Palo Alto Networks PANOS 4.1 CEF Configuration Guide

  • Writer: Pavan Raja
  • Apr 9, 2025
  • 4 min read

Summary:

The Palo Alto Networks (PAN) CEF Connector Configuration Guide describes how to configure PAN-OS devices to emit events in Common Event Format (CEF), the log format consumed by HP ArcSight. The device is configured through its web UI: select "Device" > "Syslog" > "Add" under "Server Profiles", give the server profile a name and location, and configure the syslog server with a name, IP address, port (default 514) and facility (LOG_USER). On the "Custom Log Format" tab, each log type (Config/System/Threat/Traffic/HIPMatch) is given a custom format built from the ArcSight CEF field definitions. Special characters in the format are escaped by prefixing them with a backslash; in particular, backslashes and equal signs must be escaped this way. The guide's revision history records a change in the direction field mapping for the Threat log and the addition of Bytes In/Out fields to the Traffic log from PAN-OS 4.1.0 onwards. The document maps Palo Alto Networks' event definitions to ArcSight CEF data fields so that a SmartConnector can interpret and forward the logs correctly to other security monitoring tools.

Details:

The Palo Alto Networks (PAN) CEF Connector Configuration Guide provides the information needed to configure PAN-OS devices to collect events in Common Event Format (CEF), which is compatible with HP ArcSight systems. PAN-OS version 4.0.0 or higher supports this configuration, and the guide includes instructions for setting up CEF syslog event collection through the user interface.

After opening the UI and selecting the "Device" tab, navigate to "Syslog" and select "Add" under "Server Profiles." In the dialog box, enter a server profile name and location (Virtual System), then configure the syslog server by providing its name, IP address, port (default 514) and facility (default LOG_USER). Next, select the "Custom Log Format" tab and choose the log type (Config/System/Threat/Traffic/HIPMatch) to define a custom format based on the ArcSight CEF.

The certification process used specific CEF-style formats for each log type. These include fields such as subtype, type, receive time, deviceExternalId, source and destination addresses, users, application, zones, interfaces, log profile, session ID and protocol details. Customers can also define their own CEF-style formats using the event mapping table provided with the document. Any special characters defined in the CEF format must be escaped by specifying the escaped characters and the escape character accordingly; for example, backslashes and equal signs are escaped with a preceding backslash.

Finally, a revision history section records the updates from the first edition on February 25, 2011 (certification of CEF compliance at PAN-OS 4.0.0) to the changes of January 9, 2012 for PAN-OS 4.1.0: a revised direction field mapping in the Threat log and the addition of Bytes In/Out fields to the Traffic log.
The document also gives a detailed overview of the mapping between Palo Alto Networks' event definitions and ArcSight CEF data fields. The different log types (TRAFFIC, THREAT, CONFIG, SYSTEM and HIP MATCH) are generated by Palo Alto Networks firewalls and sent to ArcSight for analysis through a SmartConnector. The guide lists the prefix fields used in these logs along with their data types, meanings and the values specific to Palo Alto Networks devices. These include Device Vendor, Device Product, Device Version, Signature ID, Name, Severity, act (deviceAction), app (ApplicationProtocol), cat (deviceEventCategory), cn1 (deviceCustomNumber1), cn2 (deviceCustomNumber2), cn3 (deviceCustomNumber3), cs1 (deviceCustomString1) and cs2 (deviceCustomString2). The mapping is what allows the ArcSight SmartConnector to be configured to interpret and forward these logs correctly, ensuring proper integration with other security monitoring tools.

The remainder of the document describes the format used for logging network activity in CEF, a standardized log format designed for interoperability among security devices. The key points are:

1. **Timestamp and time generation**: The timestamp of each logged event follows a specific format made up of the month abbreviation (e.g., Jan, Feb), day of the month, year, hour, minute and second, or alternatively milliseconds since the epoch (January 1st, 1970). This records when the event occurred.

2. **Source user identification**: The CEF-formatted record carries a `suser` field holding the source user name. This can be an alphanumeric string or an email address and identifies the user who initiated the action. It maps to the `sourceUserName` field in ArcSight, giving context for auditing and security monitoring.

3. **Additional network metrics**: The log includes network activity metrics such as the number of packets received (`PanOSPacketsReceived`) and sent (`PanOSPacketsSent`), integers representing inbound and outbound packet counts.

4. **Custom dictionary extensions**: A "Custom Dictionary Extensions" section lists extension keys (Extension Key Name) with their data types, lengths and meanings, so additional metadata can be added to log entries through custom fields or key-value pairs defined by the system's configuration or extensions.

This format is particularly useful for security operations centers (SOCs), network administrators and any other stakeholders who need detailed information about network activity in real time or near real time for effective monitoring and troubleshooting.
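The escaping rule from the configuration section (backslashes and equal signs in extension values are prefixed with a backslash; pipe characters in the header are escaped the same way) and the field mapping above are easiest to see in code. The following is an added example, not code from Palo Alto Networks or ArcSight: it builds a CEF record in the shape a PAN-OS TRAFFIC log takes (header fields Device Vendor, Device Product, Device Version, Signature ID, Name, Severity, then `key=value` extensions such as `src`, `dst`, `suser`, `cn1`, `cs1`), parses it back into fields the way a collector or SmartConnector must, and handles the two timestamp forms the guide describes. The sample record, its serial number, rule name and the `cs1Label`/`cn1Label` meanings are constructed for illustration, not taken from the guide.

```python
"""CEF encoder and parser for PAN-OS-style syslog records (added example).

Not code from Palo Alto Networks or ArcSight. The sample record below is
constructed; the CEF key names follow the guide's field list.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def escape_header(value: str) -> str:
    """Header fields (vendor, product, name, ...) escape '\\' and '|'."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """Extension values escape '\\' and '=' with a preceding backslash,
    which is the rule the configuration guide states for custom formats."""
    return value.replace("\\", "\\\\").replace("=", "\\=")


def unescape(value: str) -> str:
    """Reverse either escaping: drop the backslash, keep the next character."""
    return re.sub(r"\\(.)", r"\1", value)


def build_cef(vendor: str, product: str, version: str, sig_id: str,
              name: str, severity: str, ext: Dict[str, str]) -> str:
    """Assemble 'CEF:0|header...|key=value key=value'."""
    header = "|".join(escape_header(v) for v in
                      (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={escape_extension(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def _split_header(text: str) -> Tuple[List[str], str]:
    """Split the seven '|'-terminated header fields, honouring '\\|' escapes;
    return the fields and the untouched extension remainder."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text) and len(fields) < 7:
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    return fields, text[i:]


# A value runs until the next ' key=' or the end of the line. Because '=' inside
# values is escaped, an unescaped '=' always marks the start of the next key.
_EXT_RE = re.compile(
    r"(?P<key>[A-Za-z0-9_.]+)=(?P<val>(?:\\.|[^\\])*?)(?=\s[A-Za-z0-9_.]+=|\s*$)")


def parse_extension(text: str) -> Dict[str, str]:
    return {m.group("key"): unescape(m.group("val")) for m in _EXT_RE.finditer(text)}


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line into header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, rest = _split_header(line[len("CEF:"):])
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    names = ["version", "vendor", "product", "device_version",
             "signature_id", "name", "severity"]
    record: Dict[str, object] = dict(zip(names, fields))
    record["extension"] = parse_extension(rest)
    return record


def parse_cef_time(value: str) -> datetime:
    """Accept the two timestamp forms the guide describes:
    'MMM dd yyyy HH:mm:ss' or milliseconds since the Unix epoch (UTC assumed)."""
    if value.isdigit():
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    return datetime.strptime(value, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed TRAFFIC record: the user name carries a backslash and the URL an
# '=' so both escaping cases are exercised. cs1/cn1 labels are assumed.
SAMPLE_TRAFFIC = build_cef(
    "Palo Alto Networks", "PAN-OS", "4.1.0", "end", "TRAFFIC", "1",
    {
        "rt": "Jan 09 2012 10:15:30",
        "deviceExternalId": "0000C000000",      # constructed serial number
        "src": "10.0.0.5", "dst": "203.0.113.10",
        "suser": "CORP\\alice",                 # source user, backslash inside
        "app": "web-browsing",
        "cs1": "allow-web", "cs1Label": "Rule",  # assumed label
        "cn1": "12345", "cn1Label": "SessionID",  # assumed label
        "in": "4096", "out": "1024",            # Bytes In/Out (PAN-OS 4.1.0+)
        "request": "http://example.test/search?q=cef",
    })

if __name__ == "__main__":
    print(SAMPLE_TRAFFIC)
    rec = parse_cef(SAMPLE_TRAFFIC)
    print(rec["vendor"], rec["name"], rec["extension"]["suser"],
          parse_cef_time(rec["extension"]["rt"]).isoformat())
```

Note that the parser relies on the escaping being applied by the sender: a custom format that forwards a raw value containing `=` produces a line that splits at the wrong place, which is exactly why the guide requires the escape character to be configured for every custom log format.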

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
