Sending Palo Alto events to Devo relay using SSL
The Devo relay, also referred to as the "in-house" relay, was designed to reside within a customer's secure network, receive events over an unencrypted channel, then forward them to the Devo cloud using SSL encryption. As a result, it is not equipped to receive inbound SSL connections. Your data environment may consist of several, separate secure networks, each containing data sources whose events you want to forward to Devo via the relay.Â
To enable this, we can use a tunneling service installed on the relay machine to accept connections with SSL encryption, then forward the data to the Devo relay. This procedure uses the open-source stunnel application and is comprised of the following steps.
Generate and export the Palo Alto certificates
Certificates must be generated for the Root CA and for the remote syslog server (stunnel).
In the PAN-OS console, select Device → Certificate Management → Certificates → Device Certificates. Generate a new certificate and call it RootCA. Once generated, select the RootCA certificate in the CA Certificates table and edit its information. Select the Trusted Root CA check box, then click OK. For more information about Root CA certificates, see the vendor documentation.Â
In the same area of the Palo Alto console, generate another new certificate, this time call it SyslogCert. Enter the IP address of the machine where stunnel is installed as the Common Name, select the RootCA certificate as the Signed By value, and do not select the Certificate Authority check box.
Click Generate. Finally, click the certificate name to edit it, select the Certificate for Secure Syslog check box, and click OK. For more information about generating a certificate, see the vendor documentation.
Now, you need to export the certificates. In Device → Certificate Management → Certificates → Device Certificates., select the RootCA certificate and click Export. Choose PEM as the format. Do the same for the SyslogCert certificate.
You do not need to enter a passphrase for the RootCA certificate. However, it is required for the SyslogCert certificate.
For more information about exporting certificates, see the vendor documentation.
Copy the Palo Alto certificates to the Devo relay/stunnel machine
In the next step, you will install stunnel on the same machine as the Devo relay. To prepare to handle the SSL traffic, you need to copy the certificates to this machine and remove the passphrase from the SyslogCert certificate.
First, copy both certificates to /etc/pki/stunnel/.
Next, issue this command to remove the passphrase from the SyslogCert PEM file so that it is not required for every connection.
cat cert_SyslogCert.pem | sed -n '/-----BEGIN CERTIFICATE/,/-----END CERTIFICATE-----/p' > cert_SyslogCert_nopassphrase.pem && openssl rsa -in cert_SyslogCert.pem -out cert_SyslogCert_nopassphrase.key && cat cert_SyslogCert_nopassphrase.key >> cert_SyslogCert_nopassphrase.pem
Install and configure stunnelÂ
You need to install stunnel on the machine running the Devo relay, then set it up to manage the inbound SSL connections and forward data received to the relay.Â
Set up the Devo relay rule
You will need to set up just one type-4 relay rule that uses a regular expression and capturing groups to isolate data contained in the inbound event to build the correct Devo tag.Â
Source port →
13005
Source data →Â
^[^,]+,[^,]+,[^,]+,([^,]+).*$
Target tag →Â
firewall.paloalto.\\D1
Select the Stop processing and Sent without syslog tag checkboxes
Once you add the rule, the relay is prepared to receive events from stunnel and forward them correctly to the Devo cloud.
Set up stunnel as remote syslog server on Palo Alto
Stunnel is already set up to receive SSL encrypted events and forward them to the Devo relay where the new rule will apply the correct tag and send the events onto the Devo cloud. All that remains is to configure the sending of events from Palo Alto to stunnel. To do so, stunnel has to be set up as a syslog server on Palo Alto.
In Palo Alto, go to Device → Server Profiles → Syslog and click Add. Set up the new profile being sure to specify the following:
Syslog server - The IP address of the machine on which stunnel is installed.
Port - The port on which stunnel will listen for inbound SSL connections (in our example, 6514).
You can enter any name you like and accept the default values for the other fields.
For more information about syslog forwarding, see the vendor documentation.
Â