Version:

Configuring Palo Alto Network Firewall

Log sources for Palo Alto Network Firewall can be configured using Log Source Template or Devices. Log Source Template is recommended to minimize setup requirements and eliminate normalization issues.

Using Log Source Template

You must create a log source using the log source template to receive the normalized Palo Alto Network Firewall logs. Go to Creating Log Source via a Template to learn more.

_images/PaloAltolst.png

Selecting PaloAlto Log Source Template

Using Devices

Configuring a Repo for Palo Alto Network Firewall

  1. Go to Settings >> Configuration from the navigation bar and click Repos.

  2. Click Add.

  3. Enter a Repo Name.

  4. Select a Repo Path to store incoming logs.

  5. Set a Retention Day to keep logs in a repository before they are automatically deleted.

Note

You can add and remove multiple Repo Path and Retention Day.

  1. Select a Remote LogPoint and set a Available for (day).

  2. Click Submit.

_images/addrepo.png

Adding a Repo

Adding a Normalization Policy for Palo Alto Network Firewall

  1. Go to Settings >> Configuration from the navigation bar and click Normalization Policies.

  2. Click Add.

  3. Enter a Policy Name.

  4. Select the Compiled Normalizer and Normalization Packages for Palo Alto Network Firewall.

  5. Click Submit.

_images/norm1.png

Adding a Normalization Policy

Configuring a Processing Policy for Palo Alto Network Firewall

  1. Go to Settings >> Configuration from the navigation bar and click Processing Policies.

  2. Click Add .

  3. Enter a Policy Name.

  4. Select the previously created Normalization Policy.

  5. Select the Enrichment Policy.

  6. Select the Routing Policy.

  7. Click Submit.

_images/processingpolicy.png

Adding a Processing Policy

Adding Palo Alto Network Firewall as a Device in Logpoint

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click Add.

  3. Enter a device Name.

  4. Enter the Palo Alto Network Firewall server IP address(es).

  5. Select the Device Groups.

  6. Select an appropriate Log Collection Policy for the logs.

  7. Select a collector or a forwarder from the Distributed Collector drop-down.

Note

It is optional to select the Device Groups, the Log Collection Policy and the Distributed Collector.

  1. Select a Time Zone. The timezone of the device must be same as its log source.

  2. Configure the Risk Values for Confidentiality, Integrity and Availability used to calculate the risk levels of the alerts generated from the device.

  3. Click Submit.

Create Device Panel

Creating Palo Alto Network Firewall as a device

Configuring the Syslog Collector for Palo Alto Network Firewall

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click the Add icon from Actions of the previously added device.

  3. Click Syslog Collector.

Note

You can select a different collector depending on your requirements and added device. To learn more about available collectors go to collectors. If you require assistance, contact our support team.

  1. Select Syslog Parser as Parser.

  2. Select the previously created Processing Policy.

  3. Select the Charset.

  4. In Proxy Server, select None

  5. Click Submit.

Available Collectors Fetchers

Available Collectors Fetchers

Helpful?

We are glad this guide helped.


Please don't include any personal information in your comment

Contact Support