AlienVault® USM Appliance™

Palo Alto Networks PAN-OS

When you configure Palo Alto Networks PAN-OS to send log data to USM Appliance, you can use the Palo Alto Networks PAN-OS plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor: Palo Alto Networks
Device Type: Firewall
Connection Type: Syslog
Data Source Name: paloalto
Data Source ID: 1615

Integrating Palo Alto Networks PAN-OS

Before you configure the Palo Alto Networks PAN-OS integration, you must have the IP address of the USM Appliance Sensor.

To configure Palo Alto Networks PAN-OS to send log data to USM Appliance

  1. Create a syslog server profile on the firewall:

    1. Go to Device > Server Profiles > Syslog.

    2. In the Profile Name field, enter a name for the profile (for example, USM Appliance).

      Click Add, then enter a name for the syslog server (USM Appliance Sensor), as well as other details:

      • Name of the syslog server: Typically, the name of the USM Appliance Sensor
      • Syslog server: IP address of the USM Appliance Sensor
      • Transport: UDP, TCP, or SSL
      • Port: 514 for UDP or TCP
      • Format: BSD (default) or IETF

        Note: Some users have reported Palo Alto IETF syslog messages arriving with incomplete fields. If the event descriptions from this plugin aren't being parsed correctly, try changing the format to BSD.

      • Facility: Select the value that maps to how the USM Appliance Sensor uses the facility field to manage messages.

        For details on the facility field, see RFC 3164 (BSD format).

    3. Click OK.

      To make integration with external log parsing systems easier, the firewall allows you to customize the log format. It also allows you to add custom Key: Value attribute pairs.

      Note: To configure custom formats, go to Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format.

  2. Create a log forwarding profile:

    1. Go to Objects > Log Forwarding > Add.

    2. Complete the required details:

      • Name: Type a profile name. This name appears in the list of log forwarding profiles when defining security policies.

      • Syslog: Select the syslog server profile to specify additional destinations to which the traffic log entries should be sent.

    3. Click OK.

    Your log forwarding profile should now be created.

  3. Use the log forwarding profile in your security policy.

    1. Go to Policies > Security.

    2. Select the rule for which log forwarding should be applied.

    3. Select the Actions tab, then select your log forwarding profile from the Log Forwarding list, on the right side of the page.

    4. Verify that Log at Session End is selected.

    5. Click OK.

      After clicking OK, notice the forwarding icon in the Options column of your security rule.

    6. Click Commit.
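
To confirm on the receiving side that messages arrive in the Format and Facility selected in the syslog server profile, the following added example (not part of the AlienVault or Palo Alto Networks documentation) classifies raw syslog lines as BSD (RFC 3164) or IETF (RFC 5424) and decodes the facility from the PRI value. The sample lines, the host name PA-FW01, and the function names are constructed for illustration.

```python
import re

# Facility codes 0-23 in the order defined by RFC 3164 / RFC 5424.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD (RFC 3164): <PRI>Mmm dd hh:mm:ss HOST MSG
BSD_RE = re.compile(r"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (\S+) (.*)$")
# IETF (RFC 5424): <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
IETF_RE = re.compile(r"^<(\d{1,3})>1 \S+ (\S+) \S+ \S+ \S+ (?:-|(?:\[.*?\])+) ?(.*)$")

# Constructed sample lines (placeholder payloads, not captured PAN-OS logs).
SAMPLES = [
    "<14>Jan  5 10:15:02 PA-FW01 1,2024/01/05 10:15:02,000000000000,TRAFFIC,end",
    "<134>1 2024-01-05T10:15:02+00:00 PA-FW01 - - - - 1,2024/01/05 10:15:02,000000000000,TRAFFIC,end",
    "PA-FW01 1,2024/01/05 10:15:02",   # no PRI header at all
]

def classify(line):
    """Return format, facility, severity, host and payload for one syslog line."""
    for fmt, rx in (("IETF", IETF_RE), ("BSD", BSD_RE)):
        m = rx.match(line)
        if m and int(m.group(1)) <= 191:        # highest valid PRI is 23*8+7
            pri = int(m.group(1))
            return {"format": fmt, "facility": FACILITIES[pri >> 3],
                    "severity": SEVERITIES[pri & 7], "host": m.group(2),
                    "payload": m.group(3)}
    return {"format": "unknown"}

def check(lines, want_format, want_facility):
    """Return the lines that do not match the profile's Format and Facility."""
    bad = []
    for line in lines:
        c = classify(line)
        if c.get("format") != want_format or c.get("facility") != want_facility:
            bad.append(line)
    return bad

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line))
```

Feed `check()` the raw lines received from the firewall together with the Format and Facility set in the profile; any line it returns was sent with different settings or did not arrive as a well-formed syslog message.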

Plugin Enablement

For plugin enablement information, see Enable Plugins.


For troubleshooting, refer to the vendor documentation: