Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Palo Alto Endpoint Security Manager

The JSA DSM for Palo Alto Endpoint Security Manager (Traps) collects events from a Palo Alto Endpoint Security Manager (Traps) device.

The following table describes the specifications for the Palo Alto Endpoint Security Manager DSM:

Table 1: Palo Alto Endpoint Security Manager DSM Specifications

Specification

Value

Manufacturer

Palo Alto Networks

DSM name

Palo Alto Endpoint Security Manager

RPM file name

DSM-PaloAltoEndpointSecurityManager- JSA_version-build_number .noarch.rpm

Supported versions

3.4.2.17401

Protocol

Syslog

Event format

Log Event Extended Format (LEEF)

Common Event Format (CEF). CEF:0 is supported.

Recorded event types

Agent

Config

Policy

System

Threat

Automatically discovered?

Yes

Includes identity?

No

Includes custom properties?

No

More information

Palo Alto Networks website (https://www.paloaltonetworks.com)

To integrate Palo Alto Endpoint Security Manager with JSA, complete the following steps:

  1. If automatic updates are not enabled, download the most recent versions of the RPMs from the Juniper Downloads.

    • DSMCommon RPM

    • Palo Alto Endpoint Security Manager DSM RPM

  2. Configure your Palo Alto Endpoint Security Manager device to send syslog events to JSA.

  3. If JSA does not automatically detect the log source, add a Palo Alto Endpoint Security Manager log source on the JSA console. The following table describes the parameters that require specific values for Palo Alto Endpoint Security Manager event collection:

    Table 2: Palo Alto Endpoint Security Manager Log Source Parameters

    Parameter

    Value

    Log Source type

    Palo Alto Endpoint Security Manager

    Protocol Configuration

    Syslog

    Log Source Identifier

    A unique identifier for the log source.

  4. To verify that JSA is configured correctly, review the following table to see an example of a parsed event message.

    The following table shows a sample event message for Palo Alto Endpoint Security Manager:

    Table 3: Palo Alto Endpoint Security Manager Sample Message

    Event name

    Low level category

    Sample log message

    New Hash Added

    Successful Configuration Modification

    LEEF:1.0|Palo Alto
    Networks|Traps ESM|3.4.2.17401|
    New Hash Added|cat=Policy
    subtype=New Hash
    Added devTimeFormat=
    MMM dd yyyy HH:mm:ss
    devTime=Nov 03 2016
    18:43:57 src=<Source_IP_address>
    shost=hostname suser= fileHash=
    xxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxx NewVerdict=Benign
    msg=New hash added sev=6

Configuring Palo Alto Endpoint Security Manager to Communicate with JSA

Before JSA can collect events from Palo Alto Endpoint Security Manager, you must configure Palo Alto Endpoint Security Manager to send events to JSA.

  1. Log in to the Endpoint Security Manager (ESM) Console.

  2. Click Settings >ESM.

  3. Click Syslog, and then select Enable Syslog.

  4. Configure the syslog parameters:

    Parameter

    Value

    Syslog Server

    Host name or IP address of the JSA server.

    Syslog Port

    514

    Syslog Protocol

    LEEF

    Keep-alive-timeout

    0

    Send reports interval

    Frequency (in minutes), in which Traps sends logs from the endpoint. The default is 10. The range is 1 - 2,147,483,647.

    Syslog Communication Protocol

    Transport layer protocol that the ESM Console uses to send syslog reports by using UDP, TCP, or TCP with SSL.

  5. In the Logging Events area, select the types of events that you want to send to JSA.

  6. Click Check Connectivity. The ESM Console sends a test communication to the syslog server by using the information on the Syslog page. If the test message is not received, verify that the settings are correct, and then try again.