AlienVault® USM Anywhere™

Palo Alto Networks PAN-OS

When you configure Palo Alto Networks PAN-OS to send log data to USM Anywhere, you can use the Palo Alto PAN-OS plugin to translate the raw log data into normalized events for analysis.

Device Details

Vendor: Palo Alto Networks
Device Type: Firewall
Connection Type: Syslog

Integrating Palo Alto Networks PAN-OS

Before you configure the Palo Alto Networks PAN-OS integration, you must have the IP address of the USM Anywhere Sensor.

To configure Palo Alto Networks PAN-OS to send log data to USM Anywhere

  1. Add a syslog server profile. See the PAN-OS Administrator's Guide on Configure Syslog Monitoring for instructions.

    • For Syslog Server, enter the IP address of the USM Anywhere Sensor.
    • Select the Transport protocol you want to use. USM Anywhere supports UDP, TCP, and TLS.
    • The Port number depends on the transport protocol you choose. Use 514 for UDP, 601 for TCP, or 6514 for TLS.
  2. Configure syslog forwarding on PAN-OS. See the PAN-OS Administrator's Guide on Configure Log Forwarding for instructions.

Note: The syslog messages from Palo Alto Networks PAN-OS do not include the time zone setting on the device, so the plugin assumes all times are in Coordinated Universal Time (UTC), which is used by most devices. If your Palo Alto Networks device is using a time zone other than UTC, the time information in the events will appear wrong. To correct this, configure your Palo Alto Networks device to use UTC instead. See PAN-OS Web Interface Reference on Device Management for instructions.

Plugin Enablement

The Palo Alto PAN-OS plugin automatically processes all messages when the raw message contains one of the following fields:

TRAFFIC,(start|end|drop|deny)|
THREAT,(data|file|packet|wildfire|wildfire-virus|vulnerability|virus|scan|spyware|flood|url)|
SYSTEM,(crypto|dhcp|dnsproxy|dos|general|globalprotect|ha|hw|nat|ntpd|pbf|port|pppoe|ras|routing|satd|sslmgr|sslvpn|userid|url-filtering|vpn)|
HIP-MATCH|
CONFIG

For assistance with PAN-OS syslog integration, please consult the vendor documentation.
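To check forwarded logs before relying on them for detection, the following added example (not part of the product or the original documentation) tests sample messages against the enablement pattern above and computes the timestamp error described in the time zone note. It assumes the pattern is applied as an unanchored, case-sensitive regular-expression search and that the second comma-separated field is the device's receive time; the function names and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Enablement pattern from this page, joined into one expression.
PLUGIN_PATTERN = re.compile(
    r"TRAFFIC,(start|end|drop|deny)|"
    r"THREAT,(data|file|packet|wildfire|wildfire-virus|vulnerability|virus|scan|"
    r"spyware|flood|url)|"
    r"SYSTEM,(crypto|dhcp|dnsproxy|dos|general|globalprotect|ha|hw|nat|ntpd|pbf|"
    r"port|pppoe|ras|routing|satd|sslmgr|sslvpn|userid|url-filtering|vpn)|"
    r"HIP-MATCH|"
    r"CONFIG"
)

def plugin_would_process(raw):
    """True if the raw message contains one of the listed type,subtype markers."""
    return PLUGIN_PATTERN.search(raw) is not None

def utc_skew(receive_time, device_utc_offset_hours):
    """Return (time read as UTC, true UTC time, error) for a device-local timestamp."""
    naive = datetime.strptime(receive_time, "%Y/%m/%d %H:%M:%S")
    assumed = naive.replace(tzinfo=timezone.utc)          # how the plugin reads it
    device_tz = timezone(timedelta(hours=device_utc_offset_hours))
    actual = naive.replace(tzinfo=device_tz).astimezone(timezone.utc)
    return assumed, actual, assumed - actual

# Constructed sample messages (not captured from a real firewall).
SAMPLES = [
    "<14>Mar  4 09:15:02 fw01 1,2024/03/04 09:15:02,000000000001,TRAFFIC,end,...",
    "<12>Mar  4 09:15:07 fw01 1,2024/03/04 09:15:07,000000000001,THREAT,wildfire-virus,...",
    "<14>Mar  4 09:15:09 fw01 1,2024/03/04 09:15:09,000000000001,SYSTEM,auth,...",
    "<14>Mar  4 09:15:11 fw01 1,2024/03/04 09:15:11,000000000001,USERID,login,...",
]

def report(lines, device_utc_offset_hours=0):
    """For each line: (matches enablement pattern, timestamp error under UTC assumption)."""
    rows = []
    for raw in lines:
        receive_time = raw.split(",")[1]
        _, _, err = utc_skew(receive_time, device_utc_offset_hours)
        rows.append((plugin_would_process(raw), err))
    return rows

if __name__ == "__main__":
    for matched, err in report(SAMPLES, device_utc_offset_hours=-5):
        print("processed" if matched else "NOT matched", "| timestamp error:", err)
```

With a device set to UTC-5, every event is placed five hours earlier than it occurred, which is enough to break time-window correlation against other log sources.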

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome
  • audit_reason
  • base_event_count
  • bytes_in
  • bytes_out
  • customfield_0
  • customfield_1
  • customfield_2
  • customfield_3
  • customfield_4
  • customfield_5
  • customfield_6
  • destination_address
  • destination_nat_address
  • destination_port
  • destination_username
  • destination_zone
  • device_direction
  • email_recipient
  • email_sender
  • email_subject
  • event_category
  • event_description
  • event_name
  • event_severity
  • event_subcategory
  • file_hash
  • file_name
  • file_type
  • rep_device_inbound_interface
  • rep_device_outbound_interface
  • rep_device_rule_id
  • request_content_type
  • request_url
  • request_user_agent
  • session
  • source_address
  • source_nat_address
  • source_port
  • source_process_commandline
  • source_username
  • source_zone

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring.html