Version:

Palo Alto Network Firewall

Palo Alto Network Firewall enables you to monitor and identify threats in your organization using Palo Alto Network Firewall data. It includes the Syslog Collector based PaloAlto log source template, which ensures consistency in collecting, processing and analyzing Palo Alto Network Firewall logs for precise security event analysis and reporting.

Logpoint aggregates and normalizes logs from Palo Alto Networks firewall devices, enabling analysis through dashboards and security reports. Palo Alto Networks Firewall dashboards visualize events, including traffic, threats, users, content, system activity, and firewall configuration changes.

Logpoint triggers security alerts based on predetermined alert rules when identifying the Palo Alto Network Firewall events. The automated alerts enable you to detect possible issues early and take corrective actions against them. You can further customize the data and searches to perform in-depth analysis.

Configure Palo Alto Network Firewall from Log Source Template or Devices. We recommend using log source template.

Supported Devices/Sources

Important

For Palo Alto Networks logs, we recommend using the CEF (Common Event Format) instead of CSV. CEF provides more consistent field mapping, improved parsing reliability, and better overall performance within SIEM.

  • CEF logs of all versions of PAN-OS (Recommended for consistent normalization of PAN-OS logs)

  • Palo Alto Next-Generation Firewalls

  • Palo Alto Networks Panorama

Palo Alto Network Firewall Components

  1. Dashboard Packages

    • LP_PaloAlto: User Activities

    • LP_PaloAlto: File Activities

    • LP_PaloAlto: Firewall

    • LP_PaloAlto: Config Overview

    • LP_PaloAlto: General

    • LP_PaloAlto: Content Overview

    • LP_PaloAlto: Threats

    • LP_PaloAlto: Traffic

    • LP_PaloAlto: System Overview

  2. Report Packages

    • LP_PaloAlto: Firewall

    • LP_PaloAlto: Config Overview

    • LP_PaloAlto: General

    • LP_PaloAlto: Content Overview

    • LP_PaloAlto: Threats

    • LP_PaloAlto: Traffic

    • LP_PaloAlto: System Overview

  3. Label Package

    • LP_PaloAltoNetworkFirewall

  4. Compiled Normalizers

    • PaloAltoCEFCompiledNormalizer

    • PaloAltoNetworkFirewallCompiledNormalizer

  5. Normalization Packages

    • LP_PaloAlto Cortex Data Lake

    • LP_Palo Alto Global Protect

  6. Alert Packages

    • LP_PaloAlto Potential Risk Activity

    • LP_PaloAlto HTTP Request Block

    • LP_PaloAlto Bypass Content Filter

    • LP_PaloAlto Brute Force Attempts

    • LP_PaloAlto Session Drop

    • LP_PaloAlto Illegal Content Download

    • LP_PaloAlto Cortex Risk Events Unrestricted

    • LP_PaloAlto Multiple Failed Login

    • LP_PaloAlto Cortex Risk Events Terminated

    • LP_PaloAlto Brute Force on Block Override

    • LP_PaloAlto Potential C2 Connection

    • LP_PaloAlto Log Deletion

    • LP_PaloAlto Flooding Packet Drop

    • LP_PaloAlto Risk Events Allowed

    • LP_PaloAlto DNS SinkHole Activate

Helpful?

We are glad this guide helped.


Please don't include any personal information in your comment

Contact Support