8.1 - 9.1--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|genTime=$time_generated|src=$src|dst=$dst|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|proto=$proto|action=$action|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vsysName=$vsys_name|DeviceName=$device_name|sequence=$seqno|AssocID=$assoc_id|PayloadProtoID=$ppid|sev=$num_of_severity|SCTPChunkType=$sctp_chunk_type|SCTPVerTag1=$verif_tag_1|SCTPVerTag2=$verif_tag_2|SCTPCauseCode=$sctp_cause_code|DiamAppID=$diam_app_id|DiamCmdCode=$diam_cmd_code|DiamAVPCode=$diam_avp_code|SCTPStreamID=$stream_id|SCTPAssEndReason=$assoc_end_reason|OpCode=$op_code|CPSSN=$sccp_calling_ssn|CPGlobalTitle=$sccp_calling_gt|SCTPFilter=$sctp_filter|SCTPChunks=$chunks|SrcSCTPChunks=$chunks_sent|DstSCTPChunks=$chunks_received|Packets=$packets|srcPackets=$pkts_sent|dstPackets=$pkts_received

    15. If you are using PAN-OS 9.x, copy the following text, and paste it in the Custom Format column for the IP-Tag log type.

      • PAN-OS v9.x--

        LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$event_id|cat=$type|devTime=$cef-formatted-receive_time|ReceiveTime=$receive_time|SerialNumber=$serial|Subtype=$subtype|GenerateTime=$time_generated|VirtualSystem=$vsys|src=$ip|TagName=$tag_name|EventID=$eventid|RepeatCount=$repeatcnt|TimeoutThreshold=$timeout|DataSourceName=$datasourcename|DataSource=$datasource_type|DataSourceType=$datasource_subtype|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|VirtualSystemID=$vsys_id

  5. Click OK.
  6. To specify the severity of events that are contained in the Syslog messages, click Log Setting.
    1. For each severity that you want to include in the Syslog message, click the Severity name and select the Syslog destination from the Syslog menu.

    2. Click OK.

  7. Click Commit.

To allow communication between your Palo Alto Networks device and JSA, create a forwarding policy. See Creating a forwarding policy on your Palo Alto PA Series device.

Creating a Forwarding Policy on Your Palo Alto PA Series Device

If your JSA Console or Event Collector is in a different security zone than your Palo Alto PA Series device, create a forwarding policy rule.

  1. Log in to the Palo Alto Networks interface.
  2. Click the Policies tab, and then click Policy Based Forwarding.
  3. Click Add.
  4. Configure the parameters. For descriptions of the policy-based forwarding values, see your Palo Alto Networks Administrator's Guide.

Creating ArcSight CEF Formatted Syslog Events on Your Palo Alto Networks PA Series Firewall

Configure your Palo Alto Networks firewall to send ArcSight CEF formatted Syslog events to JSA.

  1. Log in to the Palo Alto Networks interface.
  2. Click the Device tab.
  3. Select Server Profiles > Syslog, and then click Add.
  4. On the Servers tab, click Add.
  5. Specify the name, server IP address, port, and facility of the JSA system that you want to use as a Syslog server:
    1. Name is the Syslog server name.

    2. Syslog Server is the IP address of the JSA Console or Event Collector that receives the events.

    3. The Transport/Port default is 514. Syslog over UDP is neither encrypted nor authenticated, so if the path to JSA crosses an untrusted network, choose a TCP or SSL transport and configure the matching port on the JSA log source.

    4. The Facility default is LOG_USER.

  6. To use the ArcSight CEF format for a log type, complete the following steps:
    1. Click the Custom Log Format tab and select any of the listed log types to define a custom format based on the ArcSight CEF for that log type. The listed log types are Config, System, Threat, Traffic, and HIP Match.

    2. Click OK twice to save your entries, and then click Commit.

  7. To define your own CEF-style formats that use the event mapping table in the ArcSight document Implementing ArcSight CEF, use the following information:

    The Custom Log Format tab supports escaping any characters that the CEF specification defines as special. For example, to escape the backslash and equal sign characters with a backslash, select the Escaping check box, specify \= as the Escaped Characters and \ as the Escape Character. Without escaping, an equal sign inside a field value such as a configuration path or a URL can be misread by the receiver as the start of a new key=value pair.

    The following list shows the CEF-style format that was used during the certification process for each log type. These custom formats include all of the fields, in a similar order, that the default Syslog format displays.

    Note

    Due to PDF formatting, do not copy and paste the message formats directly into the PAN-OS web interface. Instead, paste into a text editor, remove any carriage return or line feed characters, and then copy and paste into the web interface.

    • Traffic--

      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category externalId=$seqno

    • Threat--

      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction externalId=$seqno requestContext=$contenttype cat=$threatid filePath=$cloud fileId=$pcap_id fileHash=$filedigest

    • Config--

      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno

    • System--

      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial cs3Label=Virtual System cs3=$vsys fname=$object flexString2Label=Module flexString2=$module msg=$opaque externalId=$seqno cat=$eventid

    • HIP Match--

      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$matchtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial suser=$srcuser cs3Label=Virtual System cs3=$vsys shost=$machinename src=$src cnt=$repeatcnt externalId=$seqno cat=$matchname cs2Label=Operating System cs2=$os

For more information about Syslog configuration, see the PAN-OS Administrator's Guide on the Palo Alto Networks website (https://www.paloaltonetworks.com).
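The escaping option in step 7 matters because a CEF receiver finds extension fields by scanning for `key=` tokens, so an unescaped equal sign inside a value silently splits that value into a bogus new field. The following parser is an added example, not code from the JSA DSM or from Palo Alto Networks: it reads the seven-field CEF header, honours the escaping configured on the firewall (backslash as the Escape Character, backslash and equal sign as the Escaped Characters), resolves the csN/cnN/flexStringN label pairs used in the formats above, and shows what goes wrong when escaping is off. The two sample records are constructed from this page's Config CEF template; the hostname, admin name, client IP and sequence number are made up, and the serial number is the one from the sample event later on this page.

```python
# Parse ArcSight CEF records produced by the PAN-OS custom log formats above,
# honouring the escaping the firewall applies when Escaping is enabled
# (Escape Character backslash, Escaped Characters backslash and '=') and
# resolving csN/cnN/flexStringN label pairs. Added example, not JSA or
# PAN-OS code; the two records below are constructed from this page's
# Config CEF template, with made-up hostname, user, client IP and sequence.
import re

CEF_HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")
# An extension key starts at the beginning of the extension or after
# whitespace and is immediately followed by '='; an escaped '\=' inside a
# value never matches because the backslash sits between the word and '='.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")


def unescape(value: str) -> str:
    """Undo CEF escaping: backslash plus any character yields that character
    (so backslash-equals becomes '='); backslash-n and backslash-r are line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(extension: str) -> dict:
    """Split 'key=value key2=value with spaces ...' into a dict. A value runs
    up to the next unescaped 'key=' token, so 'cs3Label=Virtual System'
    survives intact."""
    keys = list(KEY_RE.finditer(extension))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        fields[m.group(1)] = unescape(extension[m.end():end].strip())
    return fields


def resolve_labels(fields: dict) -> dict:
    """Turn 'cs3Label=Virtual System cs3=vsys1' into {'Virtual System': 'vsys1'}
    so that downstream code sees the PAN-OS field names, not csN slots."""
    resolved = dict(fields)
    for key, label in fields.items():
        if key.endswith("Label") and key[:-5] in fields:
            resolved[label] = fields[key[:-5]]
            del resolved[key]
            del resolved[key[:-5]]
    return resolved


def parse_cef(record: str) -> dict:
    """Parse one CEF record (optionally behind a syslog header) into a flat
    dict of the seven header fields plus the resolved extension fields."""
    start = record.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in record")
    text = record[start:]
    fields, current, i = [], [], 0
    # header: seven fields separated by '|'; a backslash escapes the next char
    while i < len(text) and len(fields) < len(CEF_HEADER_FIELDS):
        char = text[i]
        if char == "\\" and i + 1 < len(text):
            current.append(text[i + 1])
            i += 2
        elif char == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(char)
            i += 1
    if len(fields) < len(CEF_HEADER_FIELDS):
        raise ValueError("CEF header needs seven '|'-separated fields")
    event = dict(zip(CEF_HEADER_FIELDS, fields))
    event.update(resolve_labels(parse_extension(text[i:])))
    return event


# Constructed from the Config CEF template on this page. With Escaping enabled
# the '=' inside the $path value arrives as backslash-equals.
ESCAPED_CONFIG_EVENT = (
    "<14>Sep 28 14:31:56 fw01 CEF:0|Palo Alto Networks|PAN-OS|6.0.0|succeeded|CONFIG|1|"
    "rt=Sep 28 2016 19:31:56 GMT deviceExternalId=0008C101475 dvchost=192.0.2.10 "
    "cs3Label=Virtual System cs3=vsys1 act=set duser=admin destinationServiceName=Web "
    "msg=deviceconfig system hostname\\=fw01 externalId=17"
)
# The same record sent without escaping: ' hostname=fw01' now looks like a new key
UNESCAPED_CONFIG_EVENT = ESCAPED_CONFIG_EVENT.replace("hostname\\=fw01", "hostname=fw01")

if __name__ == "__main__":
    good = parse_cef(ESCAPED_CONFIG_EVENT)
    print(good["name"], good["signature_id"], good["Virtual System"], repr(good["msg"]))
    bad = parse_cef(UNESCAPED_CONFIG_EVENT)
    print(repr(bad["msg"]), "spurious key:", bad.get("hostname"))
```

With escaping on, `msg` comes back as the full path `deviceconfig system hostname=fw01`; without it, `msg` is truncated to `deviceconfig system` and a `hostname` field appears that the firewall never sent. The same split happens with any attacker-influenced value that reaches a CEF field (a URL in `request=$misc`, a file name in `fname=$object`), which is why escaping should be enabled whenever the CEF formats above are used.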

Sample Event Message

Use this sample event message as a way of verifying a successful integration with JSA.

The following table provides a sample event message when using the Syslog protocol for the Palo Alto PA Series DSM:

Table 3: Palo Alto PA Series Sample Message

Event name: Session Denied

Low level category: Firewall Deny

Sample log message:

<182>Sep 28 14:31:56 paloalto.paseries.test LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|7.1.4-h2|deny|cat=TRAFFIC|ReceiveTime=2016/09/28 14:31:56|SerialNumber=0008C101475|Type=TRAFFIC|subtype=drop|devTime=Sep 28 2016 19:31:56 GMT|src=192.0.2.1|dst=192.0.2.20|srcPostNAT=0.0.0.0|dstPostNAT=0.0.0.0|RuleName=G_Deny CTFS-DB to MFWT|usrName=|SourceUser=|DestinationUser=|Application=not-applicable|VirtualSystem=vsys73|SourceZone=AAAA|DestinationZone=BBBB|IngressInterface=ae2.3344|EgressInterface=|LogForwardingProfile=ACXM_STND_Log_Forwarding|SessionID=0|RepeatCount=1|srcPort=1550|dstPort=11404|srcPostNATPort=0|dstPostNATPort=0|Flags=0x0|proto=tcp|action=deny|totalBytes=64|dstBytes=0|srcBytes=64|totalPackets=1|StartTime=2016/09/28 15:11:12|ElapsedTime=0|URLCategory=any|sequence=4324246071|ActionFlags=0x8000000000000000|SourceLocation=192.0.2.0-192.0.2.255|DestinationLocation=Canada|dstPackets=0|srcPackets=1|SessionEndReason=policy-deny|DeviceGroupHierarchyL1=1679|DeviceGroupHierarchyL2=0|DeviceGroupHierarchyL3=0|DeviceGroupHierarchyL4=0|vSrcName=|DeviceName=|ActionSource=
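Two checks from this page are worth automating: the one the note in step 4 of the Syslog destination procedure asks you to do by hand (join a wrapped LEEF format string into one line, and make sure every attribute is still a well-formed key=$variable pair before pasting it into the Custom Format field), and the parse that lets you confirm the sample message above reaches JSA with the fields you expect. The following code is an added example, not code from the JSA DSM or from Palo Alto Networks. It copies the PAN-OS v3.0 - v6.1 Config format and the sample Traffic event from this page; the deliberately broken template, the function names and the list of checks are this example's own.

```python
# Normalize, validate and parse PAN-OS LEEF custom log formats for the JSA
# Palo Alto PA Series DSM. Added example, not JSA or PAN-OS code: the Config
# template and the sample event come from this page, everything else is
# this example's own construction.
import re

HEADER_FIELDS = ("leef_version", "vendor", "product", "product_version", "event_id")
# a template attribute value must be exactly one PAN-OS variable, e.g. $src
VARIABLE = re.compile(r"^\$[A-Za-z0-9_-]+$")


def normalize_template(text: str) -> str:
    """Join a format wrapped over several lines into the single line the Custom
    Format field expects; only line breaks and the whitespace around them go."""
    return re.sub(r"\s*[\r\n]+\s*", "", text.strip())


def split_leef(record: str):
    """Split a LEEF 1.0 record (template or live event) into its five header
    fields and a list of (key, value) pairs; value is None if a field has no '='.
    The PAN-OS formats on this page separate attributes with '|' rather than
    the LEEF default tab, so the whole record is split on '|'; a leading syslog
    header ('<182>Sep 28 14:31:56 host ') is skipped. A value that itself
    contains '|' shifts every field after it, so callers validate the result."""
    start = record.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in record")
    parts = record[start:].split("|")
    if len(parts) < len(HEADER_FIELDS):
        raise ValueError("LEEF header needs five '|'-separated fields")
    header = dict(zip(HEADER_FIELDS, (p.strip() for p in parts[:5])))
    attrs = []
    for field in parts[5:]:
        key, sep, value = field.partition("=")
        attrs.append((key.strip(), value if sep else None))
    return header, attrs


def validate_template(template: str) -> list:
    """Return the problems in a PAN-OS LEEF custom format ([] when clean):
    LEEF:1.0 header, non-empty event ID, every attribute a key=$variable."""
    problems = []
    header, attrs = split_leef(normalize_template(template))
    if header["leef_version"] != "LEEF:1.0":
        problems.append(f"header starts with {header['leef_version']!r}, expected LEEF:1.0")
    if not header["event_id"]:
        problems.append("empty event ID field in header")
    for key, value in attrs:
        if value is None:
            problems.append(f"attribute {key!r} has no '='")
        elif not VARIABLE.match(value):
            problems.append(f"{key}: {value!r} is not a single $variable (missing '|'?)")
    return problems


def parse_event(message: str) -> dict:
    """Parse a live LEEF event into one flat dict of header fields and attributes."""
    header, attrs = split_leef(message)
    event = dict(header)
    for key, value in attrs:
        if value is None:
            raise ValueError(f"malformed attribute {key!r} in event")
        event[key] = value
    return event


# Config log format for PAN-OS v3.0 - v6.1, copied from this page and wrapped
# over two lines the way a PDF copy comes out
CONFIG_TEMPLATE = """LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$result|cat=$type|usrName=$admin
|src=$host|devTime=$cef-formatted-receive_time|client=$client|sequence=$seqno|serial=$serial|msg=$cmd"""

# Constructed: a fragment in which the '|' before DestinationZone was lost
BROKEN_TEMPLATE = ("LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$threatid"
                   "|cat=$type|SourceZone=$fromDestinationZone=$to|action=$action")

# The sample Traffic event from this page, as one line
SAMPLE_EVENT = (
    "<182>Sep 28 14:31:56 paloalto.paseries.test LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|"
    "7.1.4-h2|deny|cat=TRAFFIC|ReceiveTime=2016/09/28 14:31:56|SerialNumber=0008C101475|Type=TRAFFIC|"
    "subtype=drop|devTime=Sep 28 2016 19:31:56 GMT|src=192.0.2.1|dst=192.0.2.20|srcPostNAT=0.0.0.0|"
    "dstPostNAT=0.0.0.0|RuleName=G_Deny CTFS-DB to MFWT|usrName=|SourceUser=|DestinationUser=|"
    "Application=not-applicable|VirtualSystem=vsys73|SourceZone=AAAA|DestinationZone=BBBB|"
    "IngressInterface=ae2.3344|EgressInterface=|LogForwardingProfile=ACXM_STND_Log_Forwarding|SessionID=0|"
    "RepeatCount=1|srcPort=1550|dstPort=11404|srcPostNATPort=0|dstPostNATPort=0|Flags=0x0|proto=tcp|"
    "action=deny|totalBytes=64|dstBytes=0|srcBytes=64|totalPackets=1|StartTime=2016/09/28 15:11:12|"
    "ElapsedTime=0|URLCategory=any|sequence=4324246071|ActionFlags=0x8000000000000000|"
    "SourceLocation=192.0.2.0-192.0.2.255|DestinationLocation=Canada|dstPackets=0|srcPackets=1|"
    "SessionEndReason=policy-deny|DeviceGroupHierarchyL1=1679|DeviceGroupHierarchyL2=0|"
    "DeviceGroupHierarchyL3=0|DeviceGroupHierarchyL4=0|vSrcName=|DeviceName=|ActionSource="
)

if __name__ == "__main__":
    print("config template:", validate_template(CONFIG_TEMPLATE) or "ok")
    print("broken template:", validate_template(BROKEN_TEMPLATE))
    event = parse_event(SAMPLE_EVENT)
    print(event["product_version"], event["event_id"], event["cat"],
          event["src"], "->", event["dst"], event["SessionEndReason"])
```

Run `validate_template` on each format string after you have pasted it into a text editor: the broken fragment is reported as `SourceZone: '$fromDestinationZone=$to' is not a single $variable`, which is exactly the kind of damage a wrapped copy produces and which the firewall accepts without complaint, leaving JSA with a field it cannot map. `parse_event` applied to the sample message yields `deny`, `TRAFFIC`, `192.0.2.1` to `192.0.2.20` and `policy-deny`, the values behind the Session Denied / Firewall Deny mapping in Table 3.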