# Palo Alto Panorama (syslog)

In this guide, you will set up Panorama to forward Palo Alto Firewall events to Radiant Security through TLS Syslog.

### Prerequisites

* [ ] Palo Alto Firewalls *must* be forwarding events to Panorama
* [ ] Panorama: `Administrator`
* [ ] Custom log formats provided from Radiant Security

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select the **Palo Alto Networks Firewall** option and then click **Data Feeds**.
4. Under **Select your data feeds**, select the **Palo Alto 9.1 Firewall** data feed and then click **Credentials**.
5. Under **Credential Name**, give the credential an identifiable name (e.g. `PAN Credentials`). If you already have a credential in place, select it from the drop-down menu. Click **Credentials**.
6. In the **Connector tag** field, enter a random value. This value will act as the salt to randomize the unique **Token** you’ll download in the next step.
7. Click **Add Connector**.
8. Save the **Token** value or use the **Download** **Files** option to save it as a SSL certificate or token file. This token will be used in the next section.
9. Click **Done** to save your changes.

### Upload the certificate to Panorama

1. Login to your Panorama and navigate to **Panorama** > **Certificate Management** > **Certificates**
2. Click **Import**
3. Under **Import** **Certificate**, fill in the following details:
   * **Certificate Name**: `Radiant Security Syslog CA`
   * **Certificate File**: Upload the certificate file that you created and saved in the previous section
   * **File Format**: Base64 Encoded Certificate (PEM)
4. Click **OK** to save the CA certificate.

### Configure the syslog server

1. Navigate to **Panorama** > **Server Profiles** > **Syslog** and click **Add.**
2. Under **Syslog Server Profile**, for **Name** enter `Radiant Security` and fill in the following details:
   * **Syslog Server**: `cluster.syslog.radiantsecurity.ai`
   * **Transport**: SSL
   * **Port**: `6514`
   * **Format**: BSD
   * **Facility**: `LOG_USER`
3. Then, click the **Custom Log Format** tab.
4. In the **Log Type** column, for each **Log Type** click on the name and paste the corresponding log format for that log type on the **Config** **Log** **Format** text box. The log formats can be found **Custom Log** file that you created during the data connector setup.
5. Click **OK** to save the configuration.
6. Repeat **steps 2-5** for *all* 14 **Log Types**.
7. Once all 14 log types have been updated, click **OK** on the syslog configuration screen.

### Configure Panorama log settings

1. Navigate to **Panorama** > **Log Settings**.
2. In each box for **System**, **Configuration**, **User-ID**, **HIP Match**, **GlobalProtect**, and **IP-Tag** complete the following:
   * Click **Add**
   * Under **Log** **Settings**, fill in the following details:
     * **Name**: Radiant Security
     * **Filter**: All Logs
     * Under **Syslog**, Click **Add** and select the **Syslog Server Profile** (**RadiantSecurity**) that you created from the previous steps
   * Click **OK** to save and repeat for each **Log Type.**
   * Navigate to **Objects** > **Log Forwarding**.
   * Click **Add**.
   * Under **Log** **Settings**, fill in the following details:
     * **Name**: Radiant Security
     * Add a **Match List**
     * Under **Match List,** select the following **Log Type**: **auth**, **data**, **threat**, **traffic**, **tunnel**, **URL**, and **WildFire**
     * Under **Syslog**, Click **Add** and select the **Syslog Server Profile** (**RadiantSecurity**) that you created in the previous section

### Configure log collectors log settings

In case your environment uses log collectors, follow the steps to configure them to forward syslog to Radiant Security.

1. Navigate to **Panorama** > **Collector Groups**.
2. Click **Collector Log Forwarding.**
3. In each box for **System**, **Configuration**, **User-ID**, **HIP Match**, **GlobalProtect**, and **IP-Tag** complete the following:
   * Click **Add**.
   * Under **Log** **Settings**, fill in the following details:
     * **Name**: `Radiant Security`
     * **Filter**: `All Logs`
     * Under **Syslog**, Click **Add** and select the **Syslog Server Profile** (**RadiantSecurity**) that you created from the previous steps
4. Click **OK** to save and repeat for each **Log Type. C**lick **OK** to save and repeat **step 3** for each log type: **System**, **Configuration**, **User-ID**, **HIP** **Match**, **GlobalProtect**, and **IP-Tag**.

### Commit changes

1. Lastly, remember to commit the changes by clicking the **Commit** button in the upper right hand corner.
2. Once the **Commit Status** progress is completed, the configured syslog formats will be used to send logs to Radiant Security.