Palo Alto Networks Firewall via Radiant Agent

Configure Palo Alto Networks Firewall for syslog log forwarding to Radiant Security via Radiant Agent

In this guide, you will configure Palo Alto Networks Firewall to forward logs to your Radiant Agent via syslog using Radiant's custom log template.

Prerequisites

Add the data connector in Radiant Security

First, you’ll add the Palo Alto Networks Firewall data connector in Radiant Security to create a certificate that you’ll use to create the syslog server in Palo Alto.

  1. From the navigation menu, click Settings > Data Connectors and click + Add Connector.

  2. Search for and select the Radiant Agent option and then click Data Feeds.

  3. Under Select your data feeds, select the Palo Alto Firewall 9.1 data feed and then click Credentials.

  4. Under Credential Name, give the credential an identifiable name (e.g. Radiant Agent Integration). If you already have a Radiant Agent in place, select it from the drop-down menu.

  5. Click Add Connector.

Configure the syslog server

  1. On the left navigation list, expand Server Profiles and click Syslog.

  2. At the bottom of the right pane, click Add.

  3. Under Syslog Server Profile, fill in the following details:

    • Name: RadiantSecurity

    Click Add to add a server, then choose the configuration according to your setup:

    • Name: RadiantSecurity Agent

    • Syslog Server: <Radiant Security Agent local IP address>

    • Transport: TCP

    • Port: <Port Configured to Receive PAN Firewall Data> (ask your Customer Success rep. if unsure)

  4. Then, click the Custom Log Format tab.

  5. In the Log Type column, for each Log Type, click the name and paste the corresponding log format for that log type into the Config Log Format text box. The log formats can be found in this file for download.

  6. Click OK to save the configuration.

  7. Repeat steps 2-6 for all 14 Log Types.

  8. Once all 14 Log Types have been updated, click OK on the syslog configuration screen.

Configure log settings

  1. On the left navigation list, under Certificate Management, click Log Settings.

  2. In each box for System, Configuration, User-ID, HIP Match, GlobalProtect, and IP-Tag, complete the following:

    • Click Add.

    • Under Log Settings - System, fill in the following details:

      • Name: Radiant Security

      • Filter: All Logs

      • Under Syslog, click Add and select the Syslog Server Profile (RadiantSecurity) that you created in the previous section

    • Click OK to save and repeat step 2 for each firewall log: System, Configuration, User-ID, HIP Match, GlobalProtect, and IP-Tag.

Configure syslog log forwarding

Note: If log forwarding is already configured on your firewall, add the newly created Radiant Security syslog server to the existing log forwarding profile without removing any current settings. This ensures that syslog messages are sent to both destinations simultaneously.

  1. On the top navigation bar, click Objects.

  2. On the left navigation list, under Security Profiles, click Log Forwarding.

  3. At the bottom of the right pane, click Add. If log forwarding is already configured on your firewall, instead of adding a new profile, Edit the current one.

  4. Under Log Forwarding Profile, fill in the following details:

    • Name: Radiant Security Log Profile

  5. Then click Add to add a log forwarding profile match. In the Log Forwarding Profile Match List pane, for each Log Type fill in the following details.

    • Note that if the existing log forwarding profile doesn't have all the Log Types selected, then follow the steps below to add them to the profile.

    • Name: Use the same name as the Log Type

    • Panorama: Enable this option if you use Panorama for log forwarding

    • Under Syslog, click Add and select the syslog profile (RadiantSecurity) that you created in the previous section

    • Click OK to save the configuration

  6. Once all Log Types are added, click OK to save on the Log Forwarding Profile pane.

  7. Now, to assign the Log Forwarding profile to policy rules, navigate to Policies > Security. Complete the following steps for each rule that you want to trigger log forwarding to Radiant Security:

    • Edit the rule.

    • Select Actions and select the Radiant Security Log Forwarding profile.

    • For Traffic Logs, select Log at Session End.

    • For Threat Logs, select the security profile required to trigger log generation.

  8. Remember to commit the changes by clicking the Commit button in the upper-right corner.

  9. Once the Commit Status progress is completed, the configured syslog formats will be used to send logs to Radiant Security.
