Document toolboxDocument toolbox

firewall.paloalto

Owned by Juan Tomás Alonso Nieto (Deactivated)
May 08, 2023
3 min read
[ 1 Introduction ] [ 2 Tag structure ] [ 3 How is the data sent to Devo? ] [ 4 Palo Alto Firewall configuration ]

Introduction

The tags that begin with firewall.paloalto identify events generated by Palo Alto Networks Firewall.

Tag structure

The full tag must have at least three levels. The first two are fixed as firewall.paloalto. The third level identifies the event's log type and will be determined dynamically by the rule you define in the Devo Relay. The fourth element is only used in some specific cases.

Technology

Brand

Type

Subtype

Technology

Brand

Type

Subtype

firewall

paloalto

  • config

  • system

  • threat

  • traffic

  • correlation

  • hipmatch

  • url

  • userid

The tag levels below are only used with firewall.paloalto.config

This is used to indicate the parser version. Depending on the Palo Alto firewall version used by each client, some fields can arrive in a different order, so we need to add this tag level to indicate the parser version. The possible values are:

  • v1 - This is the default value, also used if no value is set at this level. In this case, the parser uses the default field order (fields affected: seqno, actionflags, beforechangedetail and afterchangedetail).

  • v2 - Used to indicate that the fields beforechangedetail and afterchangedetail are not part of the event and must be ignored and initialized with null.

  • v3 - Used to indicate that the fields beforechangedetail and afterchangedetail come before the seqno and actionflags fields.



The tag level below is only used with firewall.paloalto.traffic, firewall.paloalto.system, firewall.paloalto.url and firewall.paloalto.threat

These tables allow sending events in LEEF format instead of the default CSV format. To indicate this, all logs must have an additional tag level (leef). Threats can also have logs in JSON format using the tag level JSON at the end.

CSV format tags are:

  • firewall.paloalto.traffic

  • firewall.paloalto.system

  • firewall.paloalto.threats

  • firewall.paloalto.url

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag

Data table

Tag

Data table

firewall.paloalto.config

firewall.paloalto.config

firewall.paloalto.config.v1

firewall.paloalto.config

firewall.paloalto.config.v2t

firewall.paloalto.config

firewall.paloalto.config.v3

firewall.paloalto.config

firewall.paloalto.system

firewall.paloalto.config

firewall.paloalto.threat

firewall.paloalto.threat

firewall.paloalto.correlation

firewall.paloalto.correlation

firewall.paloalto.hipmatch

firewall.paloalto.hipmatch

firewall.paloalto.userid

firewall.paloalto.userid

firewall.paloalto.traffic.leef

firewall.paloalto.traffic

firewall.paloalto.system.leef

firewall.paloalto.system

firewall.paloalto.threat.leef

firewall.paloalto.threat

firewall.paloalto.threat.json

firewall.paloalto.threat

firewall.paloalto.threat

firewall.paloalto.threat

firewall.paloalto.url

firewall.paloalto.url

firewall.paloalto.url.leef

firewall.paloalto.url

For more information, read more about Devo tags.

How is the data sent to Devo?

Since there is no functionality to apply the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and then forwarded securely to the Devo Cloud.

You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. The event type is determined by the source port specified when creating the rule and by whether it matches a format defined by a regular expression. When the source conditions are met, the relay will apply a tag that begins with firewall.paloalto. A regular expression in the Source data field describes the format of the event data. Data is extracted from the event and used to create the third tag level.

Define the rule using the following values (the port number can be any free port on your relay):

Relay rule 1 - CSV events

  • Source port → 13004

  • Source data → ([^,]+,){3}([^,]+)

  • Target tag → firewall.paloalto.\\D2

  • Target message → \\D0

Check the Sent without syslog tag and Stop processing checkboxes.

Relay rule 2 - LEEF events

  • Source port → 13004

  • Source data → LEEF:(?:[^\|]+\|){4}([^\|]+)\|.*$

  • Target tag → firewall.paloalto.\\D1.leef

Check the Sent without syslog tag and Stop processing checkboxes.

Note that the number between curly braces in the rules above may vary depending on your firewall version and the format of your events. Contact us if you need assistance.

Palo Alto Firewall configuration

In Pan-OS, you will need to create a Syslog Server Pron Pan-OS and a Syslog Server Profile for your Devo Relay, as well as the necessary Log Forwarding Profiles and Security Policy Rules. See the vendor documentation for instructions. 

If you want to send your Palo Alto firewall events to a Devo relay that exist in a different network, check out the article about sending events to the Devo relay using SSL.

Â