> For the complete documentation index, see [llms.txt](https://help.radiantsecurity.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://help.radiantsecurity.ai/radiant-connectors/network-security/palo-alto-networks/palo-alto-networks-panorama.md). # Palo Alto Networks Panorama Palo Alto Networks Panorama is a centralized management and log aggregation platform that consolidates logs from Palo Alto firewalls across an environment. Connecting Panorama forwards aggregated firewall traffic, threat, and system logs to Radiant Security over TLS syslog. Radiant uses the log data to triage firewall and threat alerts in context, giving analysts faster verdicts on whether observed traffic reflects a real compromise or routine network activity. {% hint style="info" %} To forward logs directly from Palo Alto firewalls without Panorama, refer to [Palo Alto Networks Firewall](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/palo-alto-networks-firewall). {% endhint %} ### Prerequisites * [ ] Admin access to Palo Alto Networks Panorama * [ ] Palo Alto firewalls already forwarding logs to Panorama * [ ] Network egress from Panorama to `cluster.syslog.radiantsecurity.ai` on TCP port `6514` ### Add the data connector in Radiant Security 1. Log in to [Radiant Security](https://app.radiantsecurity.ai/). 2. From the navigation menu, click **Settings** > **Data Connectors**, then click **+ Add Connector**. 3. Search for and select **Palo Alto Networks Firewall**, then click **Data Feeds**. 4. Under **Select your data feeds**, select **Palo Alto Firewall 9.1**, then click **Credentials**. 5. Under **Credential Name**, enter an identifiable name (e.g., `PAN Credentials`). To reuse an existing credential, select it from the drop-down menu. 6. In the **Connector tag** field, enter a random value. This value acts as the salt to randomize the **Token** you download in the next step. 7. Click **Add Connector**. 8. Save the **Token** value, or use **Download Files** to save the SSL certificate and token files. You use these in the next sections. 9. Click **Done** to save your changes. ### Upload the certificate to Panorama 1. Log in to Panorama and navigate to **Panorama** > **Certificate Management** > **Certificates**. 2. Click **Import**. 3. Under **Import Certificate**, configure: * **Certificate Name**: `Radiant Security Syslog CA` * **Certificate File**: the SSL certificate file you downloaded during the data connector setup * **File Format**: Base64 Encoded Certificate (PEM) 4. Click **OK** to save the CA certificate. ### Configure the syslog server 1. Navigate to **Panorama** > **Server Profiles** > **Syslog**, then click **Add**. 2. Under **Syslog Server Profile**, in **Name**, enter `Radiant Security`, then configure: * **Syslog Server**: `cluster.syslog.radiantsecurity.ai` * **Transport**: `SSL` * **Port**: `6514` * **Format**: `BSD` * **Facility**: `LOG_USER` 3. Click the **Custom Log Format** tab. 4. In the **Log Type** column, click each log type name and paste its matching log format into the **Config Log Format** text box, then click **OK**. The log formats are in the Custom Log file you downloaded during the data connector setup. 5. Repeat step 4 for all 14 log types, then click **OK** on the syslog configuration screen. ### Configure Panorama log settings 1. Navigate to **Panorama** > **Log Settings**. 2. For each of **System**, **Configuration**, **User-ID**, **HIP Match**, **GlobalProtect**, and **IP-Tag**, complete the following: * Click **Add**. * Under **Log Settings**, configure: * **Name**: `Radiant Security` * **Filter**: All Logs * Under **Syslog**, click **Add** and select the **Radiant Security** syslog server profile you created in the previous section. * Click **OK** to save. 3. Navigate to **Objects** > **Log Forwarding**, then click **Add**. 4. Under the log forwarding profile, in **Name**, enter `Radiant Security`, then add a match list. 5. Under **Match List**, select these log types: **auth**, **data**, **threat**, **traffic**, **tunnel**, **URL**, and **WildFire**. 6. Under **Syslog**, click **Add** and select the **Radiant Security** syslog server profile you created in the previous section. 7. Click **OK** to save. ### Configure log collectors log settings If your environment uses log collectors, configure them to forward syslog to Radiant Security. 1. Navigate to **Panorama** > **Collector Groups**. 2. Click **Collector Log Forwarding**. 3. For each of **System**, **Configuration**, **User-ID**, **HIP Match**, **GlobalProtect**, and **IP-Tag**, complete the following: * Click **Add**. * Under **Log Settings**, configure: * **Name**: `Radiant Security` * **Filter**: All Logs * Under **Syslog**, click **Add** and select the **Radiant Security** syslog server profile you created in the previous section. * Click **OK** to save. ### Commit changes 1. Click **Commit** in the upper-right corner to apply the changes. 2. When the **Commit Status** completes, Panorama begins forwarding logs to Radiant Security. ### Verify ingestion After Palo Alto Networks Panorama begins forwarding, confirm alerts and events are reaching Radiant. 1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs). 2. Filter by `rs_connectorType:"paloaltonw9_1"`. 3. Confirm recent alerts and events appear. {% hint style="info" %} Allow several minutes for alerts and events to be parsed, indexed, and available for search. {% endhint %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.radiantsecurity.ai/radiant-connectors/network-security/palo-alto-networks/palo-alto-networks-panorama.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.