# Palo Alto Networks Firewall

In this guide, you will create custom log formats for Palo Alto’s syslog log configuration. This is required in order to send Palo Alto logs to Radiant Security without the use of an intermediary syslog relay server. These custom log formats will be provided by Radiant Security and are specific to your configuration.

{% hint style="warning" %}
If you will be forwarding Palo Alto Networks logs to Radiant using a **Radiant Agent**, please refer to [this other article](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/palo-alto-networks-firewall-via-radiant-agent) instead.
{% endhint %}

### Prerequisites

* [ ] Palo Alto: `Administrator`

### Add the data connector in Radiant Security

First, you’ll add the Palo Alto Networks Firewall data connector in Radiant Security to create a certificate that you’ll use to create the syslog server in Palo Alto.

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/)
2. From the navigation menu, click **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select the **Palo Alto Networks Firewall** option and then click **Data Feeds.**
4. Under **Select your data feeds**, select the **Palo Alto Firewall 9.1** data feed and then click **Credentials.**
5. Under **Credential Name,** give the credential an identifiable name (e.g. `PAN Credentials`). If you already have a credential in place, select it from the drop-down menu.
6. Enter a value for **Connector tag** (optional).
7. Click **Add Connector.**
8. Download the **SSL Certificate** and **Custom Log** files, as they will be used in upcoming sections.
9. Click **Done** to save your changes.

### Upload the certificate

1. Log in to your Palo Alto firewall.
2. On the top navigation bar, click **Device.**

<figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FOaJ1UirR7BDkECa1eqdl%2FPalo_Alto_Networks_Syslog_05.webp?alt=media&#x26;token=c821f57b-9336-4b8c-a348-50c3ddd0c85f" alt=""><figcaption></figcaption></figure>

3. On the left navigation list, expand **Certificate Management** and click **Certificates.**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FBHAmPEUtv1IGwoP5SjkJ%2FPalo_Alto_Networks_Syslog_06.webp?alt=media&#x26;token=47b0361f-3b81-4317-a79c-afc9a4ffb71b" alt=""><figcaption></figcaption></figure></div>

4. At the bottom of the right pane, click **Import**.

<figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FDRNTJOBxsLllbTdJKmF0%2FPalo_Alto_Networks_Syslog_07.webp?alt=media&#x26;token=469a51bd-9055-4285-8631-0f7915263f3e" alt=""><figcaption></figcaption></figure>

5. Under **Import** **Certificate**, fill in the following details:
   * **Certificate Name**: `Radiant Security Syslog CA`
   * **Certificate File**: Upload the certificate file that you created and saved in the previous section
   * **File Format**: Base64 Encoded Certificate (PEM)

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FaPrFJgCjrRLqXWJ6mLXY%2FPalo_Alto_Networks_Syslog_08.webp?alt=media&#x26;token=fae4e14f-9ebb-4b17-902d-cd1e3d50b6e4" alt=""><figcaption></figcaption></figure></div>

6. Click **OK** to save the CA certificate.

### Configure the syslog server

1. On the left navigation list, expand **Server Profiles** and click **Syslog.**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FR6Rzbori1qbjrL7LkEJr%2FPalo_Alto_Networks_Syslog_09.webp?alt=media&#x26;token=2c1ae41a-2ef1-41d5-a157-4ccf6ffb5d9e" alt="" width="187"><figcaption></figcaption></figure></div>

2. At the bottom of the right pane, click **Add.**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FFKoq07XUiNtc14QC2wla%2FPalo_Alto_Networks_Syslog_10.webp?alt=media&#x26;token=f95bb8d0-964d-450a-9c3a-6b88001654e0" alt=""><figcaption></figcaption></figure></div>

3. Under **Syslog** **Server** **Profile**, fill in the following details:

   * Name: `RadiantSecurity`

   Click **Add** to add a server and populate with the following values:

   * **Name**: `Primary`
   * **Syslog Server**: `cluster.syslog.radiantsecurity.ai`
   * **Transport**: `SSL`
   * **Port**: `6514`

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fwx8iobB6h0snAcqcFRd7%2FPalo_Alto_Networks_Syslog_11.webp?alt=media&#x26;token=ff80ecf4-da56-44e3-af37-15eb7bd4ae36" alt="" width="328"><figcaption></figcaption></figure></div>

4. Then, click the **Custom Log Format** tab.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fq2mJPp6x4LLMLAL2hZsH%2FPalo_Alto_Networks_Syslog_12.webp?alt=media&#x26;token=c5faf117-56a8-4d75-a05e-9d51b510a2fc" alt="" width="375"><figcaption></figcaption></figure></div>

5. In the **Log Type** column, click the name of each **Log Type** and paste the corresponding log format for that log type into the **Config Log Format** text box. The log formats can be found in the **Custom Log** file that you created during the data connector setup.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F1RnwYQ8RoT5ZvUyxvt4f%2FPalo_Alto_Networks_Syslog_13.webp?alt=media&#x26;token=913423c9-287f-43e1-b3d1-9f615c8c0b0d" alt="" width="375"><figcaption></figcaption></figure></div>

6. Click **OK** to save the configuration.
7. Repeat **steps 2-6** for all 14 **Log Types**.
8. Once all 14 Log Types have been updated, click **OK** on the syslog configuration screen.

### Configure log settings

1. On the left navigation list, under **Certificate** **Management**, click **Log Settings.**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FSxsljsSvJ9nyJrrdvre7%2FPalo_Alto_Networks_Syslog_14.webp?alt=media&#x26;token=e9c3b1a4-5d0a-4120-af1b-ba1e9e27690a" alt=""><figcaption></figcaption></figure></div>

2. In each box for **System**, **Configuration**, **User-ID**, **HIP Match**, **GlobalProtect**, and **IP-Tag** complete the following:
   * Click **Add**.
   * Under **Log** **Settings - System**, fill in the following details:
     * **Name**: Radiant Security
     * **Filter**: All Logs
     * Under **Syslog**, Click **Add** and select the **Syslog Server Profile** (**RadiantSecurity**) that you created in the previous section
   * Click **OK** to save and repeat **step 2** for each firewall log: **System**, **Configuration**, **User-ID**, **HIP** **Match**, **GlobalProtect**, and **IP-Tag**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fmx6msL8WM9WjKr8Zo1Qf%2FPalo_Alto_Networks_Syslog_15.webp?alt=media&#x26;token=238bc4f1-959c-4833-bd9d-6fac4ecc2df2" alt=""><figcaption></figcaption></figure></div>

### Configure syslog log forwarding

{% hint style="info" %}
**Note**: If log forwarding is already configured on your firewall, add the newly created Radiant Security syslog server to the existing log forwarding profile *without removing any current settings*. This ensures that syslog messages are sent to both destinations simultaneously.
{% endhint %}

1. On the top navigation bar, click **Objects**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F6RD6uuRspd1bWpmfqBNW%2FPalo_Alto_Networks_Syslog_16.webp?alt=media&#x26;token=5ae76a9e-b948-4275-9a0d-cb88ae34dc03" alt=""><figcaption></figcaption></figure></div>

2. On the left navigation list, under **Security Profiles**, click **Log Forwarding.**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FxYZygg6l32aNEI9AfZ2x%2FPalo_Alto_Networks_Syslog_17.webp?alt=media&#x26;token=00aaf879-c69c-42d4-b39d-2bd56c4bdc92" alt=""><figcaption></figcaption></figure></div>

3. At the bottom of the right pane, click **Add.** If log forwarding is already configured on your firewall, instead of adding a new profile, **Edit** the current one.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FM9k0AtOEvyZm4whBC1Ab%2FPalo_Alto_Networks_Syslog_18.webp?alt=media&#x26;token=1a99f09f-4b58-4866-92be-7574044e3790" alt=""><figcaption></figcaption></figure></div>

4. Under **Log** **Forwarding** **Profile**, fill in the following details:
   * **Name**: Radiant Security Log Profile

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FWplqgvn25BqQJC6UsxY4%2FPalo_Alto_Networks_Syslog_19.webp?alt=media&#x26;token=165c3ff3-dad4-472a-9821-8dc26d3efd3a" alt="" width="375"><figcaption></figcaption></figure></div>

5. Then click **Add** to add a log forwarding profile match. In the **Log Forwarding Profile Match List** pane, for each **Log Type** fill in the following details.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F93uc4X9ErAoUr0Wn1EiK%2FPalo_Alto_Networks_Syslog_20.webp?alt=media&#x26;token=b30d0a8f-1ee7-46ea-9b2f-9c87214718cf" alt="" width="375"><figcaption></figcaption></figure></div>

* Note that if the existing log forwarding profile doesn't have all the **Log** **Types** selected then follow the steps below to add them to the profile.
  * **Name**: Use the same name as the **Log Type**
  * **Panorama**: Enable this option if you use Panorama for log forwarding
  * Under **Syslog**, click **Add** and select the syslog profile (**RadiantSecurity**) that you created in the previous section
  * Click **OK** to save the configuration

6. Once all Log Types are added, click **OK** to save on the **Log Forwarding Profile** pane.
7. Now to assign the **Log** **Forwarding** **profile** to policy rules, navigate to **Policies** > **Security**. Complete the following steps for each rule that you want to trigger log forwarding to Radiant Security:
   * Edit the rule.
   * Select **Actions** and select the **Radiant Security Log Forwarding** profile.
   * For **Traffic Logs**, select **Log at Session End**.
   * For **Threat Logs**, select the security profile required to trigger log generation.
8. Remember to commit the changes by clicking the **Commit** button in the upper-right corner.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F6jDmytFOU5K7zduNgppN%2FPalo_Alto_Networks_Syslog_21.webp?alt=media&#x26;token=be239ebd-eb13-4e00-b32e-e3fd89474530" alt=""><figcaption></figcaption></figure></div>

9. Once the **Commit Status** progress is completed, the configured syslog formats will be used to send logs to Radiant Security.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FzKWmteFRxUKSS0f57lJo%2FPalo_Alto_Networks_Syslog_22.webp?alt=media&#x26;token=e3eefec7-430c-4d35-a0fb-fa9b9a9312a4" alt="" width="375"><figcaption></figcaption></figure></div>
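To confirm the committed settings, the following added example (not part of Radiant Security's or Palo Alto Networks' documentation) audits an exported firewall configuration for the values this guide sets: the `RadiantSecurity` syslog profile pointing at `cluster.syslog.radiantsecurity.ai` over `SSL` on port `6514`, and every log forwarding match entry sending to that profile. The XML element layout and the sample document are assumptions constructed for illustration; adjust the paths to match your own export.

```python
import xml.etree.ElementTree as ET

# Values taken from this guide.
PROFILE = "RadiantSecurity"
EXPECTED = {"server": "cluster.syslog.radiantsecurity.ai", "transport": "SSL", "port": "6514"}

# Constructed sample; the element layout is an assumption modelled on a config export.
# It deliberately contains a plaintext transport and a match entry that skips Radiant.
SAMPLE = """<config><shared><log-settings>
 <syslog><entry name="RadiantSecurity"><server><entry name="Primary">
   <server>cluster.syslog.radiantsecurity.ai</server><transport>UDP</transport><port>514</port>
 </entry></server></entry></syslog>
 <profiles><entry name="Radiant Security Log Profile"><match-list>
   <entry name="traffic"><log-type>traffic</log-type>
     <send-syslog><member>RadiantSecurity</member></send-syslog></entry>
   <entry name="threat"><log-type>threat</log-type>
     <send-syslog><member>legacy-siem</member></send-syslog></entry>
 </match-list></entry></profiles>
</log-settings></shared></config>"""

def audit(xml_text, profile=PROFILE):
    """Return a list of findings; an empty list means the export matches the guide."""
    root = ET.fromstring(xml_text)
    prof = root.find(f".//log-settings/syslog/entry[@name='{profile}']")
    if prof is None:
        return [f"syslog server profile {profile!r} not found"]
    findings = []
    servers = prof.findall("./server/entry")
    if not servers:
        findings.append(f"profile {profile!r} has no server entry")
    for srv in servers:
        # Each server must use the hostname, TLS transport and port from the guide.
        for field, want in EXPECTED.items():
            got = (srv.findtext(field) or "").strip()
            if got != want:
                findings.append(f"server {srv.get('name')}: {field} is {got!r}, expected {want!r}")
    # Every match-list entry must forward to the profile; other destinations may remain.
    for match in root.findall(".//log-settings/profiles/entry/match-list/entry"):
        members = [m.text for m in match.findall("./send-syslog/member")]
        if profile not in members:
            findings.append(f"match {match.get('name')!r} does not forward to {profile}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FINDING:", line)
```
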


