Configure Palo Alto Collector
The Alert Logic Palo Alto collector is designed to enable Palo Alto to run our common firewall analytics on data from your Palo Alto devices. These analytics identify suspicious communication with internet hosts which Alert Logic considers threat actors. Significant security findings from your Palo Alto devices will result in the creation of incidents that can be managed in the Alert Logic console.
You must complete the following to send data from your Palo Alto device(s) to Alert Logic:
Download and install the remote collector
To send data from your Palo Alto device(s) to Alert Logic, you must first download and install the remote collector in the same network as the Palo Alto device(s).
To download and install the remote collector:
- Review the requirements for the remote collector as outlined in Requirements for the Alert Logic Remote Collector and ensure all requirements are met.
- Complete the following instructions for Linux or Windows, making sure to choose a host in the same network as the Palo Alto device(s).
- While installing the remote collector, note the IP of the host where the collector is installed. This IP will be needed when configuring the Palo Alto device.
Configure Palo Alto device
Once the remote collector is installed, the Palo Alto device needs to be configured for log ingestion by performing three tasks:
- Create a server profile for your syslog servers.
- Create a log-forwarding profile.
- Apply the log-forwarding profile to policy rules for security zones.
Create a server profile for your syslog servers
To create a server profile for your syslog servers:
- Log into Panorama, and navigate to Device > Server Profiles > Syslog.
- Click Add and enter a name for the profile.
- Select the System Location where this profile will be made available.
- For each remote collector, click Add and complete the fields for the firewall.
- In the Syslog Server column, enter the IP address of your remote collector. You can use UDP or TCP for transport.
- Configure the port to be 1515 (or the port you have configured the remote collector to listen on.)
- In the Format column, select IETF.
- Click OK to save the profile.
Create a Log Forwarding Profile
To create a log forwarding profile:
- In Panorama, navigate to Objects > Log Forwarding.
- Click Add and enter a name for the profile.
If you want the firewall to automatically assign the profile to new Security Rules and Zones, enter default. If you do not want a default profile, or you want to override an existing default profile, enter a name that will help you identify the profile when assigning it to Security Rules and Zones.
- Click Add to create a match list profile.
- In Log Type, select Traffic.
- In the Forward Method section of the window on the bottom left, click Add and select the syslog server profile you set up earlier.
Apply Log Forwarding Profile to Policy Rules or Security Zones
To apply a log forwarding profile:
- In Panorama, select Policies > Security and edit the relevant rules.
- Select Actions and then select the log forwarding profile you created.
- Set the Profile Type to Profiles or Groups, and then select the security profiles or group profile required to trigger log generation and forwarding.
- (Optional) For traffic logs, select Log At Session Start and/or Log At Session End.
- Click OK to save the rule.
Verify log collection
Once you have installed the remote collector and configured the Palo Alto device, it is recommended to verify that log collection is successful. It may take up to 15 minutes for Alert Logic to begin receiving logs.
- Log in to the Alert Logic console and use one of the following links to access the Search console with criteria already entered:
- Uncomment either of the two commented lines with SQL parameters and replace either $COLLECTOR_ID or $COLLECTOR_IP with your preferred identifier for the remote collector.
- Click Search.
- Verify logs display for the remote collector.