
Palo Alto PAN-OS

Log collector

You must have the Firewall integrations license pack to use this feature.

You can integrate Palo Alto PAN-OS network security products with Sophos Central so that they send data to Sophos for analysis.

This integration uses a log collector hosted on a virtual machine (VM). Together they're called an appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.

Note

You can add multiple Palo Alto PAN-OS firewalls to the same appliance.

To do this, set up your Palo Alto PAN-OS integration in Sophos Central, then configure one firewall to send logs to it. Then configure each of your other Palo Alto firewalls to send logs to the same Sophos appliance.

You don't have to repeat the Sophos Central part of the setup.

The key steps are as follows:

  • Configure an integration for this product. This configures an image to use on a VM.
  • Download and deploy the image on your VM. This becomes your appliance.
  • Configure PAN-OS to send data to the appliance.

Requirements

Appliances have system and network access requirements. To check that you meet them, see Appliance requirements.

Configure an integration

To configure the integration, do as follows:

  1. Sign in to Sophos Central.
  2. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  3. Click Palo Alto PAN-OS.

    The Palo Alto PAN-OS page opens. You can configure integrations here and see a list of any you've already configured.

  4. In Data Ingest (Security Alerts), click Add Configuration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration setup steps appears.

Configure the VM

In Integration setup steps you configure your VM as an appliance to receive data from your PAN-OS firewall. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Enter an integration name and description.
  2. Enter a name and description for the appliance.

    If you've already set up a Sophos appliance, you can choose it from a list.

  3. Select the virtual platform. Currently we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.

  4. Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the VM.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address on your DHCP server so that the appliance's management address doesn't change.

    • Select Manual to specify network settings.

  5. Select the Syslog IP version and enter the Syslog IP address.

    You'll need this syslog IP address later, when you configure PAN-OS to send data to your appliance.

  6. Select a Protocol. Currently, we only support UDP.

    When you configure PAN-OS to send data to your appliance, you must set the same protocol.

    UDP syslog is sent in clear text and delivery isn't acknowledged, so keep the path between the firewall and the appliance on a trusted internal network and don't route it over the Internet.

  7. Click Save.

    We create the integration and it appears in your list.

    In the integration details, you can see the port number for the appliance. You'll need this later when you configure PAN-OS to send data to it.

    It might take a few minutes for the VM image to be ready.

Deploy the VM

Restriction

If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.

Use the VM image to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
  2. When the image download finishes, deploy it on your VM. See Deploy a VM for integrations.

Configure PAN-OS

Now you configure PAN-OS to send data to the Sophos appliance on the VM.

Note

The following information is based on PAN-OS 9.1. The steps for other versions are similar, and we link to the equivalent guides wherever they're available.

There are general configuration guides by Palo Alto. See Configure Log Forwarding.

The key steps in configuring PAN-OS are as follows:

  • Configure a syslog server profile that points at the Sophos appliance.
  • Configure the syslog message format (CEF) for each log type.
  • Configure log forwarding and assign it to a security policy rule.
  • Commit the changes.

Note

Traffic, Threat and WildFire Submission logs, which are equivalent to alerts, are sent to the Sophos appliance in CEF format.

Configure a syslog server profile

To configure a profile, which defines where alerts are sent, do as follows:

  1. Select Device > Server Profiles > Syslog.
  2. Click Add and enter a Name for the profile, for example "Sophos appliance".
  3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
  4. In Syslog Server Profile, click Add.
  5. Enter a Name for the server profile.
  6. In Servers, enter the following information about your Sophos appliance:

    • NAME: A unique name for this server, for example Sophos appliance.
    • SYSLOG SERVER: The IP address of your appliance. This must be the same as the syslog IP address you entered in Sophos Central.
    • TRANSPORT: Select the same transport protocol you set in Sophos Central.
    • PORT: The port number you set in Sophos Central.
    • FORMAT: Select BSD (equivalent to RFC3164).
    • FACILITY: Select a syslog standard value to calculate the priority (PRI) of the syslog message. We don't use this value so we recommend choosing the default LOG_USER.

Don't click OK yet. Continue to the next section.

This video takes you through configuring a syslog server profile.

Configure the syslog message format

Warning

The following steps provide an example for formatting alerts as CEF in Palo Alto PAN-OS version 9.1. The templates provided below may not be suitable for other versions. For CEF alert templates for specific versions of PAN-OS, see Palo Alto Common Event Format Configuration Guides.

To configure the message format do as follows:

  1. Select the Custom Log Format tab.
  2. Select Traffic and paste the following into the Traffic Log Format text box, then click OK:

    CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category externalId=$seqno reason=$session_end_reason PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name cat=$action_source PanOSActionFlags=$actionflags PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSSCTPAssocID=$assoc_id PanOSSCTPChunks=$chunks PanOSSCTPChunkSent=$chunks_sent PanOSSCTPChunksRcv=$chunks_received PanOSRuleUUID=$rule_uuid PanOSHTTP2Con=$http2_connection PanLinkChange=$link_change_count PanPolicyID=$policy_id PanLinkDetail=$link_switches PanSDWANCluster=$sdwan_cluster PanSDWANDevice=$sdwan_device_type PanSDWANClustype=$sdwan_cluster_type PanSDWANSite=$sdwan_site PanDynamicUsrgrp=$dynusergroup_name
    
  3. Select Threat, paste the following into the Threat Log Format text box, and click OK:

    CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$threatid|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid fileId=$pcap_id PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver PanOSAssocID=$assoc_id PanOSPPID=$ppid PanOSHTTPHeader=$http_headers PanOSURLCatList=$url_category_list PanOSRuleUUID=$rule_uuid PanOSHTTP2Con=$http2_connection PanDynamicUsrgrp=$dynusergroup_name
    
  4. Select Wildfire, paste the following into its log format text box, and click OK:

    CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid filePath=$cloud fileId=$pcap_id fileHash=$filedigest fileType=$filetype suid=$sender msg=$subject duid=$recipient oldFileId=$reportid PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver PanOSAssocID=$assoc_id PanOSPPID=$ppid PanOSHTTPHeader=$http_headers PanOSRuleUUID=$rule_uuid
    
  5. Click OK to save the Syslog Server Profile.

This video takes you through configuring the syslog message format.
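Before you commit, it's worth checking what the firewall actually puts on the wire against the settings in the two sections above: BSD (RFC 3164) framing with the LOG_USER facility from the server profile, and the CEF header and extension produced by the custom formats. The Python below is an added example, not code from the Sophos or Palo Alto documentation. It parses captured syslog lines, splits the CEF header, handles extension values that contain spaces or escaped characters, resolves the csN/cnN/flexStringN/flexNumberN label pairs the templates use, and counts records per log type so you can confirm Traffic, Threat and WildFire logs are all arriving. The sample messages are constructed; the hostname PA-VM, serial, rule and zone names are assumptions, and each extension is trimmed to a subset of the template's fields.

```python
"""Parse and sanity-check the syslog/CEF messages a PAN-OS firewall emits when
its syslog server profile uses Format=BSD and Facility=LOG_USER with the
Traffic, Threat and WildFire custom log formats shown above.
Added example, not code from the Sophos or Palo Alto documentation; the sample
messages are constructed and every field value in them is illustrative."""
import re

# RFC 3164 framing: <PRI>Mmm dd hh:mm:ss hostname message, PRI = facility*8 + severity
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<cef>CEF:.*)$"
)
# An extension key is [A-Za-z0-9_]+ followed by '=' and preceded by start-of-string
# or whitespace, so the space inside a value like 'Virtual System' is not a key.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")
HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
LOG_USER = 1  # syslog facility code behind the LOG_USER choice in the server profile


def parse_syslog(line):
    """Split BSD syslog framing from the CEF payload; raise on non-CEF lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line carrying CEF: %r" % line[:40])
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8,
            "host": m.group("host"), "cef": m.group("cef")}


def parse_cef(cef):
    """Return (header dict, extension dict) for one CEF:0 record."""
    # Seven header fields separated by unescaped '|'; a literal pipe arrives as '\|'.
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header: %r" % cef[:40])
    header = {k: v.replace(r"\|", "|").replace("\\\\", "\\")
              for k, v in zip(HEADER_KEYS, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    # Extension values may contain spaces (rt=Mar 04 2024 12:00:01), so a value runs
    # from its '=' to the next key; an '=' inside a value arrives escaped as '\='.
    ext, fields = parts[7], {}
    keys = list(KEY_RE.finditer(ext))
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[k.end():end].strip()
        fields[k.group(1)] = raw.replace(r"\=", "=").replace("\\\\", "\\")
    return header, fields


def resolve_labels(fields):
    """Map csN/cnN/flexStringN/flexNumberN values to their *Label names,
    e.g. cs1Label=Rule cs1=allow-web becomes {'Rule': 'allow-web'}."""
    return {label: fields[key[:-5]] for key, label in fields.items()
            if key.endswith("Label") and key[:-5] in fields}


def summarize(lines):
    """Count records per PAN-OS log type (CEF name field) and report problems."""
    counts, problems = {}, []
    for line in lines:
        try:
            frame = parse_syslog(line)
            header, _ = parse_cef(frame["cef"])
        except ValueError as exc:  # default (non-CEF) format, truncated line, etc.
            problems.append(str(exc))
            continue
        if frame["facility"] != LOG_USER:
            problems.append("%s: facility %d is not LOG_USER" % (frame["host"], frame["facility"]))
        counts[header["name"]] = counts.get(header["name"], 0) + 1
    return counts, problems


# Constructed samples in template field order, trimmed to a subset of each template.
SAMPLES = [
    "<14>Mar  4 12:00:01 PA-VM CEF:0|Palo Alto Networks|PAN-OS|9.1.0|end|TRAFFIC|1|"
    "rt=Mar 04 2024 12:00:01 deviceExternalId=000000000001 src=10.1.1.20 dst=203.0.113.5 "
    "cs1Label=Rule cs1=allow-web suser=jdoe duser= app=web-browsing cs3Label=Virtual System "
    "cs3=vsys1 cs4Label=Source Zone cs4=trust cs5Label=Destination Zone cs5=untrust "
    "cs6Label=LogProfile cs6=Sophos appliance cn1Label=SessionID cn1=12345 spt=51522 dpt=443 "
    "proto=tcp act=allow flexNumber1Label=Total bytes flexNumber1=5120 in=1024 out=4096 "
    "cn3Label=Elapsed time in seconds cn3=3 externalId=6100 reason=tcp-fin dvchost=PA-VM",
    "<12>Mar  4 12:00:05 PA-VM CEF:0|Palo Alto Networks|PAN-OS|9.1.0|Test Threat(30003)|THREAT|3|"
    "rt=Mar 04 2024 12:00:05 deviceExternalId=000000000001 src=10.1.1.20 dst=203.0.113.9 "
    "cs1Label=Rule cs1=allow-web app=web-browsing cn1Label=SessionID cn1=12346 act=alert "
    "request=example.test/index.html?id\\=7 flexString2Label=Direction "
    "flexString2=client-to-server externalId=6101 cat=Test Threat(30003) dvchost=PA-VM",
    "<13>Mar  4 12:01:10 PA-VM CEF:0|Palo Alto Networks|PAN-OS|9.1.0|wildfire|WILDFIRE|2|"
    "rt=Mar 04 2024 12:01:10 deviceExternalId=000000000001 src=10.1.1.21 dst=203.0.113.7 "
    "cs1Label=Rule cs1=allow-web act=allow request=invoice.pdf cat=malicious fileType=pdf "
    "externalId=6105 dvchost=PA-VM",
    # Default (non-CEF) format: what arrives if the custom log format was not applied.
    "<14>Mar  4 12:01:30 PA-VM 1,2024/03/04 12:01:30,000000000001,TRAFFIC,end,2305,...",
]

if __name__ == "__main__":
    counts, problems = summarize(SAMPLES)
    print("records per log type:", counts, "\nproblems:", problems)
    print(resolve_labels(parse_cef(parse_syslog(SAMPLES[0])["cef"])[1]))
```

To use it against real traffic, capture a few seconds of UDP on the port shown in the integration details (for example with tcpdump on a host that can see the firewall-to-appliance path) and feed the decoded lines to summarize(). A missing log type in the counts usually means the Log Forwarding profile match list or the security rule assignment in the next sections is incomplete; a "not a BSD syslog line carrying CEF" problem means the custom format wasn't saved for that log type.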

Configure Log Forwarding

You configure log forwarding in two steps:

  • Configure the firewall to forward logs.
  • Trigger log generation and forwarding.

Configure the firewall to forward logs

To configure the firewall to forward logs, do as follows:

  1. Select Objects > Log Forwarding and click Add.
  2. In Log Forwarding Profile, enter a unique name, for example Sophos appliance.
  3. Click Add.
  4. In Log Forwarding Profile Match List, enter a Name and select the Log Type you're forwarding. The default is Traffic.
  5. Under SYSLOG, click Add and select the server profile to send the log to. This is the name of the profile you added in Configure a syslog server profile.
  6. Click OK.
  7. Repeat these steps for each log type, severity level, and WildFire verdict you want to add. We recommend you add the following.

    • Traffic (default)
    • Threat
    • Wildfire

  8. Click OK.

This video takes you through configuring the firewall to forward logs.

Configure log generation and forwarding

Next you assign the log forwarding profile to a security policy rule to trigger log generation and forwarding. The firewall only forwards logs for sessions that match a rule with the profile attached, so assign it to every rule whose traffic you want Sophos to see.

To do this, do as follows:

  1. Select Policies > Security and select the policy you want to use.
  2. In Security Policy Rule, select Actions.
  3. In Profile Setting, for Profile Type, select Profiles.
  4. Below Profile Type, choose the security profiles you want to monitor.
  5. In Log Setting, you can select Log at Session Start and Log At Session End. Your choice depends on your environment and the logs and alerts you want to forward to Sophos. Log at Session End is the usual choice; Log at Session Start adds a second traffic log for every session and increases the volume sent to the appliance.
  6. In Log Forwarding, select the profile you created. See Configure Log Forwarding.
  7. Click OK.

This video takes you through configuring log generation and forwarding.

Commit Changes

When configuration is complete, click Commit. Your PAN-OS alerts should appear in the Sophos Data Lake after validation.

More information

For more information on configuring Palo Alto PAN-OS, see the following: