
Palo Alto Networks PAN-OS 6.1 CEF Configuration Guide

  • Writer: Pavan Raja
  • Apr 9, 2025
  • 7 min read

Summary:

This document outlines the configuration process for Palo Alto Networks (PAN) firewalls to send Syslog events in Common Event Format (CEF) for use with HP ArcSight. PAN-OS version 4.0.0 or higher is supported, and the configuration requires setting the device IP address and the port number for sending logs to a remote syslog server. Here is how to configure it:

1. **Login to PAN-OS**: Access your PAN-OS interface by entering its management IP address into a web browser. Use the default credentials (username: admin, password: ).

2. **Navigate to System Settings**: In the main menu, click on "System" > "Settings". Here you will find the option for "Syslog Servers".

3. **Configure Syslog Server Details**: Click on "Add new syslog server" and fill in the fields as follows:

  • **Name**: Give a name to your syslog server configuration (e.g., "ArcSight").

  • **Server Address**: Enter the IP address of the ArcSight server where you want to send logs.

  • **Port Number**: Set this to 514 or another port number that is open on both the PAN-OS and ArcSight systems for unencrypted traffic, or to a higher secure port if encryption is configured (e.g., 6514).

  • **Transport Protocol**: Select "UDP" unless you have an NTP server available for TCP, in which case select "TCP". If TLS/SSL security is required, ensure the correct certificates are configured as well.

  • **Local Interface** (optional): Choose a specific network interface to use when sending logs over the selected protocol.

  • **VSYS** (optional): Specify whether this syslog server configuration should apply only to certain virtual systems (VSYS) within your firewall, or leave it set to "default" for all VSYS.

4. **Enable Logging**: In the same section under "Syslog Servers", check the box next to the newly created syslog server's name and then click on "Update". This enables logging of events (such as threat alerts) to ArcSight via Syslog, using the CEF format.

5. **Verify Configuration**: Ensure that logs are being received by the remote Syslog server without errors. You can do this by checking the status and recent messages in the ArcSight system where the logs are supposed to arrive.

6. **Adjust Settings for Optimal Performance or Security**: Depending on your network setup, you might need to adjust settings such as IPFIX (IP Flow Information Export) parameters to optimize data throughput between PAN-OS and ArcSight. Consider enabling TLS encryption if higher security is required, as specified in the next section:

  • For TCP or SSL/TLS based communication, go to "System" > "Settings" > "Network" > "Virtual IPs", where you can configure a certificate for secure Syslog traffic. This involves generating self-signed certificates and assigning them to specific interfaces, then setting up TLS profiles in the syslog server configuration under the "Transport Protocol" settings.

7. **Monitor Logs Consistently**: Regularly review logs in ArcSight to ensure they are being captured correctly and that there is no degradation in performance due to network issues or other factors affecting the log transfer process. Implement proper error handling as part of your incident response strategy, including automated alerts for failed log transmissions and immediate manual intervention when needed.

By following these steps, you can configure PAN-OS to send Syslog events in CEF format to an external syslog server such as HP ArcSight, enhancing your organization's security operations with centralized logging and analytics capabilities.

Details:

The document titled "PAN-OS 6.1 CEF Connector Configuration Guide" covers configuring Palo Alto Networks' next-generation firewalls to send Syslog events in the Common Event Format (CEF), intended for use with HP ArcSight. The guide specifies that PAN-OS version 4.0.0 or higher is supported and outlines the configuration steps, including setting the device IP address in the Syslog header and creating a server profile for Syslog events.

The guide describes how to configure a Syslog server on a Palo Alto Networks (PAN-OS) device to support custom CEF-style log formats for the various log types (traffic, threat, config, and system). The steps include adding a Syslog server with details such as Name, IP address, Transport, Port, and Facility. Afterward, users define custom log formats on the Custom Log Format tab by selecting specific log types (Config, System, Threat, Traffic, HIP Match), using ArcSight CEF as the template for formatting. The process involves:

1. Entering a Name, IP address, Transport type, Port number, and Facility for the Syslog server in the Servers tab.

2. Customizing log formats on the Custom Log Format tab by selecting the various log types to create custom formats based on the ArcSight CEF standard. This includes mapping event fields in the same way as the default format specifications.

3. Handling special characters in logs using the escaping options when necessary.

4. Saving and committing the configuration after defining or modifying formats.

The document provides specific examples of CEF-style log formats for each type, such as traffic logs with detailed fields like NAT addresses, ports, protocol types, action results, sent/received bytes, packets, session details, and so on, along with optional HTTP headers if enabled. The table at the end outlines the format used during certification for each log type, including any specific field mappings or formatting rules.

The note emphasizes that, because of PDF layout constraints and the better text editing features of a plain text editor, the message formats should be copied directly from the PAN-OS web interface into a text editor before being pasted into other applications, so that formatting and special characters are preserved without loss.

The section "Device Event Mapping to ArcSight Data Fields" provides a detailed mapping of syslog messages generated by Palo Alto Networks firewalls to ArcSight CEF (Common Event Format) data fields. It outlines how vendor-specific event definitions from the device are sent to the ArcSight SmartConnector and subsequently mapped to specific ArcSight data fields. The table includes the prefix fields and their values for Syslog messages, including:

  • **Version**: Identifies the version of the CEF format (Value: 0).

  • **Device Vendor**: Specifies the device vendor as "Palo Alto Networks".

  • **Device Product**: Indicates the product as "PAN-OS".

  • **Device Version**: Shows the specific PAN-OS version, e.g., '6.1.0'.

  • **Signature ID**: A unique identifier for each event type (e.g., $subtype for traffic events).

  • **Name**: A human-readable description of the event.

  • **Severity**: Reflects the importance of the event on a scale from 0 to 10, with 10 indicating the most important.

Additionally, there are extension dictionary fields which include:

  • **Device Action**: Describes the action mentioned in the event (e.g., $action for traffic events).

  • **Application Protocol**: Specifies the application-level protocol, such as HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS (e.g., $app for Application Protocol).

  • **Device Event Category**: Represents the category assigned by the device (e.g., $eventid for System events).

  • **SessionID**: Indicates session IDs with labels such as $sessionid and detailed rules like before or after change details.

  • **URL Category**: Specifies URL categories related to events.

  • **Virtual system (Vsys)**, Source zone, Destination zone, LogProfile: These fields indicate virtual systems and zones defined on the device.
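The custom log format steps above (building a CEF line from PAN-OS variables such as $src and $dst, and escaping special characters) and the prefix/extension mapping just listed are easier to reason about with a concrete encoder and parser. The following Python is an added example written for this post; it is not code from the guide, from Palo Alto Networks or from ArcSight. The field names are the CEF keys the guide lists (src, dst, act, msg, fname, fileType, flexNumber1, suser, rt); the three sample log lines, the hostname fw01 and all addresses in them are constructed for this snippet.

```python
"""Encode and decode ArcSight CEF lines in the shape PAN-OS 6.1 custom log formats
emit: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|
followed by key=value extensions.  Added example, not part of the guide."""
import re

PREFIX_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


def escape_prefix(value):
    """Prefix (header) fields: backslash and the pipe separator must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """Extension values: backslash and '=' are escaped; CR/LF become \\r and \\n."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _unescape(value):
    """Reverse either escaping: \\X -> X, except \\n and \\r become line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def build_cef(device_version, signature_id, name, severity, extensions):
    """Render one event as a custom format like
    CEF:0|Palo Alto Networks|PAN-OS|6.1.0|$subtype|$type|1|src=$src dst=$dst ...
    would after variable substitution, escaping every value per CEF rules."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be an integer from 0 to 10")
    header = "|".join(escape_prefix(v) for v in
                      ("0", "Palo Alto Networks", "PAN-OS", device_version,
                       signature_id, name, severity))
    ext = " ".join(f"{k}={escape_extension(v)}" for k, v in extensions.items())
    return f"CEF:{header}|{ext}"


def _split_unescaped(text, sep, maxsplit):
    """Split on sep while skipping backslash-escaped characters (escapes are kept)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # keep the escape pair intact
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _parse_extensions(ext):
    """Values may contain spaces, so the key of the next pair is the last
    space-delimited token before each unescaped '='."""
    if not ext.strip():
        return {}
    tokens = _split_unescaped(ext, "=", maxsplit=len(ext))
    if len(tokens) < 2:
        raise ValueError("extension part has no key=value pair")
    result, key = {}, tokens[0]
    for tok in tokens[1:-1]:
        value, _, next_key = tok.rpartition(" ")
        result[key] = _unescape(value)
        key = next_key
    result[key] = _unescape(tokens[-1])
    return result


def parse_cef(line):
    """Parse a CEF line, tolerating a syslog header (PRI, timestamp, host) before 'CEF:'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    parts = _split_unescaped(line[start + 4:], "|", maxsplit=len(PREFIX_FIELDS))
    if len(parts) != len(PREFIX_FIELDS) + 1:
        raise ValueError("CEF prefix must have exactly 7 pipe-separated fields")
    event = {k: _unescape(v) for k, v in zip(PREFIX_FIELDS, parts[:-1])}
    if not (event["severity"].isdigit() and 0 <= int(event["severity"]) <= 10):
        raise ValueError(f"bad severity {event['severity']!r}")
    event["extensions"] = _parse_extensions(parts[-1])
    return event


# Constructed sample lines as a syslog receiver would see them (not real firewall output).
SAMPLE_LINES = [
    "<14>Jan 10 12:00:00 fw01 CEF:0|Palo Alto Networks|PAN-OS|6.1.0|end|TRAFFIC|1|"
    "rt=Jan 10 2025 12:00:00 src=10.1.1.5 dst=203.0.113.9 spt=51234 dpt=443 proto=tcp act=allow",
    "<14>Jan 10 12:00:05 fw01 CEF:0|Palo Alto Networks|PAN-OS|6.1.0|vulnerability|THREAT|8|"
    "rt=Jan 10 2025 12:00:05 src=10.1.1.7 dst=203.0.113.20 act=drop msg=constructed-signature(0) requestURL=/a\\=b",
    "<14>Jan 10 12:00:09 fw01 CEF:0|Palo Alto Networks|PAN-OS|6.1.0|wildfire|THREAT|5|"
    "rt=Jan 10 2025 12:00:09 suser=alice@example.com dst=198.51.100.4 fname=invoice.pdf fileType=pdf flexNumber1=4096 act=alert",
]


def threats_at_or_above(lines, min_severity):
    """Return (signature_id, severity, src, dst) for THREAT events at or above min_severity."""
    hits = []
    for ev in map(parse_cef, lines):
        if ev["name"] == "THREAT" and int(ev["severity"]) >= min_severity:
            x = ev["extensions"]
            hits.append((ev["signature_id"], int(ev["severity"]), x.get("src"), x.get("dst")))
    return hits


if __name__ == "__main__":
    for hit in threats_at_or_above(SAMPLE_LINES, 5):
        print(hit)
```

The parser keeps escape pairs intact while splitting and only unescapes afterwards, which is what makes a pipe inside the Name field or an `=` inside requestURL survive the round trip; the severity check enforces the 0 to 10 range the prefix table specifies.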

These mappings help integrate Palo Alto Networks firewalls with ArcSight for better log management and analysis.

The guide then explains the fields that Palo Alto Networks (PAN) devices use to log and report network events, in particular those related to email communications and file transfers that are forwarded for WildFire analysis. The fields include destination IP address (dst), destination user name (duser), device host name (dvchost), external ID (externalId), filename (fname), file type (fileType), total bytes (flexNumber1), message (msg), protocol (proto), reason (reason), request URL (requestURL), client application (requestClientApp), request context (requestContext), and receipt time stamp (rt). The fields map to PAN-OS variables such as $dst, $dstuser, $host, $seqno, $filetype, $bytes, $opaque, $path, $module, $contenttype, and $cef-formatted. Each field has a defined data length and provides detailed information about the event being logged.

For example, the destination IP address (dst) is an IPv4 address between 0 and 65535 that identifies the recipient of the email or file transfer in an IP network. The destination user name (duser), a string of up to 1023 characters, identifies the person associated with the event at the destination. The device host name (dvchost) holds the fully qualified domain name (FQDN) of the device node and can be up to 1023 characters long. The external ID (externalId) is a unique identifier assigned by the originating device, typically an increasing sequence number. Other fields such as filename (fname), file type (fileType), total bytes transferred (flexNumber1), and message (msg) provide specific details about the files or messages involved in the event. The protocol (proto) is given as a three-letter name, while reason (reason) explains why a session terminated.

The request URL (requestURL) captures the web address accessed during the request, with additional details in client application (requestClientApp) and a description of the content (requestContext). The receipt time stamp (rt) records the time at which the event was received, in a specific format. Overall, this part of the guide explains how the different kinds of data are logged and reported for network events within PAN devices, particularly those involving email communications or file transfers that are analyzed by the WildFire service.

The remaining CEF extension fields covered by the guide are summarized below:

1. **IPv4 Addresses**:

  • `host.domain.com` or just `host`: Identifies the host on an IP network, possibly including subdomains.

  • `sourceTranslatedAddress` (IPv4 address): An IPv4 address that identifies where an event takes place in an IP network. Example: "192.168.10.1".

  • `src` (sourceAddress, IPv4 address): Another IPv4 address used to identify the source of an event, which could be a device or system involved in the event.

2. **Port Numbers**:

  • `$natsrc`, `$natsport`, and `$sport`: These represent the translated port numbers after the traffic has passed through the firewall. Valid port numbers range from 0 to 65535.

3. **Time Stamps**:

  • `start` (startTime, from $time_generated): The time at which the event started, formatted either as a readable date-time such as "MMM dd yyyy HH:mm:ss" or as milliseconds since January 1st, 1970.

4. **User and Sender Information**:

  • `suid` (sourceUserId, WildFire only): Specifies the sender of an email determined to be malicious by the firewall.

  • `suser` (sourceUserName): Identifies the source user by name, optionally including the email address as well.

5. **HTTP Headers and Network Traffic**:

  • `$referer` (PanOSReferer): The Referer field in an HTTP header that contains the URL of the previous page visited by a user before reaching the current page.

  • `$xff` (PanOSXff): The X-Forwarded-For field in an HTTP header, which carries the IP address of the client that requested a web page through a proxy server.

  • `PanOSPacketsReceived` and `PanOSPacketsSent`: Counts of packets transferred inbound and outbound between two points on a network.

Each field is crucial for detailed logging in cybersecurity environments to trace malicious activities, understand traffic patterns, and maintain the security posture of networks.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
