Palo Alto Panorama (syslog)
Configure Palo Alto Networks custom log formats for syslog log forwarding to Radiant Security.
In this guide, you will set up Panorama to forward Palo Alto Firewall events to Radiant Security through TLS Syslog.
Prerequisites
Add the data connector in Radiant Security
Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors and click + Add Connector.
Search for and select the Palo Alto Networks Firewall option and then click Data Feeds.
Under Select your data feeds, select the Palo Alto 9.1 Firewall data feed and then click Credentials.
Under Credential Name, give the credential an identifiable name (e.g. PAN Credentials). If you already have a credential in place, select it from the drop-down menu. Click Credentials.
In the Connector tag field, enter a random value. This value will act as the salt to randomize the unique Token you’ll download in the next step.
Click Add Connector.
Save the Token value or use the Download Files option to save it as an SSL certificate or token file. This token will be used in the next section.
Click Done to save your changes.
Upload the certificate to Panorama
Log in to your Panorama and navigate to Panorama > Certificate Management > Certificates.
Click Import.
Under Import Certificate, fill in the following details:
Certificate Name: Radiant Security Syslog CA
Certificate File: Upload the certificate file that you created and saved in the previous section.
File Format: Base64 Encoded Certificate (PEM)
Click OK to save the CA certificate.
Configure the syslog server
Navigate to Panorama > Server Profiles > Syslog and click Add.
Under Syslog Server Profile, for Name enter Radiant Security and fill in the following details:
Syslog Server: cluster.syslog.radiantsecurity.ai
Transport: SSL
Port: 6514
Format: BSD
Facility: LOG_USER
Then, click the Custom Log Format tab.
In the Log Type column, click the name of each Log Type and paste the corresponding log format for that log type into the Config Log Format text box. The log formats can be found in the Custom Log file that you created during the data connector setup.
Click OK to save the configuration.
Repeat steps 2-5 for all 14 Log Types.
Once all 14 log types have been updated, click OK on the syslog configuration screen.
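To check the profile settings above (Format: BSD, Facility: LOG_USER) against lines captured at a test listener, the following added example, which is not part of the vendor documentation, decodes the PRI header and flags lines that are not BSD-formatted or not in the user facility. The sample lines and the function names decode_bsd and check_line are constructed for illustration.

```python
import re

# RFC 3164 (BSD) layout: <PRI>Mmm dd hh:mm:ss HOST MSG
BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r" [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
FACILITY_USER = 1  # LOG_USER, the Facility chosen in the Syslog Server Profile


def decode_bsd(line):
    """Return facility, severity, timestamp, host and message, or None if not BSD."""
    m = BSD_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # highest valid PRI is facility 23 * 8 + severity 7
        return None
    return {"facility": pri >> 3, "severity": pri & 7,
            "timestamp": m["ts"], "host": m["host"], "message": m["msg"]}


def check_line(line):
    """Compare one received line with the Format and Facility set in the profile."""
    rec = decode_bsd(line)
    if rec is None:
        return "not BSD format"
    if rec["facility"] != FACILITY_USER:
        return "facility %d, expected %d" % (rec["facility"], FACILITY_USER)
    return "ok"


# Constructed sample lines (not real Panorama output).
SAMPLES = [
    "<14>Jan  5 10:15:02 panorama-01 TRAFFIC src=192.0.2.10 action=allow",
    "<134>Jan  5 10:15:03 panorama-01 TRAFFIC src=192.0.2.11 action=deny",
    "<14>1 2024-01-05T10:15:04Z panorama-01 - - - SYSTEM commit done",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_line(sample), "|", sample)
```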
Configure Panorama log settings
Navigate to Panorama > Log Settings.
In each box for System, Configuration, User-ID, HIP Match, GlobalProtect, and IP-Tag complete the following:
Click Add
Under Log Settings, fill in the following details:
Name: Radiant Security
Filter: All Logs
Under Syslog, click Add and select the Syslog Server Profile (RadiantSecurity) that you created in the previous steps.
Click OK to save and repeat for each Log Type.
Navigate to Objects > Log Forwarding.
Click Add.
Under Log Settings, fill in the following details:
Name: Radiant Security
Add a Match List
Under Match List, select the following Log Type: auth, data, threat, traffic, tunnel, URL, and WildFire
Under Syslog, click Add and select the Syslog Server Profile (RadiantSecurity) that you created in the previous section.
Configure log collectors log settings
If your environment uses log collectors, follow these steps to configure them to forward syslog to Radiant Security.
Navigate to Panorama > Collector Groups.
Click Collector Log Forwarding.
In each box for System, Configuration, User-ID, HIP Match, GlobalProtect, and IP-Tag complete the following:
Click Add.
Under Log Settings, fill in the following details:
Name: Radiant Security
Filter: All Logs
Under Syslog, click Add and select the Syslog Server Profile (RadiantSecurity) that you created in the previous steps.
Click OK to save and repeat step 3 for each log type: System, Configuration, User-ID, HIP Match, GlobalProtect, and IP-Tag.
Commit changes
Lastly, remember to commit the changes by clicking the Commit button in the upper-right corner.
Once the Commit Status progress is completed, the configured syslog formats will be used to send logs to Radiant Security.