Palo Alto Endpoint Security Manager
The JSA DSM for Palo Alto Endpoint Security Manager (Traps) collects events from a Palo Alto Endpoint Security Manager (Traps) device.
The following table describes the specifications for the Palo Alto Endpoint Security Manager DSM:
Specification | Value
---|---
Manufacturer | Palo Alto Networks
DSM name | Palo Alto Endpoint Security Manager
RPM file name | DSM-PaloAltoEndpointSecurityManager-JSA_version-build_number.noarch.rpm
Supported versions | 3.4.2.17401
Protocol | Syslog
Event format | Log Event Extended Format (LEEF); Common Event Format (CEF), of which CEF:0 is supported
Recorded event types | Agent, Config, Policy, System, Threat
Automatically discovered? | Yes
Includes identity? | No
Includes custom properties? | No
More information | Palo Alto Networks website (https://www.paloaltonetworks.com)
To integrate Palo Alto Endpoint Security Manager with JSA, complete the following steps:
- If automatic updates are not enabled, download the most recent versions of the following RPMs from the Juniper Downloads site:
  - DSMCommon RPM
  - Palo Alto Endpoint Security Manager DSM RPM
- Configure your Palo Alto Endpoint Security Manager device to send syslog events to JSA.
- If JSA does not automatically detect the log source, add a Palo Alto Endpoint Security Manager log source on the JSA console. The following table describes the parameters that require specific values for Palo Alto Endpoint Security Manager event collection:

Table 2: Palo Alto Endpoint Security Manager Log Source Parameters

Parameter | Value
---|---
Log Source type | Palo Alto Endpoint Security Manager
Protocol Configuration | Syslog
Log Source Identifier | A unique identifier for the log source. For syslog this must match the source IP address or host name that appears in the events, otherwise JSA cannot route the events to this log source.
To verify that JSA is configured correctly, compare the events it receives with the following sample event message and its expected parsing:

Table 3: Palo Alto Endpoint Security Manager Sample Message

Event name | Low level category
---|---
New Hash Added | Successful Configuration Modification

Sample log message (LEEF 1.0 separates the attributes after the header with a tab character, rendered here as a space; the fileHash value is a placeholder):
LEEF:1.0|Palo Alto Networks|Traps ESM|3.4.2.17401|New Hash Added|cat=Policy subtype=New Hash Added devTimeFormat=MMM dd yyyy HH:mm:ss devTime=Nov 03 2016 18:43:57 src=<Source_IP_address> shost=hostname suser= fileHash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx NewVerdict=Benign msg=New hash added sev=6
Configuring Palo Alto Endpoint Security Manager to Communicate with JSA
Before JSA can collect events from Palo Alto Endpoint Security Manager, you must configure Palo Alto Endpoint Security Manager to send events to JSA.
- Log in to the Endpoint Security Manager (ESM) Console.
- Click Settings > ESM.
- Click Syslog, and then select Enable Syslog.
- Configure the syslog parameters:

Parameter | Value
---|---
Syslog Server | Host name or IP address of the JSA server that receives syslog.
Syslog Port | 514
Syslog Protocol | LEEF
Keep-alive-timeout | 0
Send reports interval | Frequency, in minutes, at which Traps sends logs. The default is 10; the range is 1 - 2,147,483,647.
Syslog Communication Protocol | Transport protocol that the ESM Console uses to send syslog reports: UDP, TCP, or TCP with SSL. UDP is unacknowledged and unencrypted, so events can be dropped or read in transit; TCP with SSL protects them on the wire. Whichever transport you choose must be one that the JSA log source is configured to accept.

- In the Logging Events area, select the types of events that you want to send to JSA.
- Click Check Connectivity. The ESM Console sends a test message to the syslog server by using the settings on the Syslog page. If the test message is not received, verify that the settings are correct and try again.
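When Check Connectivity fails, it helps to know whether the datagram left the ESM at all before debugging the JSA side. The following Python listener is an added example, not part of the JSA DSM or the ESM, that binds the port the ESM is pointed at, captures the first UDP datagram and reports its syslog framing. The sample datagram is constructed; the RFC 3164 `<PRI>` prefix (`<134>`, local0.info) and the timestamp/host text before the LEEF header are assumptions about what the ESM emits, which this page does not specify.

```python
"""Catch the ESM syslog test datagram and check its framing (added example)."""
import re
import socket

# Syslog priority prefix: <facility*8 + severity>, valid range 0..191.
_PRI = re.compile(r"^<(\d{1,3})>")
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed datagram. The <134> (local0.info) prefix and the timestamp/host
# before the LEEF header are assumptions, not copied from a real ESM.
SAMPLE_DATAGRAM = (
    b"<134>Nov 03 2016 18:43:57 esm01 "
    b"LEEF:1.0|Palo Alto Networks|Traps ESM|3.4.2.17401|New Hash Added|"
    b"cat=Policy\tsubtype=New Hash Added\tsev=6"
)


def validate_frame(datagram: bytes) -> dict:
    """Decode one syslog datagram and report what a collector would see."""
    text = datagram.decode("utf-8", errors="replace")
    report = {"bytes": len(datagram), "has_pri": False, "facility": None,
              "severity": None, "leef": False, "leef_header": None}
    m = _PRI.match(text)
    if m:
        pri = int(m.group(1))
        if pri > 191:
            raise ValueError(f"invalid PRI {pri}")
        report["has_pri"] = True
        report["facility"], sev = divmod(pri, 8)
        report["severity"] = SEVERITY_NAMES[sev]
        text = text[m.end():]
    # The LEEF header is what the DSM keys on; anything before it is syslog framing.
    idx = text.find("LEEF:1.0|")
    if idx >= 0:
        report["leef"] = True
        report["leef_header"] = text[idx:].split("|", 5)[:5]
    return report


def listen_once(host="0.0.0.0", port=514, timeout=60.0):
    """Bind the address the ESM sends to; return (peer, report) or None on timeout.

    Binding 514 needs root or CAP_NET_BIND_SERVICE; any free port works for a
    test as long as the ESM's Syslog Port is set to match. UDP only: for TCP or
    TCP with SSL the ESM opens a stream and this check does not apply.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        sock.settimeout(timeout)
        try:
            data, peer = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return peer, validate_frame(data)


if __name__ == "__main__":
    print(validate_frame(SAMPLE_DATAGRAM))
    print(listen_once())
```

Run it on the host you named as Syslog Server (stop the real collector first, or use a spare port and set the ESM's Syslog Port to match), then click Check Connectivity. A report with has_pri true and leef true means the ESM side is working and the remaining problem is on the JSA log source; no datagram within the timeout points at the ESM settings or a firewall between the two.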