Palo Alto Networks PANOS 7.0 CEF Configuration Guide 2016
- Pavan Raja

- Apr 9, 2025
- 5 min read
Summary:
This document outlines a guide to configure Palo Alto Networks (PAN) devices to support CEF-formatted Syslog events specifically for HP's ArcSight product, requiring PAN-OS version 7.0 or higher. The configuration involves setting up a new syslog server profile with properties such as name and location, adding servers with specific IP addresses, selecting transport protocols and ports, customizing log formats using ArcSight CEF standards, specifying event mappings, escaping special characters, and defining detailed fields like session IDs, protocol usage, source/destination addresses, user identities, application data, URLs, file paths, and more. The document also provides details on how to map PAN-OS firewall event definitions to ArcSight CEF data fields for better integration within a SIEM system.
Details:
The document outlines a guide for configuring Palo Alto Networks (PAN) devices to support CEF-formatted Syslog events. It specifies that PAN-OS version 7.0 or higher is required and provides information on how to configure these devices for event collection by HP's ArcSight product, which includes details on the certification process and revision history of updates from Palo Alto Networks (Palo Alto) and HP.
The document begins with a disclaimer that the guide is informational and subject to change without notice. It then discusses how events generated by PAN-OS are compliant with HP ArcSight CEF requirements, ensuring compatibility for processing through the ArcSight product. The event content is deemed to meet SmartConnector standards, suitable for use in correlation rules, reports, and dashboards.
Key updates across different versions of PAN-OS include enhancements to threat logs (e.g., adding fields like Cloud, PCAP-ID, File Digest, OS to HIP logs), traffic logs (adding Session End Reason), threat logs (splitting subtype and threat ID into separate event fields), system logs (removing unnecessary event IDs from headers), and config logs (replacing placeholders with actual device and host information).
Lastly, the document provides support contact information for Palo Alto Networks and instructions on using it in cases where issues are outside of the ArcSight team's ability to assist. The guide concludes by outlining steps for configuring a PAN-OS firewall to send CEF-formatted Syslog events, pointing users to additional information in the Panorama Administrator's Guide.
This summary outlines the steps and details for configuring a Syslog server profile in PAN-OS to use CEF (Common Event Format) logging. The process involves several steps, including setting up a new syslog server profile, defining its properties such as name and location, adding servers with specific IP addresses, selecting transport protocols and ports, and customizing log formats using ArcSight CEF standards for different types of logs (Config, System, Threat, Traffic).
The configuration includes specifying details like event mappings, escaping special characters in the format, and defining detailed fields such as session IDs, protocol usage, source/destination addresses, user identities, application data, URLs, file paths, and more. The process concludes with saving configurations and committing them for implementation.
This document discusses the mapping of Palo Alto Networks firewall event definitions to ArcSight CEF data fields, specifically for Syslog messages generated by firewalls running PAN-OS 7.0.0 and later versions. The table provides details on prefix fields and their values, which include identifying information such as device vendor (Palo Alto Networks), device product (PAN-OS), device version, event type (e.g., traffic, threat, config, system, HIP match), and severity. It also covers custom fields like deviceAction, ApplicationProtocol, deviceEventCategory, SessionID, Packets, Elapsed time, Rule String1, URL category, and Object Category. These mappings help in correlating Palo Alto Networks-specific events with ArcSight CEF format for better integration and analysis within a security information and event management (SIEM) system.
This text provides a detailed list of data fields commonly found in logs generated by Palo Alto Networks devices, particularly those related to security events and network traffic. The fields include various attributes such as system information, network details, user activity, file metadata, and more. Here's an overview of the main points:
1. **System Information**:
   - `deviceExternalId`: A unique identifier for the device generating the event (e.g., serial number).
   - `deviceInboundInterface` and `deviceOutboundInterface`: Interface names through which data entered and left the device, respectively.
   - `deviceHostName`: Fully qualified domain name (FQDN) of the device node, useful for identifying the host system.
2. **Network Details**:
   - `src`: Source IP address.
   - `dst`: Destination IP address.
   - `dpt`: Destination port number.
   - `proto`: Transport layer protocol (e.g., TCP, UDP).
   - `destinationTranslatedAddress` and `destinationTranslatedPort`: Translated network address and port.
   - `natdst`, `natdport`: Network address translation details.
3. **User Activity**:
   - `dstuser`: Destination user identified in the event.
   - `destinationUserName`: User name associated with the destination.
4. **File Metadata**:
   - `filename`: Name of the file, which can be specific to certain types of events (e.g., malware samples).
   - File-related details such as `filePath`, `fileId`, and `fileHash` are also included if applicable to the event type.
5. **Traffic Metrics**:
   - `bytesIn`: Number of bytes transferred inbound.
   - `bytesOut`: Number of bytes transferred outbound.
6. **Security and Audit Events**:
   - `reason`: Reason for audit events, providing details about why an action was taken (e.g., "Bad password", "Unknown User").
   - `msg`: A detailed message providing additional information about the event.
   - Logs can be correlated using various attributes like `LogProfile`, which might specify a log profile used for correlation and analysis.
7. **Time Stamps**:
   - `rt` (receiptTime): Timestamp indicating when the event was received, formatted in standard or epoch time.
8. **Custom Fields**:
   - Some fields are customizable based on specific configurations or event types (e.g., `$from` for source zone, `$to` for destination zone).
This summary provides a basic framework for understanding the data contained within Palo Alto Networks security logs, which can be crucial for forensic analysis and real-time monitoring of network activities.
The document provides information on various fields and their descriptions within a specific event format used in network monitoring, particularly relevant for Palo Alto Networks devices. Here's a summary of each key term or concept discussed:
1. **HIP Match**: Refers to an event recorded within an IP network. It includes details like the machine name (`$machinename`), the host (`$host`), which should be the fully qualified domain name of the source node, and the translated source address (`sourceTranslatedAddress`, an IPv4 address).
2. **Port Translated by a Firewall**: The port number after translation by a firewall is specified as `$natsport` or `$sport`, where valid numbers range from 0 to 65535.
3. **Source Address in an IP Network**: Identified as `sourceAddress` (`$src`), an IPv4 address that locates the event's origin within the network.
4. **Start Time of Event**: Referred to as `startTime` (`$start`), this is recorded using a timestamp format that includes month, day, year, hour, minute, and second, or as milliseconds since January 1st, 1970.
5. **Source User Identification**: The user who initiated the event is identified by `sourceUserName` (`$suser`), which can include email addresses as part of the username.
6. **Custom Dictionary Extensions**: Additional fields for more detailed information, such as the number of packets received/sent (`PanOSPacketsReceived`/`PanOSPacketsSent`), device group hierarchy data (`PanOSDG11-14`), which helps in understanding the device's location within a larger infrastructure, and the virtual system name (`PanOSVsysName`).
These fields are crucial for detailed analysis and troubleshooting of network activities and events logged by Palo Alto Networks devices.
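As an added example that is not from the vendor guide, the following Python parser splits a PAN-OS-style CEF record into the seven header fields and the extension keys covered by the field lists above, honouring the header (`\|`) and extension (`\=`) escaping the guide calls for and enforcing the 0 to 65535 port range stated above. The sample record and all of its values are constructed for illustration.

```python
import re

# Constructed sample record in the CEF layout the guide describes; the values
# are made up for illustration and are not taken from the vendor document.
SAMPLE = (
    "CEF:0|Palo Alto Networks|PAN-OS|7.0.0|TRAFFIC|end|3|"
    "rt=Jan 01 2016 10:00:00 deviceExternalId=0001A1234567 src=10.0.0.5 "
    "dst=198.51.100.7 spt=51234 dpt=443 proto=tcp bytesIn=4096 bytesOut=1024 "
    "suser=acme\\\\jdoe msg=session end reason\\=aged-out PanOSVsysName=vsys1"
)
HEADER_FIELDS = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureId", "name", "severity")
PORT_KEYS = ("spt", "dpt", "sourceTranslatedPort", "destinationTranslatedPort")
COUNT_KEYS = ("bytesIn", "bytesOut", "PanOSPacketsReceived", "PanOSPacketsSent")


def _unescape(value, escapable):
    # CEF escapes a character by prefixing a backslash: '|' and '\' in header
    # fields, '=' and '\' in extension values (plus \n and \r for line breaks).
    def repl(m):
        ch = m.group(1)
        return ch if ch in escapable else {"n": "\n", "r": "\r"}.get(ch, m.group(0))
    return re.sub(r"\\(.)", repl, value)


def parse_cef(line):
    """Split a CEF record into its seven header fields and a typed extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)  # unescaped pipes only
    if len(parts) != 8:
        raise ValueError("CEF header needs seven pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, (_unescape(p, "|\\") for p in parts[:7])))
    ext = parts[7]
    # A key is a bare token followed by an unescaped '='; the value runs to the
    # next key, so "session end reason\=aged-out" is kept whole.
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z][\w.]*)=", ext))
    extensions = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extensions[m.group(1)] = _unescape(ext[m.end():end], "=\\")
    # Type the numeric fields the guide calls out; ports must be 0..65535
    for k in PORT_KEYS + COUNT_KEYS:
        if k in extensions:
            extensions[k] = int(extensions[k])
            if k in PORT_KEYS and not 0 <= extensions[k] <= 65535:
                raise ValueError("%s out of range: %d" % (k, extensions[k]))
    return header, extensions
```

Feeding the parser a record with a non-numeric or out-of-range port raises `ValueError`, which is the point at which a SmartConnector-style pipeline should quarantine the event rather than index it.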