⌘Ctrlk

Palo Alto Networks

You can configure a Palo Alto Firewall to forward logs to the ThreatDefence Syslog Forwarder for security monitoring.

Requirements

A deployed and activated ThreatDefence Syslog Forwarder VM
Administrator access to the Palo Alto Firewall

Steps

Step 1. Configure a Syslog Server Profile

In the Palo Alto Console, go to Device > Server Profiles > Syslog.
Click Add and enter a name for the profile (e.g., ThreatDefence-SIEM).

Step 2. Add a Syslog Server to the Profile

Step 3. Configure Syslog Forwarding (Traffic, Threat, Wildfire, URL, Data, Tunnel, Authentication Logs)

From the Palo Alto Console, go to Objects > Log Forwarding.
Click Add and enter a name for the Log Forwarding Profile.
- Use default if you want this profile applied to all new rules/zones.
For each Severity and Wildfire Verdict, select the Syslog Server Profile created above in the Syslog column.
Click OK to save.

Step 4. Assign Syslog Forwarding Profile to Security Policy

Go to Policies > Security.
For each rule:
- Click the rule name.
- Go to the Actions tab.
- Enable Log at Session End.
- Under Log Setting > Log Forwarding, choose the Syslog Forwarding Profile created earlier.

Step 5. Configure Syslog Forwarding for System, Config, Correlation, GlobalProtect, HIP Match, and User-ID Logs

From the Palo Alto Console, go to Device > Log Settings.
For System and Correlation logs:
- Select each Severity level → Syslog Server Profile created earlier → OK.
For Config, HIP Match, and Correlation logs:
- Edit each section → Select the Syslog Server Profile → OK.

Step 6. Commit Changes

Click Commit to push configuration changes.

Step 7. Provide Details to ThreatDefence

Once configuration is complete, provide the following details to ThreatDefence Support at 📧 [email protected]:

Firewall make/model and OS version
Source IP address and used port number

PreviousFirewalls NextPalo Alto Networks Panorama

Last updated 4 months ago