# Palo Alto Networks Firewall via Radiant Agent

In this guide, you will configure Palo Alto Networks Firewall to forward logs to your Radiant Agent via syslog using Radiant's custom log template.

### Prerequisites

* [ ] Palo Alto: `Administrator`

### Add the data connector in Radiant Security

First, you’ll add the Palo Alto Networks Firewall data connector in Radiant Security to create a certificate that you’ll use to create the syslog server in Palo Alto.

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/)
2. From the navigation menu, click **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select the **Radiant Agent** option and then click **Data Feeds.**
4. Under **Select your data feeds**, select the **Palo Alto Firewall 9.1** data feed and then click **Credentials.**
5. Under **Credential Name,** give the credential an identifiable name (e.g. `Radiant Agent Integration`). If you already have a Radiant Agent in place, select it from the drop-down menu.
6. Click **Add Connector.**

### Configure the syslog server

1. On the left navigation list, expand **Server Profiles** and click **Syslog.**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FR6Rzbori1qbjrL7LkEJr%2FPalo_Alto_Networks_Syslog_09.webp?alt=media&#x26;token=2c1ae41a-2ef1-41d5-a157-4ccf6ffb5d9e" alt="" width="187"><figcaption></figcaption></figure></div>

2. At the bottom of the right pane, click **Add.**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FFKoq07XUiNtc14QC2wla%2FPalo_Alto_Networks_Syslog_10.webp?alt=media&#x26;token=f95bb8d0-964d-450a-9c3a-6b88001654e0" alt=""><figcaption></figcaption></figure></div>

3. Under **Syslog Server Profile**, fill in the following details:

   * Name: `RadiantSecurity`

   Click **Add** to add a server and choose the configuration according to your setup:

   * **Name**: `RadiantSecurity Agent`
   * **Syslog Server**: `<Radiant Security Agent local IP address>`
   * **Transport**: `TCP`
   * **Port**: `<Port Configured to Receive PAN Firewall Data>` (ask your Customer Success rep. if unsure)

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fwx8iobB6h0snAcqcFRd7%2FPalo_Alto_Networks_Syslog_11.webp?alt=media&#x26;token=ff80ecf4-da56-44e3-af37-15eb7bd4ae36" alt="" width="328"><figcaption></figcaption></figure></div>

4. Then, click the **Custom Log Format** tab.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fq2mJPp6x4LLMLAL2hZsH%2FPalo_Alto_Networks_Syslog_12.webp?alt=media&#x26;token=c5faf117-56a8-4d75-a05e-9d51b510a2fc" alt="" width="375"><figcaption></figcaption></figure></div>

5. In the **Log Type** column, click the name of each **Log Type** and paste the corresponding log format for that log type into the **Config Log Format** text box. The log formats can be found in [this file for download](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FfNLNrMXXx8yUsLd0qCOi%2FRadiant%20Security%20PAN%20Custom%20Templates.zip?alt=media\&token=9d76878a-32ab-43ed-b084-15206ffb810a).

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F1RnwYQ8RoT5ZvUyxvt4f%2FPalo_Alto_Networks_Syslog_13.webp?alt=media&#x26;token=913423c9-287f-43e1-b3d1-9f615c8c0b0d" alt="" width="375"><figcaption></figcaption></figure></div>

6. Click **OK** to save the configuration.
7. Repeat **steps 2-6** for all 14 **Log Types**.
8. Once all 14 Log Types have been updated, click **OK** on the syslog configuration screen.

### Configure log settings

1. On the left navigation list, under **Certificate** **Management**, click **Log Settings.**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FSxsljsSvJ9nyJrrdvre7%2FPalo_Alto_Networks_Syslog_14.webp?alt=media&#x26;token=e9c3b1a4-5d0a-4120-af1b-ba1e9e27690a" alt=""><figcaption></figcaption></figure></div>

2. In each box for **System**, **Configuration**, **User-ID**, **HIP Match**, **GlobalProtect**, and **IP-Tag** complete the following:
   * Click **Add**.
   * Under **Log** **Settings - System**, fill in the following details:
     * **Name**: Radiant Security
     * **Filter**: All Logs
     * Under **Syslog**, click **Add** and select the **Syslog Server Profile** (**RadiantSecurity**) that you created in the previous section
   * Click **OK** to save and repeat **step 2** for each firewall log: **System**, **Configuration**, **User-ID**, **HIP** **Match**, **GlobalProtect**, and **IP-Tag**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fmx6msL8WM9WjKr8Zo1Qf%2FPalo_Alto_Networks_Syslog_15.webp?alt=media&#x26;token=238bc4f1-959c-4833-bd9d-6fac4ecc2df2" alt=""><figcaption></figcaption></figure></div>

### Configure syslog log forwarding

{% hint style="info" %}
**Note**: If log forwarding is already configured on your firewall, add the newly created Radiant Security syslog server to the existing log forwarding profile *without removing any current settings*. This ensures that syslog messages are sent to both destinations simultaneously.
{% endhint %}

1. On the top navigation bar, click **Objects**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F6RD6uuRspd1bWpmfqBNW%2FPalo_Alto_Networks_Syslog_16.webp?alt=media&#x26;token=5ae76a9e-b948-4275-9a0d-cb88ae34dc03" alt=""><figcaption></figcaption></figure></div>

2. On the left navigation list, under **Security Profiles**, click **Log Forwarding.**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FxYZygg6l32aNEI9AfZ2x%2FPalo_Alto_Networks_Syslog_17.webp?alt=media&#x26;token=00aaf879-c69c-42d4-b39d-2bd56c4bdc92" alt=""><figcaption></figcaption></figure></div>

3. At the bottom of the right pane, click **Add.** If log forwarding is already configured on your firewall, instead of adding a new profile, **Edit** the current one.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FM9k0AtOEvyZm4whBC1Ab%2FPalo_Alto_Networks_Syslog_18.webp?alt=media&#x26;token=1a99f09f-4b58-4866-92be-7574044e3790" alt=""><figcaption></figcaption></figure></div>

4. Under **Log** **Forwarding** **Profile**, fill in the following details:
   * **Name**: Radiant Security Log Profile

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FWplqgvn25BqQJC6UsxY4%2FPalo_Alto_Networks_Syslog_19.webp?alt=media&#x26;token=165c3ff3-dad4-472a-9821-8dc26d3efd3a" alt="" width="375"><figcaption></figcaption></figure></div>

5. Then click **Add** to add a log forwarding profile match. In the **Log Forwarding Profile Match List** pane, for each **Log Type** fill in the following details.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F93uc4X9ErAoUr0Wn1EiK%2FPalo_Alto_Networks_Syslog_20.webp?alt=media&#x26;token=b30d0a8f-1ee7-46ea-9b2f-9c87214718cf" alt="" width="375"><figcaption></figcaption></figure></div>

* Note that if the existing log forwarding profile doesn't have all the **Log** **Types** selected then follow the steps below to add them to the profile.
  * **Name**: Use the same name as the **Log Type**
  * **Panorama**: Enable this option if you use Panorama for log forwarding
  * Under **Syslog**, click **Add** and select the syslog profile (**RadiantSecurity**) that you created in the previous section
  * Click **OK** to save the configuration

6. Once all Log Types are added, click **OK** to save on the **Log Forwarding Profile** pane.
7. To assign the **Log Forwarding** profile to policy rules, navigate to **Policies** > **Security**. Complete the following steps for each rule that you want to trigger log forwarding to Radiant Security:
   * Edit the rule.
   * Select **Actions** and select the **Radiant Security Log Forwarding** profile.
   * For **Traffic Logs**, select **Log at Session End**.
   * For **Threat Logs**, select the security profile required to trigger log generation.
8. Commit the changes by clicking the **Commit** button in the upper-right corner.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F6jDmytFOU5K7zduNgppN%2FPalo_Alto_Networks_Syslog_21.webp?alt=media&#x26;token=be239ebd-eb13-4e00-b32e-e3fd89474530" alt=""><figcaption></figcaption></figure></div>

9. Once the **Commit Status** progress is completed, the configured syslog formats will be used to send logs to Radiant Security.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FzKWmteFRxUKSS0f57lJo%2FPalo_Alto_Networks_Syslog_22.webp?alt=media&#x26;token=e3eefec7-430c-4d35-a0fb-fa9b9a9312a4" alt="" width="375"><figcaption></figcaption></figure></div>
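
As a check on step 7, the following added example (not part of Radiant Security's or Palo Alto Networks' own material) scans an exported firewall configuration for enabled security rules that lack the log forwarding profile or have Log at Session End turned off. The XML element names, the sample rules, and the treatment of a missing `log-end` as enabled are assumptions; compare them against your own export before relying on the result.

```python
import xml.etree.ElementTree as ET

PROFILE = "Radiant Security Log Profile"  # profile name from step 4 of this guide

# Constructed sample shaped like a firewall running-config export.
# Element names (rulebase/security/rules, log-setting, log-end) are assumed.
SAMPLE = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
 <rulebase><security><rules>
  <entry name="allow-web">
   <action>allow</action>
   <log-setting>Radiant Security Log Profile</log-setting>
   <log-end>yes</log-end>
  </entry>
  <entry name="allow-dns"><action>allow</action><log-end>yes</log-end></entry>
  <entry name="legacy-siem">
   <action>allow</action><log-setting>Old SIEM</log-setting><log-end>no</log-end>
  </entry>
  <entry name="old-test"><disabled>yes</disabled><action>allow</action></entry>
 </rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

def audit_rules(xml_text, profile=PROFILE):
    """Return {rule name: [problems]} for enabled rules that will not forward."""
    findings = {}
    root = ET.fromstring(xml_text)
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        if rule.findtext("disabled", "no").strip() == "yes":
            continue  # a disabled rule matches no traffic, so it logs nothing
        problems = []
        setting = (rule.findtext("log-setting") or "").strip()
        if not setting:
            problems.append("no log forwarding profile")
        elif setting != profile:
            # An existing profile is fine only if RadiantSecurity was added to it.
            problems.append(f"uses profile {setting!r}")
        # Assumption: an absent <log-end> element means the default (enabled).
        if rule.findtext("log-end", "yes").strip() != "yes":
            problems.append("Log at Session End is off")
        if problems:
            findings[rule.get("name")] = problems
    return findings

if __name__ == "__main__":
    for name, problems in audit_rules(SAMPLE).items():
        print(f"{name}: {'; '.join(problems)}")
```

If you added the RadiantSecurity syslog server to an existing log forwarding profile instead of creating a new one, pass that profile's name as `profile`.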

