Accenture MDR Quick Start Guide for Palo Alto NG Firewall API and Prisma Access
- KS
- Miguel Lauriano
- KM (Unlicensed)
This quick start guide will help Accenture MDR customers configure Palo Alto Networks® to send logs to the Log Collection Platform (LCP).
The document includes the following topics:
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
Palo Alto | LCP | 514 (UDP) or 601 (TCP) | Default port |
Configuring Palo Alto Networks Firewall
To configure the Palo Alto Networks firewall to send logs to the LCP and collect xml reports from wildfire cloud, follow the steps below.
Create a Wildfire analysis profile.
Create a syslog server profile.
Create a log forwarding profile.
Verify the Wildfire settings.
Note: Files or email links matched to the profile rule are forwarded either to the WildFire public cloud or Wildfire private cloud, hosted with a WF-500 appliance depending on the analysis location defined for the rule.
I Create a Wildfire profile
To create a Wildfire profile, perform the following steps.
Go to Objects > Security Profiles > WildFire Analysis and click Add.
2. Enter the name and description of the profile.
3. Click Add to create a forwarding rule and enter the name.
4. Define the traffic to be forwarded to the WildFire service based on Applications, File Types, or Direction.
5. In the Analysis column, select public-cloud to forward the defined files to the WildFire cloud.
6. Click OK to save the profile.
II Create a syslog server profile.
To create a syslog server profile, perform the following steps.
Login to the Palo Alto web interface, and click the Device tab.
To open the Syslog Settings page, on the Device tab, go to Server Profiles > Syslog.
To open the New Syslog Server Profile window, at the bottom of the page, click Add.
4. In the Syslog Server Profile window, specify the following information.
In the Name text box, type the name of the LCP.
In the Syslog Server text box, type the lcp_ip_address.
From the Transport drop-down box, select TCP or UDP.
In the Port text box, type 514
From the Format drop-down list, select BSD.
From the Facility drop-down list, select LOG_USER.
Click OK to save the changes. The new details will appear in the Servers page.
III Create a log forwarding profile.
To create a log forwarding profile to send traffic, threat, and wildfire logs to the LCP, follow the steps below:
Click the Objects tab and then click Log Forwarding.
2. To add a new profile for the LCP, click Add and enter the following information on the Log Forwarding Profile page.
In the Name text box, type the name of the LCP.
In Traffic Settings and Threat Settings sections, under the Syslog column, select Syslog Server Profile Name for each severity level which was created in step 2 for the LCP.
In the WildFire Setting section, under the Syslog column, select Syslog Server Profile Name for each verdict which was created in step 2 for the LCP.
Click OK to submit the new logging profile.
Figure 1-6: The Log Forwarding Profile page.
Note: Both Accept and Deny logs play an important part in the analysis of traffic seen at the firewall. To receive the maximum benefit from a firewall logging to MDR, all rules that make up the installed firewall policy including an Explicit Deny All (also known as Clean-Up ) rule should be configured to log.
IV Verify the Wildfire settings.
To verify the Wildfire settings, perform the steps below.
Click the Device tab, click Setup, and then click WildFire.
2. In the General Settings pane, ensure that the data in the following fields is as per your requirements:
a) WildFire Server - Name of the WildFire server.
b) Maximum File Size for JARs (MB) - The maximum size supported by WildFire. Refer to the WildFire Administrator Guide for more information.
c) Maximum File Size for Executables (MB) - The maximum size supported by WildFire. Refer to the WildFire Administrator Guide for more information.
d) Maximum File Size for Android APKs (MB) - The maximum size supported by WildFire. Refer to the WildFire Administrator Guide for more information.
e) Maximum File Size for PDFs (KB) - The maximum size supported by WildFire. Refer to the WildFire Administrator Guide for more information.
f) Maximum File Size for MS Office Docs (KB) - The maximum size supported by WildFire. Refer to the WildFire Administrator Guide for more information.
g) Report Benign Files - Refer to the WildFire Administrator Guide for more information.
Note: The collector does not collect WildFire reports for Benign files; however, you can select this option to view reports on the Palo Alto Networks Firewall web interface.
3. In the Session Information Settings pane, ensure that the data in the following fields is as per your requirement: Source IP, Source Port, Destination IP, Destination Port, Virtual System, Application, User, URL, Filename.
4. Click the Management tab and in the Logging and Reporting Settings section, click the Edit icon. The Logging and Reporting Settings window appears.
5. Click the Log Export and Reporting tab and from the Syslog HOSTNAME Format drop-down list, select the IPv4-address.
6. Click OK to save the changes.
Prisma Access Configuration
If log forwarding app instance is not added, please refer below link and add forwarding app instance.
Forward Logs from Cortex Data Lake to a Syslog Server
Allow below IP communication for forwarding logs to syslog receiver based on your region.
US | 65.154.226.0/2434.67.106.64/28 |
EU | 154.59.126.0/2434.90.138.80/28 |
UK | 35.246.51.240/28 |
SG(Singapore) | 34.87.142.80/28 |
2. Sign into the hub at https://apps.paloaltonetworks.com/
3. Select the Log Forwarding app instance that you want to configure for Syslog forwarding
4. Select Syslog. Add to add a new Syslog Forwarding profile.
5. Enter a descriptive Name for the profile
6. Enter the Syslog Server IPv4 address
7. Enter the Port on which the Syslog server is listening
8. Select the Facility
9. Select the logs you want to forward:
Add to select the Log Vendor.
Select the Log Type. (After you select the Log Type you want to forward, the predefined filter shows as selected by default. If you want to forward all logs associated with the log type you’ve selected, leave Predefined selected and continue to save this rule without adding any filters.)
10. Save your changes.
11. Add other log types that you would like to forward.
MxDR does not recommend any modification in Syslog field ordering. If one changes the mentioned default syslog field order will not be having necessary support from the collector as it breaks translation which is handled from default syslog order.
LCP Configuration Parameters
Table 1-2 The Palo Alto event collector (Wildfire API - 3671)properties to be configured by MDR are shown in the table.
Property | Default Value | Description |
Protocol | UDP | The default protocol for syslog. The collector can also accept logs in TCP. Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To balance TCP for reliability over UDP for speed/simplicity, contact the Accenture Security MDR onboarding team. |
IP Address | Palo Alto Firewall Interface IP address | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the MDR onboarding team. |
Signatures | “,TRAFFIC,”, “,THREAT,”, “,CONFIG,” ,“,SYSTEM,”,“,HIPMATCH,” | MDR recommended signatures processed by the Palo Alto event collector. |
Port Number | 514 | The default port for UDP. For TCP, the default port is 601. Note: The LCP can be configured to listen on a non-standard port, please advise the Accenture Security MDR onboarding team if this is a requirement. |
Palo Alto Software Version | PAN-OS Version | Version of PAN-OS running on device. |
Wildfire API key | Custom Value | The Wildfire API key mentioned in the PIQ. |
Wildfire URL | Custom Value | The Wildfire URL mentioned in the PIQ. |
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.