...

In the PAN-OS console, select Device → Certificate Management → Certificates → Device Certificates. Generate a new certificate and call it RootCA. Once generated, select the RootCA certificate in the CA Certificates table and edit its information. Select the Trusted Root CA check box, then click OK. For more information about Root CA certificates, see the vendor documentation.

In the same area of the Palo Alto console, generate another new certificate and call it SyslogCert. Enter the IP address of the machine where stunnel is installed as the Common Name, select the RootCA certificate as the Signed By value, and do not select the Certificate Authority check box.

...

Install and configure stunnel 

You need to install stunnel on the machine running the Devo relay, then set it up to manage the inbound SSL connections and forward data received to the relay. 

...

  • Source Port → 13005

  • Source Data →  ^[^,]+,[^,]+,[^,]+,([^,]+).*$

  • Target Tag → firewall.paloalto.\\D1

  • Select the Stop Processing and Sent without syslog tag check boxes

...

Once you add the rule, the relay is prepared to receive events from stunnel and forward them correctly to the Devo cloud.
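
To check what the rule does with a given event before pointing the firewall at it, the following added example (not part of the original page and not Devo's own code) applies the Source Data pattern and Target Tag from the rule to constructed PAN-OS-style CSV lines. It assumes `\\D1` is replaced by the first capture group of Source Data; the function names and sample events are hypothetical.

```python
import re
from collections import Counter

# Source Data pattern and Target Tag template copied from the relay rule above.
SOURCE_DATA = re.compile(r"^[^,]+,[^,]+,[^,]+,([^,]+).*$")
TARGET_TAG = r"firewall.paloalto.\\D1"

# Constructed sample events (not real firewall output), built so that the
# fourth comma-separated field holds the log type.
SAMPLE_EVENTS = [
    "1,2024/01/15 10:22:31,001234567890,TRAFFIC,end,2049,2024/01/15 10:22:31,10.0.0.5",
    "1,2024/01/15 10:22:35,001234567890,THREAT,url,2049,2024/01/15 10:22:35,10.0.0.7",
    "1,2024/01/15 10:23:00,001234567890,SYSTEM,general,0,2024/01/15 10:23:00",
    "1,2024/01/15 10:23:02,,TRAFFIC,end,2049",   # empty third field
    "Jan 15 10:23:05 fw01 link state changed",   # not CSV at all
]


def target_tag(event):
    """Return the tag the rule would assign, or None if Source Data does not match."""
    match = SOURCE_DATA.match(event)
    if match is None:
        return None
    # Assumption: \\D1 is replaced by capture group 1 of Source Data, as captured.
    return TARGET_TAG.replace(r"\\D1", match.group(1))


def summarize(events):
    """Count events per resulting tag and collect the ones this rule would not apply to."""
    tags, unmatched = Counter(), []
    for event in events:
        tag = target_tag(event)
        if tag is None:
            unmatched.append(event)
        else:
            tags[tag] += 1
    return dict(tags), unmatched


if __name__ == "__main__":
    tags, unmatched = summarize(SAMPLE_EVENTS)
    for tag, count in sorted(tags.items()):
        print(f"{count:3d}  {tag}")
    for event in unmatched:
        print(f"no match: {event!r}")
```

The pattern requires each of the first four fields to be non-empty, so an event with an empty field there, or with no commas at all, does not match the rule.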

Set up stunnel as remote syslog server on Palo Alto

Stunnel is already set up to receive SSL encrypted events and forward them to the Devo relay, where the new rule will apply the correct tag and send the events on to the Devo cloud. All that remains is to configure the sending of events from Palo Alto to stunnel. To do so, stunnel has to be set up as a syslog server on Palo Alto.

...