
Palo Alto

Tested Versions: 8.1.0

Chronicle ingests Palo Alto firewall Traffic and Threat logs to visualize web traffic. On the firewall side this requires only a simple syslog configuration that sends to a Chronicle Forwarder.

Chronicle Data Types

  • Firewall
  • Web Proxy

Requirements

  • Chronicle Forwarder

Configuration

Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRxCAK

Syslog Server Profile Setup

  1. Navigate to Device > Server Profiles > Syslog and Add a new syslog profile. (Screenshot: palo1)
  2. Enter a name for the syslog profile.
  3. Enter a name for the syslog server and fill in the details for the syslog endpoint as provided by CYDERES. The log format will be BSD. (Screenshot: palo2)

     Note: if sending to a CYCLOPS forwarder, obtain a port number from CYDERES. Do not use port 514.

Log Forwarding Profile Setup

  1. Navigate to Objects > Log Forwarding and Add a new log forwarding profile. (Screenshot: palo3)
  2. Enter a name for the log forwarding profile.
  3. In the Traffic Settings and Threat Settings configuration boxes, select the syslog server profile in the 'Syslog' column on the right.
  4. Once this configuration has been committed, the log forwarding profile can be used in rules to forward logs to the syslog server. (Screenshot: palo4)
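Once the profile above is committed and attached to rules, the forwarder receives every Traffic and Threat log as a BSD (RFC 3164) syslog line whose body is a comma-separated PAN-OS record. The following Python script is an added example, not code from Palo Alto Networks, Chronicle or CYDERES: it parses such lines, splits the CSV body with a real CSV reader (PAN-OS double-quotes values that contain commas, such as user names), maps the fields a defender needs by position, and produces a small per-user summary of allowed web traffic, denied sessions and URL threat events. The field positions are an assumption based on the PAN-OS 8.1 syslog field descriptions and should be checked against the documentation for the deployed version; all sample log lines are constructed.

```python
"""Validate PAN-OS Traffic/Threat logs as they arrive over BSD (RFC 3164) syslog.

Added example; not code from Palo Alto Networks, Chronicle or CYDERES.
Assumption: the CSV field positions below follow the PAN-OS 8.1 syslog field
descriptions as recalled by the author; verify them against the documentation
for the deployed PAN-OS version. All sample log lines are constructed.
"""
import csv
import io
import re
from collections import Counter

# RFC 3164 (BSD) header: <PRI>Mmm dd HH:MM:SS hostname message
_BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Zero-based CSV positions (assumed PAN-OS 8.1 layout, see module docstring).
_COMMON = {"type": 3, "subtype": 4, "src": 7, "dst": 8, "rule": 11,
           "srcuser": 12, "app": 14, "from_zone": 16, "to_zone": 17,
           "sport": 24, "dport": 25, "proto": 29, "action": 30}
_TRAFFIC = {"bytes": 31, "bytes_sent": 32, "bytes_received": 33,
            "packets": 34, "category": 37}
_THREAT = {"url": 31, "threat_id": 32, "category": 33, "severity": 34}


def parse_bsd_header(line):
    """Split the syslog header; PRI encodes facility*8 + severity."""
    m = _BSD_HEADER.match(line.strip())
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group("ts"), "host": m.group("host"),
            "msg": m.group("msg")}


def _pick(fields, positions):
    """Map named fields by position, refusing records that are too short."""
    need = max(positions.values()) + 1
    if len(fields) < need:
        raise ValueError(f"expected at least {need} fields, got {len(fields)}")
    return {name: fields[i] for name, i in positions.items()}


def parse_pan_log(line):
    """Return the analyst-relevant fields of one TRAFFIC or THREAT log line."""
    hdr = parse_bsd_header(line)
    # PAN-OS double-quotes any value containing a comma, so use a CSV reader.
    rows = list(csv.reader(io.StringIO(hdr["msg"])))
    if not rows or len(rows[0]) < 5:
        raise ValueError("message body is not a PAN-OS CSV log")
    fields = rows[0]
    log_type = fields[3]
    if log_type == "TRAFFIC":
        rec = _pick(fields, {**_COMMON, **_TRAFFIC})
        for key in ("bytes", "bytes_sent", "bytes_received", "packets"):
            rec[key] = int(rec[key])
    elif log_type == "THREAT":
        rec = _pick(fields, {**_COMMON, **_THREAT})
    else:
        raise ValueError(f"unsupported log type {log_type!r}")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["device"] = hdr["host"]
    return rec


def summarize(lines):
    """Allowed bytes per user, denied sessions per (user, app), threat hits."""
    allowed, denied, threats, skipped = Counter(), Counter(), [], 0
    for line in lines:
        try:
            rec = parse_pan_log(line)
        except ValueError:
            skipped += 1          # SYSTEM/CONFIG logs or malformed lines
            continue
        if rec["type"] == "TRAFFIC":
            if rec["action"] == "allow":
                allowed[rec["srcuser"]] += rec["bytes"]
            else:
                denied[(rec["srcuser"], rec["app"])] += 1
        else:
            threats.append((rec["src"], rec["url"], rec["category"], rec["action"]))
    return {"allowed_bytes": dict(allowed), "denied": dict(denied),
            "threats": threats, "skipped": skipped}


# Constructed sample lines in the shape a forwarder would receive.
SAMPLE_LINES = [
    '<14>Jan 10 10:00:01 PA-VM 1,2019/01/10 10:00:01,001234567890,TRAFFIC,end,2049,'
    '2019/01/10 10:00:01,10.1.1.25,203.0.113.10,198.51.100.5,203.0.113.10,allow-web-out,'
    'corp\\alice,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,to-chronicle,'
    '2019/01/10 10:00:01,12345,1,51234,443,20001,443,0x400000,tcp,allow,15320,2100,13220,'
    '42,2019/01/10 09:59:30,31,computer-and-internet-info,,98765,0x0,'
    '10.0.0.0-10.255.255.255,US,,20,22,tcp-fin',
    '<14>Jan 10 10:01:15 PA-VM 1,2019/01/10 10:01:15,001234567890,TRAFFIC,end,2049,'
    '2019/01/10 10:01:15,10.1.1.40,203.0.113.99,198.51.100.5,203.0.113.99,block-p2p,'
    '"corp\\smith, bob",,bittorrent,vsys1,trust,untrust,ethernet1/2,ethernet1/1,to-chronicle,'
    '2019/01/10 10:01:15,12350,1,60000,6881,20010,6881,0x0,tcp,deny,600,600,0,3,'
    '2019/01/10 10:01:15,0,peer-to-peer,,98770,0x0,10.0.0.0-10.255.255.255,US,,3,0,policy-deny',
    '<14>Jan 10 10:02:00 PA-VM 1,2019/01/10 10:02:00,001234567890,THREAT,url,2049,'
    '2019/01/10 10:02:00,10.1.1.25,203.0.113.50,198.51.100.5,203.0.113.50,allow-web-out,'
    'corp\\alice,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,to-chronicle,'
    '2019/01/10 10:02:00,12346,1,51300,80,20002,80,0x400000,tcp,block-url,'
    '"example.test/login.php",(9999),malware,informational,client-to-server,98800,0x2000,'
    '10.0.0.0-10.255.255.255,US',
    # A SYSTEM log: forwarded only if the profile includes it; skipped here.
    '<14>Jan 10 10:03:00 PA-VM 1,2019/01/10 10:03:00,001234567890,SYSTEM,general,0,'
    '2019/01/10 10:03:00,,,,informational,Commit job succeeded',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Feeding the forwarder's received lines through `summarize` is a quick way to confirm that the syslog profile sends BSD format on the agreed port and that both the Traffic and Threat settings of the log forwarding profile are actually populated; a run that reports every line as skipped usually means the wrong format or an unselected log type.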

MITRE ATT&CK Coverage

View in the ATT&CK Navigator

Palo Alto Coverage