firewall.paloalto
Introduction
The tags beginning with firewall.paloalto identify events generated by Palo Alto Networks Firewall.
Tag structure
The full tag must have at least three levels. The first two are fixed as firewall.paloalto. The third level identifies the event's log type and will be determined dynamically by the rule you define on the Devo Relay. The fourth element is only used in some specific cases.
Technology | Brand | Type | Subtype |
---|---|---|---|
firewall | paloalto | | |

The fourth tag level is only used with firewall.paloalto.config, where it indicates the parser version. Depending on the Palo Alto firewall version used by each client, some fields can arrive in a different order, so this tag level is needed to tell Devo which parser version to apply. The possible values are listed in the tag table below.

A fourth tag level is also used with firewall.paloalto.traffic, firewall.paloalto.system, firewall.paloalto.url and firewall.paloalto.threat. These tables allow sending events in LEEF format instead of the default CSV format; to indicate this, all such logs must carry an additional tag level (leef). Threat can also have logs in JSON format, using the tag level json at the end. The CSV format tags are listed in the table below.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
---|---|
firewall.paloalto.config | firewall.paloalto.config |
firewall.paloalto.config.v1 | firewall.paloalto.config |
firewall.paloalto.config.v2t | firewall.paloalto.config |
firewall.paloalto.config.v3 | firewall.paloalto.config |
firewall.paloalto.system | firewall.paloalto.config |
firewall.paloalto.threat | firewall.paloalto.threat |
firewall.paloalto.correlation | firewall.paloalto.correlation |
firewall.paloalto.hipmatch | firewall.paloalto.hipmatch |
firewall.paloalto.userid | firewall.paloalto.userid |
firewall.paloalto.traffic.leef | firewall.paloalto.traffic.leef |
firewall.paloalto.system.leef | firewall.paloalto.system.leef |
firewall.paloalto.threat.leef | firewall.paloalto.threat |
firewall.paloalto.threat.json | firewall.paloalto.threat |
firewall.paloalto.url | firewall.paloalto.url |
firewall.paloalto.url.leef | firewall.paloalto.url |
For more information, read more about Devo tags.
How is the data sent to Devo?
Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and forwarded securely to the Devo Cloud.
You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. The rule identifies the event's type by the source port that it was received on and by whether it matches a format defined by a regular expression. When the source conditions are met, the relay will apply a tag that begins with firewall.paloalto. A regular expression in the Source data field describes the format of the event data. Data is extracted from the event and used to create the third tag level.
Define the rule using the following values (the port number can be any free port on your relay):
Relay rule 1 - CSV events
Source port → 13004
Source data → ^(\S+\s){8}([^,]+,[^,]+,[^,]+,([^,]+).*)$
Target tag → firewall.paloalto.\D3
Check the Sent without syslog tag and Stop processing checkboxes
Defining a relay rule with a tag with four levels
If you need to use a relay rule with a tag that includes the fourth level, you must indicate it in the Target tag field. For example, if you need to indicate v2, the target tag would be firewall.paloalto.\D1.v2
Relay rule 2 - LEEF events
Source port → 13004
Source data → LEEF:(?:[^\|]+\|){4}([^\|]+)\|.*$
Target tag → firewall.paloalto.\D1.leef
Check the Sent without syslog tag and Stop processing checkboxes
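To show how these two rules classify events before they reach Devo, here is an added Python example (not part of the Devo documentation) that applies the same two Source data regular expressions to constructed syslog lines and expands the \D<n> placeholders into the target tag. The sample lines, the first-match-wins ordering and the lowercasing of the extracted log type are assumptions of this example.

```python
import re
from typing import Optional

# Relay rules as described on the page: (Source data regex, Target tag template).
# The \D<n> placeholder stands for capture group n of the regex.
RELAY_RULES = [
    # Rule 1 - CSV events: eight whitespace-delimited syslog header tokens, then the
    # PAN-OS CSV body; the 4th CSV field (group 3) is the log type.
    (re.compile(r"^(\S+\s){8}([^,]+,[^,]+,[^,]+,([^,]+).*)$"), r"firewall.paloalto.\D3"),
    # Rule 2 - LEEF events: the 5th pipe-delimited LEEF header field (group 1) is the log type.
    (re.compile(r"LEEF:(?:[^\|]+\|){4}([^\|]+)\|.*$"), r"firewall.paloalto.\D1.leef"),
]

PLACEHOLDER = re.compile(r"\\D(\d+)")


def build_tag(template: str, match: re.Match) -> str:
    """Expand every \\D<n> in the template with capture group n of the match.
    Lowercasing is an assumption here so that PAN-OS values such as TRAFFIC
    map onto the lowercase tags in the tag table."""
    return PLACEHOLDER.sub(lambda m: match.group(int(m.group(1))).lower(), template)


def tag_event(line: str) -> Optional[str]:
    """Return the tag the first matching rule would apply, or None when no rule
    matches (an untagged event, the first thing to check when events go missing)."""
    for pattern, template in RELAY_RULES:
        m = pattern.search(line)
        if m:
            return build_tag(template, m)  # "Stop processing": first match wins
    return None


# Constructed sample lines (not real device output).
CSV_LINE = ("<14>Jan 1 00:00:01 fw01 - - - - "
            "1,2023/01/01 00:00:01,007200001,TRAFFIC,end,2049,2023/01/01 00:00:01,"
            "10.0.0.5,192.0.2.10,0.0.0.0,0.0.0.0,Allow-Web,,,ssl,vsys1,trust,untrust")
LEEF_LINE = ("<14>Jan 1 00:00:02 fw01 LEEF:2.0|Palo Alto Networks|PAN-OS|10.1|THREAT|"
             "cat=vulnerability|src=10.0.0.5|dst=192.0.2.10")
OTHER_LINE = "<14>Jan 1 00:00:03 fw01 kernel: unrelated message"

if __name__ == "__main__":
    for line in (CSV_LINE, LEEF_LINE, OTHER_LINE):
        print(tag_event(line))
```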
Palo Alto Firewall configuration
In PAN-OS, you will need to create a Syslog Server Profile for your Devo Relay, as well as the necessary Log Forwarding Profiles and Security Policy Rules. See the vendor documentation for instructions.
If you want to send your Palo Alto firewall events to a Devo relay that resides in a different network, check out the article about sending events to the Devo relay using SSL.