Palo Alto Firewall Syslog Setup and Configuration for Alerts – Red Canary help

Issue

How to setup Palo Alto Firewall syslog to send data to Red Canary Alerts?

Environment

Palo Alto Firewall (Pan OS)

Red Canary Alerts

Resolution

Palo Alto Networks firewall syslog background

Palo Alto Networks allows network admins to configure syslog to be sent via UDP, TCP and SSL while allowing for destination port customization. For PAN specific documentation see this. A customer controlled PAN self signed certificate is created with a key and securely transported to Red Canary.

You can test the firing of THREAT detections using the following PAN link for XSS.

In testing, it was observed that in order for the firewall to "see" the test XSS attempt a prerequisite was that SSL decryption needs to be in place.

Any questions should be directed to your Red Canary Support team.

Steps necessary to configure the Palo Alto Networks device

Follow the PAN provided syslog steps 1-4

Optional certificate authority creation

If one is not already present, PAN allows for the firewall to act as certificate authority.

For specific steps in creating a certificate authority on a PAN device see this.

Root certificate authority example,

Screen_Shot_2021-03-24_at_3.39.20_PM.png

Will result in the following certificate authority example,

Screen_Shot_2021-03-24_at_3.41.00_PM.png

Syslog certificate creation

Using the local PAN device as a certificate authority, follow the following steps to create a customer controlled certificate that will be used mutually for authentication.

Select Device -> Certificate Management -> Certificates -> Device Certificates and click Generate at the bottom.
Enter a Name for the certificate.
In the Common Name field, enter the Red Canary provided FQDN of the destination address. An example is prod1-use2-12345678.prod1.collectors.redcanary.io.
In Signed by, select the trusted CA or the self-signed CA that the syslog server and the sending firewall both trust.
- -The certificate can’t be a Certificate Authority nor an External Authority (certificate signing request [CSR]).
n the Expiration (days) field place the value that you will want the certificate to be valid for before issuing a new certificate. For example, the max value is 7300 days.

Screen_Shot_2021-03-24_at_3.42.26_PM.png

5. Click Generate. The firewall generates the certificate and key pair.

6. Click on the certificate created in the previous step and select Certificate for Secure Syslog, then OK.

Screen_Shot_2021-03-24_at_3.46.31_PM.png

At this point your CA and certificate should look similar to the following,

Screen_Shot_2021-03-24_at_3.47.34_PM.png

7. Put a check on the left hand side of the certificate just created and click Export Certificate.

8. Put check in the Export private key box. Enter a passphrase twice that will be shared with Red Canary, click OK.

Screen_Shot_2021-03-24_at_3.48.39_PM.png

9. Take the PEM certificate and passphrase from the previous steps, You then add the output from the PAN device(s) into the appropriate Screen_Shot_2021-03-24_at_3.49.36_PM.png Alert Source.

Cause

Trouble setting up or configuring PAN OS to send Syslogs to Alert Center.