firewall.paloalto

Check the reference vendor documentation here.

Introduction

The tags that begin with firewall.paloalto identify events generated by Palo Alto Networks firewalls (PAN-OS).

Tag structure

The full tag must have at least three levels. The first two are fixed as firewall.paloalto. The third level identifies the event's log type and is set dynamically by the rule you define in the Devo Relay. A fourth level is used only in the specific cases described below.

Technology: firewall

Brand: paloalto

Type (one of the following, taken from the event's log type):

  • auth

  • config

  • correlation

  • decryption

  • globalprotect

  • hipmatch

  • iptag

  • system

  • threat

  • traffic

  • url

  • userid

Subtype: a fourth level used only in the specific cases described below (the config parser version, or the leef/json format of the event).

Tag level used only with firewall.paloalto.config

The fourth level indicates the parser version. Depending on the PAN-OS version running on each firewall, some fields of the CONFIG log arrive in a different order, so this tag level tells Devo which field order the parser must expect. The possible values are:

  • v1 - The default, also used when no fourth level is set (that is, events tagged plainly as firewall.paloalto.config). The parser uses the default field order for the fields affected: seqno, actionflags, beforechangedetail and afterchangedetail.

  • v2 - Indicates that the fields beforechangedetail and afterchangedetail are not part of the event; the parser ignores them and initializes them with null.

  • v3 - Indicates that the fields beforechangedetail and afterchangedetail come before the seqno and actionflags fields.

Pick the version by checking the order of these fields in a sample CONFIG event from your own firewall rather than from the PAN-OS version alone: a positional parser given the wrong order leaves these four fields misaligned without any error.

Tag level used to indicate the event format

Events are parsed as CSV by default. The following log types can also be sent in LEEF format; to indicate this, the tag must carry the additional level leef at the end:

  • firewall.paloalto.traffic.leef

  • firewall.paloalto.system.leef

  • firewall.paloalto.url.leef

  • firewall.paloalto.threat.leef

Events can also arrive in JSON format, indicated with the tag level json at the end (for example firewall.paloalto.threat.json). The full set of leef and json tags accepted for each log type is listed in the table below.

The CSV format tags (no format level) for these log types are:

  • firewall.paloalto.traffic

  • firewall.paloalto.system

  • firewall.paloalto.threat

  • firewall.paloalto.url

These are the valid tags and the data tables that receive the parsed data. The optional fourth level (leef, json, v2, v3) selects the parser but does not change the destination table:

Data table: firewall.paloalto.all

  • firewall.paloalto.all

This is a union table that collects the events of all the tables below for easy access and analysis. Learn more about union tables in this article.

Data table: firewall.paloalto.auth

  • firewall.paloalto.auth

  • firewall.paloalto.auth.leef

  • firewall.paloalto.auth.json

Data table: firewall.paloalto.config

  • firewall.paloalto.config (parser version v1)

  • firewall.paloalto.config.v2

  • firewall.paloalto.config.v3

  • firewall.paloalto.config.json

  • firewall.paloalto.config.leef

Data table: firewall.paloalto.correlation

  • firewall.paloalto.correlation

  • firewall.paloalto.correlation.json

Data table: firewall.paloalto.decryption

  • firewall.paloalto.decryption

  • firewall.paloalto.decryption.json

Data table: firewall.paloalto.globalprotect

  • firewall.paloalto.globalprotect

  • firewall.paloalto.globalprotect.leef

  • firewall.paloalto.globalprotect.json

Data table: firewall.paloalto.hipmatch

  • firewall.paloalto.hipmatch

  • firewall.paloalto.hipmatch.json

Data table: firewall.paloalto.iptag

  • firewall.paloalto.iptag

  • firewall.paloalto.iptag.json

Data table: firewall.paloalto.system

  • firewall.paloalto.system

  • firewall.paloalto.system.json

  • firewall.paloalto.system.leef

Data table: firewall.paloalto.threat

  • firewall.paloalto.threat

  • firewall.paloalto.threat.json

  • firewall.paloalto.threat.leef

Data table: firewall.paloalto.traffic

  • firewall.paloalto.traffic

  • firewall.paloalto.traffic.json

  • firewall.paloalto.traffic.leef

Data table: firewall.paloalto.url

  • firewall.paloalto.url

  • firewall.paloalto.url.json

  • firewall.paloalto.url.leef

Data table: firewall.paloalto.userid

  • firewall.paloalto.userid

  • firewall.paloalto.userid.leef

  • firewall.paloalto.userid.json

For more information, read more about Devo tags.

How is the data sent to Devo?

There are two ways to send this data to Devo.

The first is via an SQS collector, using the aws_sqs_palo_alto service. See the Palo Alto documentation to set it up.

The second is via a Devo Relay.

Since there is no functionality to apply the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and then forwarded securely to the Devo Cloud.

You will need to define a relay rule that identifies the event type and applies the corresponding tag. The rule matches an event by the source port it arrived on and by whether the event matches a regular expression defined in the Source data field. When both source conditions are met, the relay extracts the log type from the event (the capture group referenced in the Target tag field) and uses it as the third level of a tag that begins with firewall.paloalto.

Define the rules using the following values (the port number can be any free port on your relay; both rules listen on the same port and the regular expression decides which one applies):

Relay rule 1 - CSV events

  • Source port: 13004

  • Source data: ([^,]+,){3}([^,]+)

  • Target tag: firewall.paloalto.\\D2

  • Target message: \\D0

Check the Sent without syslog tag and Stop processing checkboxes.

The expression skips the first three comma-separated fields of the PAN-OS CSV record (the syslog header run into the FUTURE_USE field, the receive time and the serial number) and captures the fourth, the log type (for example TRAFFIC or THREAT), as capture group 2; \\D2 places it in the tag and \\D0 forwards the message as the event body.

Relay rule 2 - LEEF events

  • Source port: 13004

  • Source data: LEEF:(?:[^\|]+\|){4}([^\|]+)\|.*$

  • Target tag: firewall.paloalto.\\D1.leef

Check the Sent without syslog tag and Stop processing checkboxes.

Here the expression skips the four fields of the LEEF header (LEEF version, vendor, product and product version) and captures the fifth, the event ID, which PAN-OS sets to the log type; \\D1 places it in the tag and the leef level selects the LEEF parser.

Note that the number between curly braces in the rules above may vary depending on your firewall version and the format of your events. Also note that the CSV expression is not anchored to anything specific to PAN-OS: a LEEF event whose attribute values contain three or more commas also satisfies rule 1, and Stop processing ends evaluation at the first match. If your LEEF events can contain commas, order the LEEF rule before the CSV rule. Contact us if you need assistance.
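To see what the two rules above do to a real-looking event, here is an added Python simulation written for this page; it is example code, not part of the Devo Relay or of Palo Alto's tooling. It applies the page's two regular expressions to constructed CSV and LEEF lines, expands the \D placeholders (assuming \D0 is the whole message and \Dn is capture group n, and lower-casing the result so it lines up with the table names above), derives the destination table from the resulting tag, and shows why the LEEF rule should be evaluated first. The sample lines, the rule names and the extra config-v3 rule are the example's own assumptions.

```python
import re

# Constructed sample events (not real captures). Field layout follows PAN-OS
# syslog output: CSV records start with the syslog header run into FUTURE_USE,
# then receive time, serial number and the log type; LEEF records carry the
# log type as the LEEF event ID.
CSV_TRAFFIC_LINE = (
    "<14>Jan  5 10:00:00 pa-vm 1,2024/01/05 10:00:00,001122334455,TRAFFIC,end,"
    "2560,2024/01/05 10:00:00,10.0.0.5,93.184.216.34,0.0.0.0,0.0.0.0,allow-out,,,"
    "ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-devo,tcp,allow"
)
CSV_CONFIG_LINE = (
    "<14>Jan  5 10:01:00 pa-vm 1,2024/01/05 10:01:00,001122334455,CONFIG,0,0,"
    "2024/01/05 10:01:00,10.0.0.9,vsys1,set,admin,Web,Submitted,"
    "config shared log-settings syslog devo-relay"
)
LEEF_THREAT_LINE = (
    "<14>Jan  5 10:02:00 pa-vm LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|"
    "10.2.0|THREAT|cat=vulnerability|ReceiveTime=2024/01/05 10:02:00|"
    "SerialNumber=001122334455|src=203.0.113.7|dst=10.0.0.20|"
    "ThreatName=HTTP Directory Traversal, variant 2, ID 30000, sev high|act=reset-both"
)

# The page's two relay rules as (name, source-data regex, target-tag template).
# Placeholders are written \D1 etc.; \D0 is treated as the whole message and
# \Dn as capture group n (assumed relay semantics, verify on your relay).
# The LEEF rule is listed first on purpose: see order_matters() below.
RELAY_RULES = [
    ("leef", r"LEEF:(?:[^\|]+\|){4}([^\|]+)\|.*$", r"firewall.paloalto.\D1.leef"),
    ("csv", r"([^,]+,){3}([^,]+)", r"firewall.paloalto.\D2"),
]

# Hypothetical extra rule (not from the page) showing how to pin the config
# parser version: match CONFIG records explicitly and emit a fixed v3 tag.
CONFIG_V3_RULES = [
    ("config-v3", r"([^,]+,){3}CONFIG,", r"firewall.paloalto.config.v3"),
] + RELAY_RULES

PLACEHOLDER = re.compile(r"\\D(\d+)")


def apply_relay_rules(message, rules=RELAY_RULES):
    """Return (rule name, tag) for the first rule whose regex is found in the
    message, mirroring 'Stop processing'; None when no rule matches."""
    for name, pattern, tag_template in rules:
        match = re.search(pattern, message)  # unanchored, like a relay 'find'
        if match is None:
            continue

        def expand(placeholder):
            group = int(placeholder.group(1))
            return message if group == 0 else match.group(group)

        tag = PLACEHOLDER.sub(expand, tag_template)
        # PAN-OS log types are upper case (TRAFFIC); the tables on this page are
        # lower case. Lower-casing here is the simulator's own choice.
        return name, tag.lower()
    return None


FORMAT_LEVELS = {"leef", "json", "v1", "v2", "v3"}


def data_table_for(tag):
    """Map a full tag to its destination table: the optional fourth level only
    selects the parser (format or config version), so it is dropped."""
    levels = tag.split(".")
    if levels[:2] != ["firewall", "paloalto"] or not 3 <= len(levels) <= 4:
        raise ValueError(f"not a firewall.paloalto tag: {tag!r}")
    if len(levels) == 4:
        if levels[3] not in FORMAT_LEVELS:
            raise ValueError(f"unknown fourth level in {tag!r}")
        return ".".join(levels[:3])
    return tag


def order_matters():
    """Show why the LEEF rule must run before the CSV rule: the CSV regex only
    needs three commas, which a LEEF attribute value can easily contain."""
    good = apply_relay_rules(LEEF_THREAT_LINE)
    bad = apply_relay_rules(LEEF_THREAT_LINE, rules=list(reversed(RELAY_RULES)))
    return good, bad


if __name__ == "__main__":
    for line in (CSV_TRAFFIC_LINE, CSV_CONFIG_LINE, LEEF_THREAT_LINE):
        name, tag = apply_relay_rules(line)
        print(f"{name:5} -> {tag:32} table {data_table_for(tag)}")
    print("config pinned:", apply_relay_rules(CSV_CONFIG_LINE, rules=CONFIG_V3_RULES))
    print("wrong order  :", order_matters()[1])
```

Running it tags the traffic line firewall.paloalto.traffic, the config line firewall.paloalto.config (or firewall.paloalto.config.v3 with the extra rule in front) and the LEEF line firewall.paloalto.threat.leef; with the rules reversed, the three commas inside ThreatName let the CSV rule fire first and produce a tag built from the text after the third comma, which is the failure the ordering caveat above is about. The unanchored search is deliberate: the CSV expression could not match a whole record under full-match semantics, so the relay must be using a find-style match.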

Palo Alto Firewall configuration

In PAN-OS, you will need to create a Syslog Server Profile that points to your Devo Relay (the address of the relay and the port used in the relay rules, 13004 in the example above), as well as the necessary Log Forwarding Profiles and Security Policy Rules that reference it. See the vendor documentation for instructions.

If you want to send your Palo Alto firewall events to a Devo Relay that exists in a different network, check out the article about sending events to the Devo Relay using SSL.

Table structure

These are the fields displayed in these tables: