AlienVault® USM Anywhere™

Palo Alto Networks PAN-OS

When you configure Palo Alto Networks PAN-OS to send log data to USM Anywhere, you can use the Palo Alto Networks PAN-OS plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Palo Alto Networks
Device Type Firewall
Connection Type Syslog

Integrating Palo Alto Networks PAN-OS

Before you configure the Palo Alto Networks PAN-OS integration, you must have the IP Address of the USM Anywhere Sensor.

To configure Palo Alto Networks PAN-OS to send log data to USM Anywhere

  1. Add a syslog server profile. See the PAN-OS Administrator's Guide on Configure Syslog Monitoring for instructions.

    • For Syslog Server, enter the IP address of the USM Anywhere Sensor.
    • Select the Transport protocol you want to use. USM Anywhere supports UDP, TCP, and TLS.
    • The Port number depends on the transport protocol you choose. Use 514 for UDP, 601 for TCP, or 6514 for TLS.
  2. Configure syslog forwarding on PAN-OS. See the PAN-OS Administrator's Guide on Configure Log Forwarding for instructions.

Plugin Enablement

The Palo Alto Networks Pan-OS plugin will automatically process all messages when the raw message contains the following fields








For assistance on Pan-OS syslog integration, please consult vendor documentation.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome
  • audit_reason
  • base_event_count
  • bytes_in
  • bytes_out
  • customfield_0
  • customfield_1
  • customfield_2
  • customfield_3
  • customfield_4
  • customfield_5
  • customfield_6
  • destination_address
  • destination_nat_address
  • destination_port
  • destination_username
  • destination_zone
  • device_direction
  • email_recipient
  • email_sender
  • email_subject
  • event_category
  • event_description
  • event_name
  • event_severity
  • event_subcategory
  • file_hash
  • file_name
  • file_type
  • rep_device_inbound_interface
  • rep_device_outbound_interface
  • rep_device_rule_id
  • request_content_type
  • request_url
  • request_user_agent
  • session
  • source_address
  • source_nat_address
  • source_port
  • source_process_commandline
  • source_username
  • source_zone


For troubleshooting, refer to the vendor documentation: