
Palo Alto PAN-OS

Log collector

Sends alerts from Palo Alto PAN-OS network security products to the Sophos Data Lake.

This integration uses a log collector on a virtual machine (VM). The log collector receives third-party data and sends it to the Sophos Data Lake.

Note

A VM can host integrations for multiple products, but can't host more than one integration of the same product.

The key steps are as follows:

  • Add an integration for this product. This configures an Open Virtual Appliance (OVA) file.
  • Deploy the OVA file on your ESXi server. This becomes your log collector.
  • Configure PAN-OS to send data to the log collector.

Add an integration

To add the integration, do as follows:

  1. Sign in to Sophos Central.
  2. Go to Threat Analysis Center > Integrations.
  3. Click Palo Alto PAN-OS.

    If you've already set up connections to Panorama, you see them here.

  4. In Integrations, click Add integration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration steps appears.

Configure the VM

In Integration steps you configure your VM to receive data from Panorama. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Enter an integration name and description.
  2. Enter Virtual appliance name and Virtual appliance description.
  3. Select the virtual platform. (Currently we only support VMware.)
  4. Specify the internet-facing network ports.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

    You'll need the VM's address later, when you configure PAN-OS to send data to it.

  5. Select a Protocol.

  6. Complete any remaining fields on the form.
  7. Click Save.

    We create the integration and it appears in your list. It might take a few minutes for the OVA file to be ready.

Deploy the VM

Restriction

The OVA file is verified with Sophos Central, so it can only be used once. After it's been deployed, it can't be used again.

If you have to deploy a new VM, you must do all these steps again to link this integration to Sophos Central.

Use the OVA file to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click Download OVA.
  2. When the OVA file download finishes, deploy it on your ESXi server. An assistant guides you through the steps. See Deploy a VM for integrations.

When you've deployed the VM, the integration shows as Connected.

Configure PAN-OS

Now you configure PAN-OS to send data to the Sophos log collector on the VM.

Note

The following information is based on PAN-OS 9.1. Guides for other versions are similar, but we provide equivalent links wherever available.

There are general configuration guides by Palo Alto. See Configure Log Forwarding.

The key steps in configuring PAN-OS are as follows:

Note

Traffic, Threat and WildFire Submission logs, which are equivalent to alerts, are sent to the Sophos log collector in CEF format.

Configure a syslog server profile

To configure a profile, which defines where alerts are sent, do as follows:

  1. Select Device > Server Profiles > Syslog.
  2. Click Add and enter a Name for the profile, for example "Sophos log collector".
  3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
  4. Click Add and enter the required information about the Sophos log collector:
    • Name: Unique name for the server profile, e.g. "Sophos log collector".
    • Syslog Server: Private IP address of the log collector.
    • Transport: Select UDP, TCP or SSL (equivalent to TLS) to match the log collector protocol.
    • Port: The port number that the VM is listening on for Palo Alto alerts.
    • Format: Select BSD (equivalent to RFC3164) or IETF (equivalent to RFC5424).
    • Facility: Select a syslog standard value to calculate the priority (PRI) of the syslog message. This value is not used by Sophos and can be set to any suitable value, including the default LOG_USER.

Don't click OK yet. Continue to the next section.
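The Transport, Format and Facility settings above decide how each alert is wrapped before it reaches the log collector. The following Python is an added example, not part of this documentation or of PAN-OS: it computes the syslog PRI value from a facility and severity (which is all the Facility setting changes), shows the BSD (RFC 3164) and IETF (RFC 5424) envelopes side by side, and includes a small sender for UDP, TCP or SSL so you can confirm the collector's port is reachable. The host name, port and CEF payload are constructed placeholders.

```python
"""Syslog envelope helpers for checking a PAN-OS syslog server profile.

Added example, not part of the Sophos documentation or PAN-OS. Host names,
ports and the CEF payload used below are constructed placeholders.
"""
import socket
import ssl
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424 section 6.2.1; LOG_USER is 1.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{n}": 16 + n for n in range(8)},
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Fixed timestamp so the demo output is reproducible (constructed).
DEMO_TIME = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def pri(facility, severity):
    """PRI = facility * 8 + severity; it is the number inside the leading <...>."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(message):
    """Return (facility_name, severity_name) from the <PRI> prefix of a raw line."""
    if not message.startswith("<") or ">" not in message:
        raise ValueError("missing PRI")
    value = int(message[1:message.index(">")])
    fac = {v: k for k, v in FACILITIES.items()}[value // 8]
    sev = {v: k for k, v in SEVERITIES.items()}[value % 8]
    return fac, sev


def frame_bsd(payload, hostname, facility="user", severity="notice", when=None):
    """BSD / RFC 3164 style: <PRI>Mmm dd hh:mm:ss HOSTNAME payload (day is space-padded)."""
    when = when or datetime.now(timezone.utc)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {payload}"


def frame_ietf(payload, hostname, app="PAN-OS", facility="user", severity="notice", when=None):
    """IETF / RFC 5424 style: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%Y-%m-%dT%H:%M:%SZ")  # 'when' is UTC, so 'Z' is accurate
    return f"<{pri(facility, severity)}>1 {stamp} {hostname} {app} - - - {payload}"


def send_syslog(host, port, message, transport="udp", cafile=None):
    """Deliver one framed message over UDP, TCP or SSL (TLS).

    Stream transports get a trailing newline (RFC 6587 non-transparent framing).
    cafile lets you trust the collector's certificate for the SSL transport.
    """
    data = (message + "\n").encode()
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
        return
    with socket.create_connection((host, port), timeout=5) as s:
        if transport == "ssl":
            ctx = ssl.create_default_context(cafile=cafile)
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                tls.sendall(data)
        else:
            s.sendall(data)


if __name__ == "__main__":
    # Constructed CEF payload; the real one comes from the template in the next section.
    cef = "CEF:0|Palo Alto Networks|PAN-OS|9.1.0|30000|THREAT|5|src=10.1.2.3 dst=203.0.113.10"
    print(frame_bsd(cef, "fw-edge-01", when=DEMO_TIME))
    print(frame_ietf(cef, "fw-edge-01", when=DEMO_TIME))
    # To exercise the collector's listener (placeholder address):
    # send_syslog("192.0.2.10", 514, frame_ietf(cef, "fw-edge-01"), transport="tcp")
```

The default LOG_USER facility with severity notice gives PRI 13, which is why most test messages start with <13>; since Sophos ignores the facility, the only thing that matters is that the transport, port and format match what the VM was configured to listen for.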

More resources

This video takes you through the steps given in this section.

Configure the syslog message format

Warning

The following steps provide an example for formatting alerts as CEF in Palo Alto PAN-OS version 9.1. The templates provided below may not be suitable for other versions. For CEF alert templates for specific versions of PAN-OS, see Palo Alto Common Event Format Configuration Guides.

To configure the message format, do as follows:

  1. Select the Custom Log Format tab.
  2. Select Threat, paste the following into the Threat Log Format text box, and click OK:

    CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$threatid|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid fileId=$pcap_id PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver PanOSAssocID=$assoc_id PanOSPPID=$ppid PanOSHTTPHeader=$http_headers PanOSURLCatList=$url_category_list PanOSRuleUUID=$rule_uuid PanOSHTTP2Con=$http2_connection PanDynamicUsrgrp=$dynusergroup_name
    
  3. Select WildFire, paste the following into the Threat Log Format text box, and click OK:

    CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid filePath=$cloud fileId=$pcap_id fileHash=$filedigest fileType=$filetype suid=$sender msg=$subject duid=$recipient oldFileId=$reportid PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver PanOSAssocID=$assoc_id PanOSPPID=$ppid PanOSHTTPHeader=$http_headers PanOSRuleUUID=$rule_uuid
    
  4. Click OK to save the server profile.
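The templates above produce one CEF line per alert, and several of their extension values legitimately contain spaces ("Virtual System", "Source Zone", "URL Category", the profile name in cs6), so splitting the extension on whitespace silently corrupts fields. The following Python parser is an added example, not part of this documentation or of PAN-OS: it splits the seven pipe-delimited header fields while honouring the CEF escapes for | and \, walks the extension by locating key= tokens rather than spaces, unescapes \= inside values, and resolves the csNLabel/csN pairs into readable names. The sample message is constructed by substituting made-up values into the Threat template.

```python
"""Parse and sanity-check a CEF line in the shape produced by the Threat template.

Added example, not part of the Sophos documentation or PAN-OS. SAMPLE_THREAT is
constructed: the $variables of the template were replaced with made-up values.
"""
import re

SAMPLE_THREAT = (
    "CEF:0|Palo Alto Networks|PAN-OS|9.1.0|30000|THREAT|5|"
    "rt=Jan 01 2024 12:00:00 GMT deviceExternalId=001234567890 "
    "src=10.1.2.3 dst=203.0.113.10 sourceTranslatedAddress=198.51.100.5 "
    "destinationTranslatedAddress=203.0.113.10 cs1Label=Rule cs1=allow-web "
    "suser=alice duser= app=web-browsing cs3Label=Virtual System cs3=vsys1 "
    "cs4Label=Source Zone cs4=trust cs5Label=Destination Zone cs5=untrust "
    "deviceInboundInterface=ethernet1/2 deviceOutboundInterface=ethernet1/1 "
    "cs6Label=LogProfile cs6=Sophos log collector cn1Label=SessionID cn1=4711 "
    "cnt=1 spt=51515 dpt=80 proto=tcp act=alert request=/index.html?x\\=1 "
    "cs2Label=URL Category cs2=computer-and-internet-info "
    "flexString2Label=Direction flexString2=client-to-server "
    "externalId=123456 cat=30000 dvchost=fw-edge-01 PanOSThreatCategory=code-execution"
)

_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
_LABELED = re.compile(r"^(cs\d|cn\d|flexString\d)Label$")


def _split_header(line):
    """Return the 7 header fields and the raw extension text.

    A backslash escapes the next character, so '\\|' is a literal pipe inside a
    field (for example in a threat name) and '\\\\' a literal backslash.
    """
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    return fields, line[i:]


def _unescape(value):
    # CEF extension escapes: \= \\ \n \r
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(text):
    """Parse 'key=value key2=value with spaces' into a dict.

    A value runs until the next token that looks like a key (whitespace, key, '=').
    CEF requires a literal '=' inside a value to be written '\\=', which is what
    keeps 'Virtual System' or 'Sophos log collector' intact.
    """
    matches = list(_KEY_RE.finditer(text))
    ext = {}
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(text)
        ext[m.group(1)] = _unescape(text[start:end].strip())
    return ext


def parse_cef(line):
    """Return (header_dict, extension_dict) for one CEF line."""
    fields, ext_text = _split_header(line)
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = {
        "version": fields[0][4:],
        "device_vendor": fields[1],
        "device_product": fields[2],
        "device_version": fields[3],
        "signature_id": fields[4],
        "name": fields[5],
        "severity": fields[6],
    }
    return header, _parse_extension(ext_text)


def resolve_labels(ext):
    """Map csNLabel/csN (and cnN, flexStringN) pairs into {label: value}."""
    out = {}
    for key, label in ext.items():
        m = _LABELED.match(key)
        if m and m.group(1) in ext:
            out[label] = ext[m.group(1)]
    return out


# Keys a detection pipeline normally needs populated to correlate an alert.
REQUIRED = ("src", "dst", "act", "externalId", "dvchost")


def check_threat_alert(line):
    """Return (header, ext, labeled, missing); 'missing' lists empty REQUIRED keys."""
    header, ext = parse_cef(line)
    labeled = resolve_labels(ext)
    missing = [k for k in REQUIRED if not ext.get(k)]
    return header, ext, labeled, missing


if __name__ == "__main__":
    header, ext, labeled, missing = check_threat_alert(SAMPLE_THREAT)
    print(header["name"], header["severity"], labeled, "missing:", missing)
```

Run it against a line captured on the log collector (for example from a packet capture on the configured port) to confirm the firewall is really emitting the template you pasted: a mismatched header field count or an unexpected key name usually means the template was pasted into the wrong log type's text box or truncated.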

More resources

This video takes you through the steps in this section.

Configure Log Forwarding

You configure log forwarding in two steps:

  • Configure the firewall to forward logs.
  • Trigger log generation and forwarding.

Configure the firewall to forward logs

To configure the firewall to forward logs, do as follows:

  1. Select Objects > Log Forwarding and click Add.
  2. Enter a name to identify the profile, for example "Sophos log collector".
  3. For each log type and each severity level or WildFire verdict, select the syslog server profile created previously, and click OK.

More resources

This video takes you through the steps in this section.

For more information, see Create a Log Forwarding Profile.

Configure log generation and forwarding

To trigger log generation and forwarding, assign the log forwarding profile to a security policy as follows:

  1. Select Policies > Security and select a policy rule.
  2. Select the Actions tab and select the Log Forwarding profile created previously.
  3. In Profile Type, select Profiles or Groups, and then select the security profiles or group profiles required to trigger log generation and forwarding.
  4. For Traffic logs, select one or both of Log at Session Start and Log at Session End, and click OK.

More resources

This video takes you through the steps in this section.

For more information, see Assign the Log Forwarding profile to policy rules and network zones.

Commit Changes

When configuration is complete, click Commit. Your PAN-OS alerts should appear in the Sophos Data Lake after validation.

More information

For more information on configuring Palo Alto Panorama, see the following: